add more config flexibility for OIDC

level12 · Apr 16, 2020 · 39beae0 · 39beae0
1 parent bbe5cc3
commit 39beae0
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 4 deletions.
diff --git a/keg_auth/core.py b/keg_auth/core.py
@@ -100,6 +100,13 @@ def init_config(self, app):
         # Use select2 for form selects in templates extending keg_auth/form-base.
         app.config.setdefault('KEGAUTH_USE_SELECT2', True)
 
+        # Set defaults for OIDC URI locations
+        app.config.setdefault('OIDC_AUTH_URI', '/oauth2/v1/authorize')
+        app.config.setdefault('OIDC_TOKEN_URI', '/oauth2/v1/token')
+        app.config.setdefault('OIDC_ISSUER', '/oauth2')
+        app.config.setdefault('OIDC_USERINFO_URI', '/oauth2/userinfo')
+        app.config.setdefault('KEGAUTH_OIDC_LOGOUT_REDIRECT', None)
+
     def init_cli(self, app):
         keg_auth.cli.add_cli_to_app(app, self.cli_group_name,
                                     user_args=app.config.get('KEGAUTH_CLI_USER_ARGS'))

diff --git a/keg_auth/libs/authenticators.py b/keg_auth/libs/authenticators.py
@@ -521,6 +521,11 @@ def get(self):
         url_after_login = flask.url_for(flask.current_app.auth_manager.endpoint('after-login'))
         bad_token_redirect_resp = flask.current_app.login_manager.unauthorized()
 
+        url_only_redirect = flask.current_app.config.get('KEGAUTH_OIDC_LOGOUT_REDIRECT')
+        if url_only_redirect:
+            flask_login.logout_user()
+            return flask.abort(flask.redirect(url_only_redirect))
+
         """ Logout won't work if user isn't authenticated to begin with, i.e. there won't be a
             token to use. Just redirect to a sane place to force a login to continue."""
         try:
@@ -569,10 +574,11 @@ def __init__(self, app):
             'web': {
                 'client_id': app.config.get('OIDC_CLIENT_ID'),
                 'client_secret': app.config.get('OIDC_CLIENT_SECRET'),
-                'auth_uri': app.config.get('OIDC_PROVIDER_URL') + '/oauth2/default/v1/authorize',
-                'token_uri': app.config.get('OIDC_PROVIDER_URL') + '/oauth2/default/v1/token',
-                'issuer': app.config.get('OIDC_PROVIDER_URL') + '/oauth2/default',
-                'userinfo_uri': app.config.get('OIDC_PROVIDER_URL') + '/oauth2/default/userinfo',
+                'auth_uri': app.config.get('OIDC_PROVIDER_URL') + app.config.get('OIDC_AUTH_URI'),
+                'token_uri': app.config.get('OIDC_PROVIDER_URL') + app.config.get('OIDC_TOKEN_URI'),
+                'issuer': app.config.get('OIDC_PROVIDER_URL') + app.config.get('OIDC_ISSUER'),
+                'userinfo_uri': app.config.get('OIDC_PROVIDER_URL') +
+                app.config.get('OIDC_USERINFO_URI'),
                 'redirect_uris': [
                     app.config.get('OIDC_REDIRECT_BASE') + app.config.get('OIDC_CALLBACK_ROUTE')
                 ]

diff --git a/keg_auth/tests/test_views.py b/keg_auth/tests/test_views.py
@@ -1353,3 +1353,11 @@ def test_success(self, oidc_auth_client, auth_user):
             resp = oidc_auth_client.get('/logout', status=302)
             assert '/oauth2/default/v1/logout?id_token_hint=foo&post_logout_redirect_uri' \
                 in resp.location
+
+    def test_success_redirect(self, oidc_auth_client, auth_user):
+        with mock.patch.dict(
+            flask.current_app.config,
+            {'KEGAUTH_OIDC_LOGOUT_REDIRECT': 'http://foo'}
+        ):
+            resp = oidc_auth_client.get('/logout', status=302)
+            assert '/foo' in resp.location