From 99553229f9b373b08bcecbaab4135696eb33acb6 Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Tue, 20 Aug 2024 15:37:19 +0200
Subject: [PATCH] Device authorization logout
---
 .../java/oidc/endpoints/AuthorizationEndpoint.java | 9 ---------
 .../oidc/endpoints/DeviceAuthorizationEndpoint.java | 9 ++++++---
 src/main/java/oidc/endpoints/OidcEndpoint.java | 13 +++++++++++++
 src/main/java/oidc/endpoints/TokenEndpoint.java | 1 +
 4 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/src/main/java/oidc/endpoints/AuthorizationEndpoint.java b/src/main/java/oidc/endpoints/AuthorizationEndpoint.java
index b8535dc0..8a4a2618 100644
--- a/src/main/java/oidc/endpoints/AuthorizationEndpoint.java
+++ b/src/main/java/oidc/endpoints/AuthorizationEndpoint.java
@@ -248,15 +248,6 @@ private static String adStateToQueryParameters(UriComponentsBuilder builder, Sta
         return uriString;
     }
 
-    private void logout(HttpServletRequest request) {
-        SecurityContextHolder.getContext().setAuthentication(null);
-        SecurityContextHolder.clearContext();
-        HttpSession session = request.getSession(false);
-        if (session != null) {
-            session.invalidate();
-        }
-    }
-
     private ModelAndView doConsent(MultiValueMap parameters,
                                    OpenIDClient client,
                                    Set scopes,
diff --git a/src/main/java/oidc/endpoints/DeviceAuthorizationEndpoint.java b/src/main/java/oidc/endpoints/DeviceAuthorizationEndpoint.java
index 4d7d9a54..c84ecabf 100644
--- a/src/main/java/oidc/endpoints/DeviceAuthorizationEndpoint.java
+++ b/src/main/java/oidc/endpoints/DeviceAuthorizationEndpoint.java
@@ -45,7 +45,7 @@ import static oidc.endpoints.AuthorizationEndpoint.validateScopes;
 @RestController
-public class DeviceAuthorizationEndpoint {
+public class DeviceAuthorizationEndpoint implements OidcEndpoint{
     private static final Log LOG = LogFactory.getLog(DeviceAuthorizationEndpoint.class);
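Review bot: The new class header `public class DeviceAuthorizationEndpoint implements OidcEndpoint{` is missing the space before the brace; it should read `public class DeviceAuthorizationEndpoint implements OidcEndpoint {`. Implementing the interface to pick up `logout` also pulls in its other default methods (`tokenValidity` is visible in the OidcEndpoint hunk), which is harmless but worth a glance if this controller already declares methods of the same names. The rest of the class body is outside the hunk.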
@@ -161,8 +161,11 @@ public ModelAndView postVerify(@RequestParam Map body, HttpServl
         ModelAndView modelAndView = findByUserCode(userCode)
                 //avoid replay's
                 .filter(deviceAuthorization -> deviceAuthorization.getStatus().equals(DeviceAuthorizationStatus.authorization_pending))
-                .map(deviceAuthorization ->
-                        new ModelAndView(new RedirectView(deviceAuthorizeURL(deviceAuthorization), true)))
+                .map(deviceAuthorization -> {
+                    //We do not provide SSO as does EB not - up to the identity provider
+                    logout(request);
+                    return new ModelAndView(new RedirectView(deviceAuthorizeURL(deviceAuthorization), true));
+                })
                 .orElseGet(() -> this.verification(null, "true", request));
         return modelAndView;
     }
diff --git a/src/main/java/oidc/endpoints/OidcEndpoint.java b/src/main/java/oidc/endpoints/OidcEndpoint.java
index 1f5791bb..a2471234 100644
--- a/src/main/java/oidc/endpoints/OidcEndpoint.java
+++ b/src/main/java/oidc/endpoints/OidcEndpoint.java
@@ -4,7 +4,10 @@
 import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
 import com.nimbusds.openid.connect.sdk.ClaimsRequest;
 import oidc.model.OpenIDClient;
+import org.springframework.security.core.context.SecurityContextHolder;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
 import java.time.LocalDateTime;
 import java.time.ZoneId;
 import java.util.ArrayList;
@@ -50,4 +53,14 @@ default Date tokenValidity(int validity) {
         LocalDateTime ldt = LocalDateTime.now().plusSeconds(validity);
         return Date.from(ldt.atZone(ZoneId.systemDefault()).toInstant());
     }
+    default void logout(HttpServletRequest request) {
+        SecurityContextHolder.getContext().setAuthentication(null);
+        SecurityContextHolder.clearContext();
+        HttpSession session = request.getSession(false);
+        if (session != null) {
+            session.invalidate();
+        }
+    }
+
+
 }
diff --git a/src/main/java/oidc/endpoints/TokenEndpoint.java b/src/main/java/oidc/endpoints/TokenEndpoint.java
index db8385c9..d225429e 100644
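Review bot: `logout(request)` in the new `.map` lambda invalidates the HTTP session before `deviceAuthorizeURL(deviceAuthorization)` is evaluated and the redirect is returned, so anything the URL builder or the redirect path still reads from the session (a CSRF token repository, flash attributes, a saved request) is already gone; if nothing there depends on the session, a short comment saying so would save the next reader that check. Forcing a fresh authentication before the device code is authorized is sound, since it keeps a lingering SSO session in a shared browser from being attached to someone else's device, but the inline comment is hard to parse; I would replace it with `// Deliberately no SSO for the device flow: drop the current login so the user re-authenticates at the identity provider` and spell out what `EB` refers to. Note that the session is dropped only after the `authorization_pending` filter, so an unknown or replayed user code falls through to `verification(...)` with the session intact, which looks intentional but is worth stating in that comment. postVerify starts outside the hunk.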
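Review bot: The new default `logout(HttpServletRequest)` has no Javadoc, and as an interface default it silently becomes part of every `OidcEndpoint` implementor's API; add a Javadoc stating that it clears the Spring Security context and invalidates the current session if one exists, and that callers must not touch the session afterwards. Spring Security ships `SecurityContextLogoutHandler`, which performs these same steps; delegating to it, or to a shared `LogoutHandler` bean, would keep logout behaviour in one place rather than in an interface that otherwise, judging by `tokenValidity` and the visible imports, deals with token validity and claims. The two blank `+` lines before the closing `}` should be dropped. The `@@ -4` import hunk above belongs to this same change and needs nothing further.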
--- a/src/main/java/oidc/endpoints/TokenEndpoint.java
+++ b/src/main/java/oidc/endpoints/TokenEndpoint.java
@@ -293,6 +293,7 @@ private ResponseEntity handleDeviceCodeFlow(DeviceAuthorization deviceAuthorizat
         //We only permit one request for a success authorization
         LOG.debug(String.format("Deleting deviceAuthorization as token is returned for client %s", client.getName()));
         deviceAuthorizationRepository.delete(deviceAuthorization);
+ return new ResponseEntity<>(body, responseHttpHeaders, HttpStatus.OK);
     }