Add configuration to delete AccessTokens on Logout

Qup42 · dopry · commit 371f091ed293 · 2023-05-11T14:58:41.000-04:00
diff --git a/docs/settings.rst b/docs/settings.rst
@@ -334,6 +334,14 @@ Default: ``True``
 
 Whether expired ID tokens are accepted for RP-Initiated Logout. The Tokens must still be signed by the OP and otherwise valid.
 
+OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Default: ``True``
+
+Whether to delete the access, refresh and ID tokens of the user that is being logged out.
+The types of applications for which tokens are deleted can be customized with `RPInitiatedLogoutView.token_types_to_delete`.
+The default is to delete the tokens of all applications if this flag is enabled.
+
 OIDC_ISS_ENDPOINT
 ~~~~~~~~~~~~~~~~~
 Default: ``""``
diff --git a/oauth2_provider/settings.py b/oauth2_provider/settings.py
@@ -91,6 +91,7 @@
 "OIDC_RP_INITIATED_LOGOUT_ENABLED": False,
 "OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT": True,
 "OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS": True,
+ "OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS": True,
 # Special settings that will be evaluated at runtime
 "_SCOPES": [],
 "_DEFAULT_SCOPES": [],
diff --git a/oauth2_provider/views/oidc.py b/oauth2_provider/views/oidc.py
@@ -22,7 +22,12 @@
 )
 from ..forms import ConfirmLogoutForm
 from ..http import OAuth2ResponseRedirect
-from ..models import get_application_model, get_id_token_model
+from ..models import (
+ get_access_token_model,
+ get_application_model,
+ get_id_token_model,
+ get_refresh_token_model,
+)
 from ..settings import oauth2_settings
 from .mixins import OAuthLibMixin, OIDCLogoutOnlyMixin, OIDCOnlyMixin
 
@@ -260,6 +265,10 @@ def validate_logout_request(request, id_token_hint, client_id, post_logout_redir
 class RPInitiatedLogoutView(OIDCLogoutOnlyMixin, FormView):
 template_name = "oauth2_provider/logout_confirm.html"
 form_class = ConfirmLogoutForm
+ token_types_to_delete = [
+ Application.CLIENT_PUBLIC,
+ Application.CLIENT_CONFIDENTIAL,
+ ]
 
 def get_initial(self):
 return{
@@ -330,7 +339,29 @@ def form_valid(self, form):
 return self.error_response(error)
 
 def do_logout(self, application=None, post_logout_redirect_uri=None, state=None):
+ # Delete Access Tokens
+ if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS:
+ AccessToken = get_access_token_model()
+ RefreshToken = get_refresh_token_model()
+ access_tokens_to_delete = AccessToken.objects.filter(
+ user=self.request.user, application__client_type__in=self.token_types_to_delete
+ )
+ # This queryset has to be evaluated eagerly. The queryset would be empty with lazy evaluation
+ # because `access_tokens_to_delete` represents an empty queryset once `refresh_tokens_to_delete`
+ # is evaluated as all AccessTokens have been deleted.
+ refresh_tokens_to_delete = list(
+ RefreshToken.objects.filter(access_token__in=access_tokens_to_delete)
+ )
+ for token in access_tokens_to_delete:
+ # Delete the token and its corresponding refresh and IDTokens.
+ if token.id_token:
+ token.id_token.revoke()
+ token.revoke()
+ for refresh_token in refresh_tokens_to_delete:
+ refresh_token.revoke()
+ # Logout in Django
 logout(self.request)
+ # Redirect
 if post_logout_redirect_uri:
 if state:
 return OAuth2ResponseRedirect(
diff --git a/tests/presets.py b/tests/presets.py
@@ -33,6 +33,8 @@
 OIDC_SETTINGS_RP_LOGOUT["OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT"] = False
 OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED = deepcopy(OIDC_SETTINGS_RP_LOGOUT)
 OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED["OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS"] = False
+OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS = deepcopy(OIDC_SETTINGS_RP_LOGOUT)
+OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS["OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS"] = False
 REST_FRAMEWORK_SCOPES ={
 "SCOPES":{
 "read": "Read scope",
diff --git a/tests/test_oidc_views.py b/tests/test_oidc_views.py
@@ -3,9 +3,10 @@
 from django.contrib.auth.models import AnonymousUser
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
+from django.utils import timezone
 
 from oauth2_provider.exceptions import ClientIdMissmatch, InvalidOIDCClientError, InvalidOIDCRedirectURIError
-from oauth2_provider.models import get_id_token_model
+from oauth2_provider.models import get_access_token_model, get_id_token_model, get_refresh_token_model
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from oauth2_provider.settings import oauth2_settings
 from oauth2_provider.views.oidc import _load_id_token, _validate_claims, validate_logout_request
@@ -474,6 +475,58 @@ def test_userinfo_endpoint_bad_token(oidc_tokens, client):
 assert rsp.status_code == 401
 
 
+@pytest.mark.django_db
+def test_token_deletion_on_logout(oidc_tokens, loggend_in_client, rp_settings):
+ AccessToken = get_access_token_model()
+ IDToken = get_id_token_model()
+ RefreshToken = get_refresh_token_model()
+ assert AccessToken.objects.count() == 1
+ assert IDToken.objects.count() == 1
+ assert RefreshToken.objects.count() == 1
+ rsp = loggend_in_client.get(
+ reverse("oauth2_provider:rp-initiated-logout"),
+ data={
+ "id_token_hint": oidc_tokens.id_token,
+ "client_id": oidc_tokens.application.client_id,
+ },
+ )
+ assert rsp.status_code == 302
+ assert not is_logged_in(loggend_in_client)
+ # Check that all tokens have either been deleted or expired.
+ assert all([token.is_expired() for token in AccessToken.objects.all()])
+ assert all([token.is_expired() for token in IDToken.objects.all()])
+ assert all([token.revoked <= timezone.now() for token in RefreshToken.objects.all()])
+
+
+@pytest.mark.django_db
+@pytest.mark.oauth2_settings(presets.OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS)
+def test_token_deletion_on_logout_disabled(oidc_tokens, loggend_in_client, rp_settings):
+ rp_settings.OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS = False
+
+ AccessToken = get_access_token_model()
+ IDToken = get_id_token_model()
+ RefreshToken = get_refresh_token_model()
+ assert AccessToken.objects.count() == 1
+ assert IDToken.objects.count() == 1
+ assert RefreshToken.objects.count() == 1
+ rsp = loggend_in_client.get(
+ reverse("oauth2_provider:rp-initiated-logout"),
+ data={
+ "id_token_hint": oidc_tokens.id_token,
+ "client_id": oidc_tokens.application.client_id,
+ },
+ )
+ assert rsp.status_code == 302
+ assert not is_logged_in(loggend_in_client)
+ # Check that the tokens have not been expired or deleted.
+ assert AccessToken.objects.count() == 1
+ assert not any([token.is_expired() for token in AccessToken.objects.all()])
+ assert IDToken.objects.count() == 1
+ assert not any([token.is_expired() for token in IDToken.objects.all()])
+ assert RefreshToken.objects.count() == 1
+ assert not any([token.revoked is not None for token in RefreshToken.objects.all()])
+
+
 EXAMPLE_EMAIL = "example.email@example.com"
 
 

-Original file line number
+Diff line change
+)
 from ..formsimportConfirmLogoutForm
 from ..httpimportOAuth2ResponseRedirect
 -from ..modelsimportget_application_model, get_id_token_model
 +from ..modelsimport (
 +get_access_token_model,
 +get_application_model,
 +get_id_token_model,
 +get_refresh_token_model,
 +)
 from ..settingsimportoauth2_settings
 from .mixinsimportOAuthLibMixin, OIDCLogoutOnlyMixin, OIDCOnlyMixin
 classRPInitiatedLogoutView(OIDCLogoutOnlyMixin, FormView):
 template_name="oauth2_provider/logout_confirm.html"
 form_class=ConfirmLogoutForm
 +token_types_to_delete= [
 +Application.CLIENT_PUBLIC,
 +Application.CLIENT_CONFIDENTIAL,
 + ]
 defget_initial(self):
 return{
 returnself.error_response(error)
 defdo_logout(self, application=None, post_logout_redirect_uri=None, state=None):
 +# Delete Access Tokens
 +ifoauth2_settings.OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS:
 +AccessToken=get_access_token_model()
 +RefreshToken=get_refresh_token_model()
 +access_tokens_to_delete=AccessToken.objects.filter(
 +user=self.request.user, application__client_type__in=self.token_types_to_delete
 + )
 +# This queryset has to be evaluated eagerly. The queryset would be empty with lazy evaluation
 +# because `access_tokens_to_delete` represents an empty queryset once `refresh_tokens_to_delete`
 +# is evaluated as all AccessTokens have been deleted.
 +refresh_tokens_to_delete=list(
 +RefreshToken.objects.filter(access_token__in=access_tokens_to_delete)
 + )
 +fortokeninaccess_tokens_to_delete:
 +# Delete the token and its corresponding refresh and IDTokens.
 +iftoken.id_token:
 +token.id_token.revoke()
 +token.revoke()
 +forrefresh_tokeninrefresh_tokens_to_delete:
 +refresh_token.revoke()
 +# Logout in Django
 logout(self.request)
 +# Redirect
 ifpost_logout_redirect_uri:
 ifstate:
 returnOAuth2ResponseRedirect(
-Original file line number
+Diff line change
 OIDC_SETTINGS_RP_LOGOUT["OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT"] =False
 OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED=deepcopy(OIDC_SETTINGS_RP_LOGOUT)
 OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED["OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS"] =False
 +OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS=deepcopy(OIDC_SETTINGS_RP_LOGOUT)
 +OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS["OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS"] =False
 REST_FRAMEWORK_SCOPES={
 "SCOPES":{
 "read": "Read scope",
-Original file line number
+Diff line change
 fromdjango.contrib.auth.modelsimportAnonymousUser
 fromdjango.testimportRequestFactory, TestCase
 fromdjango.urlsimportreverse
 +fromdjango.utilsimporttimezone
 fromoauth2_provider.exceptionsimportClientIdMissmatch, InvalidOIDCClientError, InvalidOIDCRedirectURIError
 -fromoauth2_provider.modelsimportget_id_token_model
 +fromoauth2_provider.modelsimportget_access_token_model, get_id_token_model, get_refresh_token_model
 fromoauth2_provider.oauth2_validatorsimportOAuth2Validator
 fromoauth2_provider.settingsimportoauth2_settings
 fromoauth2_provider.views.oidcimport_load_id_token, _validate_claims, validate_logout_request
 assertrsp.status_code==401
 +@pytest.mark.django_db
 +deftest_token_deletion_on_logout(oidc_tokens, loggend_in_client, rp_settings):
 +AccessToken=get_access_token_model()
 +IDToken=get_id_token_model()
 +RefreshToken=get_refresh_token_model()
 +assertAccessToken.objects.count() ==1
 +assertIDToken.objects.count() ==1
 +assertRefreshToken.objects.count() ==1
 +rsp=loggend_in_client.get(
 +reverse("oauth2_provider:rp-initiated-logout"),
 +data={
 +"id_token_hint": oidc_tokens.id_token,
 +"client_id": oidc_tokens.application.client_id,
 + },
 + )
 +assertrsp.status_code==302
 +assertnotis_logged_in(loggend_in_client)
 +# Check that all tokens have either been deleted or expired.
 +assertall([token.is_expired() fortokeninAccessToken.objects.all()])
 +assertall([token.is_expired() fortokeninIDToken.objects.all()])
 +assertall([token.revoked<=timezone.now() fortokeninRefreshToken.objects.all()])
++
++
 +@pytest.mark.django_db
 +@pytest.mark.oauth2_settings(presets.OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS)
 +deftest_token_deletion_on_logout_disabled(oidc_tokens, loggend_in_client, rp_settings):
 +rp_settings.OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS=False
++
 +AccessToken=get_access_token_model()
 +IDToken=get_id_token_model()
 +RefreshToken=get_refresh_token_model()
 +assertAccessToken.objects.count() ==1
 +assertIDToken.objects.count() ==1
 +assertRefreshToken.objects.count() ==1
 +rsp=loggend_in_client.get(
 +reverse("oauth2_provider:rp-initiated-logout"),
 +data={
 +"id_token_hint": oidc_tokens.id_token,
 +"client_id": oidc_tokens.application.client_id,
 + },
 + )
 +assertrsp.status_code==302
 +assertnotis_logged_in(loggend_in_client)
 +# Check that the tokens have not been expired or deleted.
 +assertAccessToken.objects.count() ==1
 +assertnotany([token.is_expired() fortokeninAccessToken.objects.all()])
 +assertIDToken.objects.count() ==1
 +assertnotany([token.is_expired() fortokeninIDToken.objects.all()])
 +assertRefreshToken.objects.count() ==1
 +assertnotany([token.revokedisnotNonefortokeninRefreshToken.objects.all()])
++
++
 EXAMPLE_EMAIL="[email protected]"