Get OIDC end_session_endpoint from server metadata

2023-09-14 10:09:45 +02:00 · 2023-09-14 10:09:45 +02:00 · e5f86e72c2
parent 02059e5043
commit e5f86e72c2
2 changed files with 15 additions and 14 deletions
--- a/web/init.py
+++ b/web/init.py
@ -17,8 +17,7 @@ def create_app(test_config=None):
        'ldap_pass': '',
        'ldap_base_dn': '',
        'user_group': '',
-        'oidc_url_discovery': '',
-        'oidc_url_logout': '',
+        'oidc_server': '',
        'oidc_client_id': '',
        'oidc_client_secret': '',
        'admin_group': '',
@ -36,13 +35,9 @@ def create_app(test_config=None):
        db.write('settings', settings)

    app.config['SECRET_KEY'] = settings.get('secret_key', '')
-    app.config['OIDC_URL_DISCOVERY'] = settings.get('oidc_url_discovery', '')
-    app.config['OIDC_URL_LOGOUT'] = settings.get('oidc_url_logout', '')
-    app.config['OIDC_CLIENT_ID'] = settings.get('oidc_client_id', '')
-    app.config['OIDC_CLIENT_SECRET'] = settings.get('oidc_client_secret', '')

    from . import auth
-    auth.init_app(app)
+    auth.init_app(app, settings)

    from . import errors
    errors.init_app(app)
--- a/web/auth.py
+++ b/web/auth.py
@ -25,16 +25,20 @@ class User(flask_login.UserMixin):
    def get_id(self):
        return self.username

-def init_app(app):
+def init_app(app, settings):
    login_manager = flask_login.LoginManager(app)
    oauth = authlib.integrations.flask_client.OAuth(app)
    oauth.register(
        name='default',
-        server_metadata_url=app.config['OIDC_URL_DISCOVERY'],
-        client_id=app.config['OIDC_CLIENT_ID'],
-        client_secret=app.config['OIDC_CLIENT_SECRET'],
+        server_metadata_url=settings.get('oidc_server'),
+        client_id=settings.get('oidc_client_id'),
+        client_secret=settings.get('oidc_client_secret'),
        client_kwargs={'scope': 'openid profile email'})

+    metadata = oauth.default.load_server_metadata()
+    app.config['OIDC_CLIENT_ID'] = settings.get('OIDC_CLIENT_ID')
+    app.config['OIDC_END_SESSION_ENDPOINT'] = metadata.get('end_session_endpoint')
+
    @login_manager.user_loader
    def load_user(username):
        return users.get(username)
@ -57,6 +61,8 @@ def init_app(app):
    @app.route('/logout')
    def logout():
        flask_login.logout_user()
-        return flask.redirect(
-            flask.current_app.config.get('OIDC_URL_LOGOUT') + '?'
-            + urllib.parse.urlencode({'client_id': config.get('OIDC_CLIENT_ID')}))
+        if oidc_logout_url := flask.current_app.config.get('OIDC_END_SESSION_ENDPOINT'):
+            return flask.redirect(oidc_logout_url + '?'
+                + urllib.parse.urlencode({'client_id': flask.current_app.config.get('OIDC_CLIENT_ID')}))
+        else:
+            return flask.redirect('/')