projects / arvados.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bd471a9)
21137: Remove id_token_hint from controller RP-initiated logout
authorBrett Smith <brett.smith@curii.com>
Tue, 21 Nov 2023 21:14:59 +0000 (16:14 -0500)
committerBrett Smith <brett.smith@curii.com>
Tue, 21 Nov 2023 21:14:59 +0000 (16:14 -0500)
In the current Arvados stack, it is not possible to provide the ID token
this parameter expects, because we do not retain it anywhere. The user's
authorization token will either be an OIDC access token or an Arvados
token generated when they logged in, so neither is suitable for use as
id_token_hint.

The spec says this parameter is RECOMMENDED but not REQUIRED, so
omitting it is the simplest option that should still meet functional
requirements.

Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>

lib/controller/localdb/login_oidc.go patch | blob | history
lib/controller/localdb/login_oidc_test.go patch | blob | history

diff --git a/lib/controller/localdb/login_oidc.go b/lib/controller/localdb/login_oidc.go
index 66819fd12ad9fe78a53961b7aa0beaa5667b8c8b..128a271dbc9e3b146ae9eb89ea320c4130f17b42 100644 (file)
--- a/lib/controller/localdb/login_oidc.go
+++ b/lib/controller/localdb/login_oidc.go
@@ -134,10 +134,6 @@ func (ctrl *oidcLoginController) Logout(ctx context.Context, opts arvados.Logout
                values := ctrl.endSessionURL.Query()
                values.Set("client_id", ctrl.ClientID)
                values.Set("post_logout_redirect_uri", resp.RedirectLocation)
-               values.Del("id_token_hint")
-               for _, token := range creds.Tokens {
-                       values.Add("id_token_hint", token)
-               }
                u := *ctrl.endSessionURL
                u.RawQuery = values.Encode()
                resp.RedirectLocation = u.String()
diff --git a/lib/controller/localdb/login_oidc_test.go b/lib/controller/localdb/login_oidc_test.go
index 1367fb61581018a564fc347a56c57d95bb857f70..7384935246e13dda071a3725840cca39a12ee3d3 100644 (file)
--- a/lib/controller/localdb/login_oidc_test.go
+++ b/lib/controller/localdb/login_oidc_test.go
@@ -132,7 +132,6 @@ func (s *OIDCLoginSuite) checkRPInitiatedLogout(c *check.C, returnTo string) {
        }
        values := loc.Query()
        c.Check(values.Get("client_id"), check.Equals, s.cluster.Login.Google.ClientID)
-       c.Check(values.Get("id_token_hint"), check.Equals, accessToken)
        c.Check(values.Get("post_logout_redirect_uri"), check.Equals, expReturn)
 }