[14.0][IMP] auth_oidc: Logout the user from the auth provider #666
base: 14.0
Changes from 8 commits
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -9,7 +9,10 @@ | |
|
||
from werkzeug.urls import url_decode, url_encode | ||
|
||
from odoo import http | ||
from odoo.addons.auth_oauth.controllers.main import OAuthLogin | ||
from odoo.addons.web.controllers.main import Session | ||
from odoo.http import request | ||
|
||
_logger = logging.getLogger(__name__) | ||
|
||
|
@@ -48,3 +51,28 @@ | |
provider["auth_endpoint"], url_encode(params) | ||
) | ||
return providers | ||
|
||
|
||
class OpenIDLogout(Session): | ||
|
||
@http.route("/web/session/logout", type="http", auth="none") | ||
def logout(self, redirect="/web/login"): | ||
user = request.env["res.users"].sudo().browse(request.session.uid) | ||
if user.oauth_provider_id.id: | ||
p = request.env["auth.oauth.provider"].sudo().browse(user.oauth_provider_id.id) | ||
if p.logout_endpoint: | ||
r = redirect | ||
if r.find('http') == -1 and r.find('https') == -1: | ||
I have sneaked in support for full URLs

Please use

Done
||
r = request.env['ir.config_parameter'].sudo().get_param('web.base.url') + r | ||
logout_base_url = p.logout_endpoint | ||
params = {} | ||
if '?' in p.logout_endpoint: | ||
url_parts = p.logout_endpoint.split("?") | ||
I'm not too comfortable with parsing a URL this way. What if, for instance, there is more than 1
||
logout_base_url = url_parts[0] | ||
params = url_decode(url_parts[1]) | ||
params["client_id"] = p.client_id | ||
params["post_logout_redirect_uri"] = r | ||
logout_url = f"{logout_base_url}?{url_encode(params)}" | ||
It might be nice to extract this url manipulation logic in a little class method that could be unit tested.

Is there documentation on how to run the test suite?

@wluyima This part of the odoo documentation should get you started. Let me know if you hit any issue.

Thanks @sbidoul, is there a way I can find documentation to run Odoo 14.0 locally from source? I was following the 15.0 documentation and I can't seem to install the packages in the requirements.txt file. I get this error when I try to install the packages, do you have any clues? I'm using Python 3.12.4. I'm not sure if it is not compatible, is there documentation on Odoo and Python versions compatibility?

For Odoo 14 I generally use python 3.8. It will for sure not work with 3.12. I recommend installing the Odoo dependencies in a virtual environment:
But if you don't use Odoo 14, why do you do this PR to the 14.0 branch?

Thanks @sbidoul! I did say we're using Odoo 14, which is why this PR is issued against the 14.0 branch, and I'm installing the dependencies in a virtual environment, but I was using python 3.12. I'll try with python 3.8 and see if it works. I was actually able to later find the documentation for Odoo 14 here.
||
return super().logout(redirect=logout_url) | ||
# User has no account with any provider or no logout URL is configured for the provider | ||
return super().logout(redirect=redirect) |
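Review bot: the absolute-URL test in `if r.find('http') == -1 and r.find('https') == -1:` is a substring search rather than a scheme check, and its second clause never changes the outcome, since any string containing 'https' also contains 'http'. A relative `redirect` that merely contains 'http' somewhere, for instance in its query string, skips the `web.base.url` prefix, and because the route is `auth="none"` and `redirect` comes from the request, whatever value arrives is forwarded as `post_logout_redirect_uri`. Parse the value with a URL parser, decide on its scheme and host, and restrict absolute targets to hosts the deployment expects. The same parser would replace `p.logout_endpoint.split("?")`, which reads only `url_parts[1]` and silently drops anything after a second `?`. The added lines also mix single and double quotes, while the surrounding context lines use double quotes.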
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -46,6 +46,11 @@ class AuthOauthProvider(models.Model): | |
string="Token URL", help="Required for OpenID Connect authorization code flow." | ||
) | ||
jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.") | ||
logout_endpoint = fields.Char( | ||
I'd suggest naming this field
||
string="Logout URL", | ||
help="Required for OpenID Connect to logout the user in the authorization provider upon logout in the client, " | ||
"should be the value of end_session_endpoint specified by the authorization provider" | ||
) | ||
|
||
@tools.ormcache("self.jwks_uri", "kid") | ||
def _get_keys(self, kid): | ||
|
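Review bot: the `help` text on `logout_endpoint` opens with "Required for OpenID Connect", but the controller in this PR falls back to the standard logout when `p.logout_endpoint` is empty, so the field is optional in practice. Reword the text to say the field is optional and enables logout at the provider, and end it with a period like the neighbouring `help` strings. Nothing in this hunk checks that the stored value is an absolute URL; a constraint on the field would catch a mistyped value before a user is redirected to it at logout.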
Can you add a comment or docstring referencing the spec that this implements?
https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
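
The review comments above question splitting the endpoint on `?` and ask for the URL handling to live in a method that can be unit tested. A sketch of such a helper follows, added here as an example and not code from the PR or the module. The name `build_logout_url`, the same-origin policy applied to `redirect`, the `fallback` parameter and the sample hosts are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

# Parameters this helper sets itself; copies already present in the
# configured endpoint are dropped so each appears exactly once.
_OWN_PARAMS = ("client_id", "post_logout_redirect_uri")


def _origin(parts):
    """Scheme and host[:port] of a SplitResult, for same-origin comparison."""
    return parts.scheme, parts.netloc.lower()


def build_logout_url(end_session_endpoint, client_id, redirect, base_url,
                     fallback="/web/login"):
    """Build the provider logout URL (hypothetical helper, not from the PR).

    `redirect` is request-supplied. It is resolved against `base_url`, and an
    absolute or scheme-relative value pointing at another origin is replaced
    by `fallback` (an assumed policy; widen it to an allow-list if needed).
    """
    base = urlsplit(base_url)
    target = urlsplit(urljoin(base_url, redirect))
    if _origin(target) != _origin(base):
        target = urlsplit(urljoin(base_url, fallback))

    # urlsplit cuts at the first "?" only, so a later "?" stays inside the
    # query value instead of being lost as it is with str.split("?").
    endpoint = urlsplit(end_session_endpoint)
    params = [
        (key, value)
        for key, value in parse_qsl(endpoint.query, keep_blank_values=True)
        if key not in _OWN_PARAMS
    ]
    params.append(("client_id", client_id))
    params.append(("post_logout_redirect_uri", urlunsplit(target)))
    return urlunsplit(endpoint._replace(query=urlencode(params), fragment=""))


if __name__ == "__main__":
    # Constructed sample values, not taken from the PR.
    print(build_logout_url(
        "https://idp.example.test/realms/demo/logout?ui_locales=en",
        "odoo-client",
        "/web/login",
        "https://odoo.example.test",
    ))
```
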