This is an automated email from the ASF dual-hosted git repository.

ilgrosso pushed a commit to branch 2_1_X
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/2_1_X by this push:
     new b5b53d58ae [SYNCOPE-1756] add id_token_hint to OIDC Logout request 
(#458)
b5b53d58ae is described below

commit b5b53d58aef18d061e494273d2a3dbdc9ea86936
Author: Valerio Crescia <[email protected]>
AuthorDate: Fri May 5 12:25:33 2023 +0200

    [SYNCOPE-1756] add id_token_hint to OIDC Logout request (#458)
---
 .../org/apache/syncope/ext/oidcclient/agent/BeforeLogout.java  |  5 +++++
 .../org/apache/syncope/ext/oidcclient/agent/CodeConsumer.java  |  1 +
 .../org/apache/syncope/ext/oidcclient/agent/Constants.java     |  2 ++
 .../main/java/org/apache/syncope/common/lib/OIDCConstants.java |  4 +++-
 .../org/apache/syncope/common/lib/to/OIDCLoginResponseTO.java  | 10 ++++++++++
 .../java/org/apache/syncope/core/logic/OIDCClientLogic.java    |  2 ++
 6 files changed, 23 insertions(+), 1 deletion(-)

diff --git 
a/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/BeforeLogout.java
 
b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/BeforeLogout.java
index 6925c0ef13..89034416a6 100644
--- 
a/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/BeforeLogout.java
+++ 
b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/BeforeLogout.java
@@ -52,6 +52,10 @@ public class BeforeLogout extends HttpServlet {
         if (StringUtils.isBlank(accessToken)) {
             throw new IllegalArgumentException("No access token found ");
         }
+        String idToken = (String) 
request.getSession().getAttribute(Constants.ID_TOKEN);
+        if (StringUtils.isBlank(idToken)) {
+            throw new IllegalArgumentException("No id token found ");
+        }
         SyncopeClient client = clientFactory.create(accessToken);
         OIDCLogoutRequestTO requestTO = 
client.getService(OIDCClientService.class).
                 
createLogoutRequest(request.getSession().getAttribute(OIDCConstants.OP).toString());
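Review bot: The new guard `if (StringUtils.isBlank(idToken))` turns the ID token into a hard requirement for logout, but `id_token_hint` is only a recommended parameter of OIDC RP-Initiated Logout, and the session attribute is missing for any session created before this agent version was deployed or after a login where the core returned no idToken, so those users now receive an IllegalArgumentException instead of being logged out. Reading the attribute here without throwing, and in the second hunk of this file guarding the append with `if (StringUtils.isNotBlank(idToken)) { ub.queryParam(OIDCConstants.ID_TOKEN_HINT, idToken); }`, keeps the hint best-effort while still sending it whenever it is available. The enclosing method starts before and continues after this hunk.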
@@ -60,6 +64,7 @@ public class BeforeLogout extends HttpServlet {
                 + "/logout";
         UriBuilder ub = UriBuilder.fromUri(requestTO.getEndSessionEndpoint());
         ub.queryParam(OIDCConstants.POST_LOGOUT_REDIRECT_URI, 
postLogoutRedirectURI);
+        ub.queryParam(OIDCConstants.ID_TOKEN_HINT, idToken);
         response.setHeader(HttpHeaders.LOCATION, ub.build().toASCIIString());
     }
 }
diff --git 
a/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/CodeConsumer.java
 
b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/CodeConsumer.java
index 7bb26c181c..be52401053 100644
--- 
a/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/CodeConsumer.java
+++ 
b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/CodeConsumer.java
@@ -85,6 +85,7 @@ public class CodeConsumer extends HttpServlet {
                             Constants.OIDCCLIENTJWT, 
responseTO.getAccessToken());
                     request.getSession().setAttribute(
                             Constants.OIDCCLIENTJWT_EXPIRE, 
responseTO.getAccessTokenExpiryTime());
+                    request.getSession().setAttribute(Constants.ID_TOKEN, 
responseTO.getIdToken());
 
                     String successURL = 
getServletContext().getInitParameter(Constants.CONTEXT_PARAM_LOGIN_SUCCESS_URL);
                     if (successURL == null) {
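Review bot: `request.getSession().setAttribute(Constants.ID_TOKEN, responseTO.getIdToken())` stores the value unchecked; HttpSession treats a null value as removeAttribute, so if the core returns no idToken (an OP token response without one, or presumably an older core that does not yet know the field) nothing is stored and the problem only surfaces at logout time as "No id token found" in BeforeLogout. Checking the value here, where the login context is still available, and at least logging when it is absent would make that failure diagnosable at its origin; whether a logger or StringUtils is already in scope in this class is not visible in the hunk. The enclosing method starts before and continues after this hunk.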
diff --git 
a/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Constants.java
 
b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Constants.java
index 62e00c02ae..ede1d57823 100644
--- 
a/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Constants.java
+++ 
b/ext/oidcclient/agent/src/main/java/org/apache/syncope/ext/oidcclient/agent/Constants.java
@@ -26,6 +26,8 @@ public final class Constants {
 
     public static final String PARAM_OP = "op";
 
+    public static final String ID_TOKEN = "id.token";
+
     public static final String CONTEXT_PARAM_LOGIN_SUCCESS_URL = 
"oidcclient.login.success.url";
 
     public static final String CONTEXT_PARAM_LOGIN_ERROR_URL = 
"oidcclient.login.error.url";
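Review bot: The new HttpSession key `ID_TOKEN = "id.token"` is undocumented and, unlike the context-param constants visible in this hunk whose values carry an `oidcclient.` prefix, uses a generic name that is more likely to collide with an attribute set by another component sharing the session. A Javadoc such as `/** HttpSession attribute holding the raw OIDC ID token received at login, sent as id_token_hint on logout. */` would state what the value is, and a namespaced value like `"oidcclient.id.token"` (constructed suggestion) would keep the key consistent with the rest of the class; the constant is read only by CodeConsumer and BeforeLogout in this commit, so the change is contained.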
diff --git 
a/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/OIDCConstants.java
 
b/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/OIDCConstants.java
index 78b00b62fa..64ded8f47d 100644
--- 
a/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/OIDCConstants.java
+++ 
b/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/OIDCConstants.java
@@ -24,12 +24,14 @@ public final class OIDCConstants {
 
     public static final String CLIENT_SECRET = "client_secret";
 
+    public static final String ID_TOKEN_HINT = "id_token_hint";
+
     public static final String SCOPE = "scope";
 
     public static final String RESPONSE_TYPE = "response_type";
 
     public static final String STATE = "state";
-    
+
     public static final String POST_LOGOUT_REDIRECT_URI = 
"post_logout_redirect_uri";
 
     public static final String REDIRECT_URI = "redirect_uri";
diff --git 
a/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCLoginResponseTO.java
 
b/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCLoginResponseTO.java
index c7672922e1..fc14f7d62c 100644
--- 
a/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCLoginResponseTO.java
+++ 
b/ext/oidcclient/common-lib/src/main/java/org/apache/syncope/common/lib/to/OIDCLoginResponseTO.java
@@ -44,6 +44,8 @@ public class OIDCLoginResponseTO implements Serializable {
 
     private String accessToken;
 
+    private String idToken;
+
     private Date accessTokenExpiryTime;
 
     private final Set<AttrTO> attrs = new HashSet<>();
@@ -80,6 +82,14 @@ public class OIDCLoginResponseTO implements Serializable {
         this.accessToken = accessToken;
     }
 
+    public String getIdToken() {
+        return idToken;
+    }
+
+    public void setIdToken(final String idToken) {
+        this.idToken = idToken;
+    }
+
     public Date getAccessTokenExpiryTime() {
         return accessTokenExpiryTime;
     }
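Review bot: `getIdToken()` and `setIdToken()` are undocumented, and since this TO is Serializable and travels between core and agent a reader cannot tell from the field alone whether it carries the raw JWT or just an identifier. A Javadoc on the getter such as `/** Raw OIDC ID token (JWT) returned by the OP's token endpoint at login; the agent forwards it as id_token_hint on RP-initiated logout, so it carries the subject's claims. */` would make both the contract and the sensitivity of the value explicit. If the class relies on a computed default serialVersionUID rather than an explicit one (not visible in the hunk), adding the field also changes the stream class descriptor.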
diff --git 
a/ext/oidcclient/logic/src/main/java/org/apache/syncope/core/logic/OIDCClientLogic.java
 
b/ext/oidcclient/logic/src/main/java/org/apache/syncope/core/logic/OIDCClientLogic.java
index a32865171f..3e20dda85f 100644
--- 
a/ext/oidcclient/logic/src/main/java/org/apache/syncope/core/logic/OIDCClientLogic.java
+++ 
b/ext/oidcclient/logic/src/main/java/org/apache/syncope/core/logic/OIDCClientLogic.java
@@ -154,6 +154,8 @@ public class OIDCClientLogic extends 
AbstractTransactionalLogic<EntityTO> {
 
         // 3. prepare the result:
         final OIDCLoginResponseTO responseTO = new OIDCLoginResponseTO();
+        responseTO.setIdToken(tokenEndpointResponse.getIdToken());
+
         
responseTO.setLogoutSupported(StringUtils.isNotBlank(op.getEndSessionEndpoint()));
 
         // 3a. extract user info from userInfoEndpoint if exists otherwise 
from idToken
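Review bot: `responseTO.setIdToken(tokenEndpointResponse.getIdToken())` forwards the token endpoint's id_token to the agent verbatim, ahead of the `3a` step that, per the following comment, extracts user info from it; whether the token's signature and claims have been validated earlier in this method is not visible in the hunk, and the TO should only carry a token the core has accepted. A why-comment would help the next reader: `// keep the raw ID token so the agent can send it as id_token_hint on RP-initiated logout`. The enclosing method starts before and continues after this hunk.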
