Skip to content

LG-7434: Support HTTP POST for OIDC logout route#10573

Merged
lmgeorge merged 3 commits intomainfrom
lmgeorge/LG-7434-add-support-for-post-oidc-logout-requests
May 13, 2024
Merged

LG-7434: Support HTTP POST for OIDC logout route#10573
lmgeorge merged 3 commits intomainfrom
lmgeorge/LG-7434-add-support-for-post-oidc-logout-requests

Conversation

@lmgeorge
Copy link
Contributor

@lmgeorge lmgeorge commented May 8, 2024
edited
Loading

🎫 Ticket

Link to the relevant ticket:
LG-7434: Add support for POST OIDC logout requests (this ticket has been superseded by the referenced this GitLab issue).

🛠 Summary of changes

  • Uses one action for both GET and POST. The route definition has been updated with a match statement
  • The tests are identical and have been extrapolated into shared_examples blocks to make working with different request methods simpler
  • To reduce confusion about Rails' default rendering behavior, the index.html.erb template as been renamed to confirm_logout.html.erb

📜 Testing Plan

Requires:

  • A configured partner app to sign-out users with POST
  • identity-idp app to have reject_id_token_hint_in_logout: true in application.yml OR the partner app must not send an id_token_hint

Steps

  1. Sign in to the partner app
  2. Sign out
  3. Confirm that the appropriate confirmation view is shown

@lmgeorge lmgeorge requested review from Sgtpluck and mitchellhenke May 8, 2024 17:09
mitchellhenke
mitchellhenke reviewed May 8, 2024
View reviewed changes
zachmargolis
zachmargolis reviewed May 8, 2024
View reviewed changes
@lmgeorge lmgeorge marked this pull request as draft May 8, 2024 19:41
lmgeorge added 2 commits May 10, 2024 19:39
@lmgeorge
LG-7434: Support HTTP POST for OIDC logout route
7913de6 
**Why**:

- The specification for OpenID Connect RP-Initiated Logout 1.0 requires
  both HTTP `GET` and `POST` methods to be supported. See: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout

- Data sent using the `POST` method remains encrypted during transport in the
  browser and in web application logs, preventing leakage of sensitive
  information

**How**:

- The same endpoint shall be used, `/openid_connect/logout`, but the
  request data must be sent as part of the body and use form
  serialization (RFC 9110, sec. 9.3.3)

resolves https://gitlab.login.gov/lg-people/lg-people-appdev/protocols/openid-connect/-/issues/3

changelog: Bug Fixes, Security, Support POST for OIDC RP-Initiated Logout 1.0
@lmgeorge
PR!10573: uses one method for both POST and GET, Rspec tests use shar…
756061e 
…ed_examples
@lmgeorge lmgeorge force-pushed the lmgeorge/LG-7434-add-support-for-post-oidc-logout-requests branch from d9ff5c7 to 756061e Compare May 10, 2024 23:44
@lmgeorge lmgeorge marked this pull request as ready for review May 10, 2024 23:48
zachmargolis
zachmargolis approved these changes May 13, 2024
View reviewed changes
@lmgeorge lmgeorge merged commit 9d24329 into main May 13, 2024
@lmgeorge lmgeorge deleted the lmgeorge/LG-7434-add-support-for-post-oidc-logout-requests branch May 13, 2024 19:23
@amirbey amirbey mentioned this pull request May 14, 2024
Merged
@lmgeorge lmgeorge mentioned this pull request May 24, 2024
Merged
@aduth aduth mentioned this pull request Jul 1, 2024
Merged
aduth added a commit that referenced this pull request Jul 1, 2024
@aduth
Reorder redirect relative to sign-out
0e91c51 
Signing out would cause current_user to always return nil. This change returns to previous implementation prior to #10573 with order of redirect

See: https://github.com/18F/identity-idp/pull/10887/files#r1661091791
aduth
aduth reviewed Jul 1, 2024
View reviewed changes
app/controllers/openid_connect/logout_controller.rb
Comment on lines +128 to +130
sign_out

redirect_user(redirect_uri, @logout_form.service_provider&.issuer, current_user&.uuid)
Copy link
Contributor

@aduth aduth Jul 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noting that the reordering redirect_user to happen after sign_out caused a change in behavior with current_user always being nil. It wasn't caught in our specs since our stub_sign_in helper wasn't faithfully recreating the behavior of Devise's handling of current_user

I accidentally stumbled into this in #10887 with a change to improve the stubbed sign-out behavior. More info at https://github.com/18F/identity-idp/pull/10887/files#r1661091791.

aduth added a commit that referenced this pull request Jul 1, 2024
@aduth
LG-13318: Ensure user_id present in account deletion submitted event (#…
c052c3d 
…10887)

* LG-13318: Ensure user_id present in account deletion submitted

changelog: Internal, Analytics, Ensure user ID present in account deletion submitted

* Fix PIV CAC login controller specs

The issue was stub_analytics was _also_ being called and causing the controller to memoize analytics result in a way that wasn't previously surfaced since we asserted against analytics_user directly, despite the fact that the analytics method is what's actually used in code for logging

* Reorder redirect relative to sign-out

Signing out would cause current_user to always return nil. This change returns to previous implementation prior to #10573 with order of redirect

See: https://github.com/18F/identity-idp/pull/10887/files#r1661091791
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Sgtpluck Sgtpluck Awaiting requested review from Sgtpluck

@mitchellhenke mitchellhenke Awaiting requested review from mitchellhenke

2 more reviewers

@zachmargolis zachmargolis zachmargolis approved these changes

@aduth aduth aduth left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@lmgeorge @zachmargolis @mitchellhenke @aduth