Merge pull request #541 from bheesham/oidc-logout-endpoint

Jira: IAM-1493

dashboard/app.py

@@ -16,6 +16,7 @@
 from flask import request
 from flask import send_from_directory
 from flask import session
+from flask import url_for
 from flask.sessions import SessionInterface
 
 from flask_assets import Bundle  # type: ignore
@@ -176,10 +177,47 @@ def forbidden():
 @oidc.oidc_logout
 def logout():
     """
-    Redirect to new feature in NLX that destroys autologin preferences.
-    Aka Logout is REALLY logout.
+    Uses the RP-Initiated Logout End Session Endpoint [0] if the app was
+    started up with knowledge of it. Flask-pyoidc will make use of this
+    endpoint if it's in the provider metadata [1].
+
+    If the app was _not_ started with the End Session Endpoint, then we'll
+    fallback to using the `v2/logout` [2] endpoint.
+
+    These two methods cover all cases where:
+
+    * the tenant does not have the End Session Endpoint turned on/off;
+    * the Universal Login page has/has not been customized.
+
+    Note: As the Auth0 docs state [3], this _does not_ log users out of all
+    applications. This simply ends their session with Auth0 and clears their
+    SSO Dashboard session. Refer to the docs on what we'd need to do to achieve
+    a global logout.
+
+    [0]: https://auth0.com/docs/authenticate/login/logout/log-users-out-of-auth0#example
+    [1]: https://github.com/zamzterz/Flask-pyoidc/blob/26b123572cba0b3fa84482c6c0270900042a73c9/src/flask_pyoidc/flask_pyoidc.py#L263
+    [2]: https://auth0.com/docs/api/authentication#auth0-logout
+    [3]: https://manage.mozilla-dev.auth0.com/docs/authenticate/login/logout/log-users-out-of-applications
     """
-    logout_url = "https://{}/login?client={}&action=logout".format(oidc_config.OIDC_DOMAIN, oidc_config.OIDC_CLIENT_ID)
+    try:
+        has_provider_endpoint = oidc.clients["default"].provider_end_session_endpoint is not None
+    except (AttributeError, KeyError):
+        has_provider_endpoint = False
+    if has_provider_endpoint:
+        app.logger.info("Used provider_end_session_endpoint for logout")
+        return render_template("signout.html")
+    # Old-school redirect. If we get here this means we haven't enabled the
+    # RP-initiated logout end session endpoint on Auth0, and so we need to do
+    # manual logout (in a non-breaking way).
+    app.logger.info("Redirecting to v2/logout")
+    # Build up the logout and signout URLs
+    signout_url = "http"
+    if request.is_secure:
+        signout_url += "s"
+    signout_url += f"://{app.config["SERVER_NAME"]}{url_for("signout")}"
+    logout_url = (
+        f"https://{oidc_config.OIDC_DOMAIN}/v2/logout?client_id={oidc_config.OIDC_CLIENT_ID}&returnTo={signout_url}"
+    )
     return redirect(logout_url, code=302)
 
 

dashboard/templates/forbidden.html

@@ -22,7 +22,7 @@ <h2>
 
   <div class="mui-row section">
     <div class="mui-col-md-6 mui-col-md-offset-3">
-      <a href="https://sso.mozilla.com/logout" class="mui-btn help">Logout</a>
+      <a href="/logout" class="mui-btn help">Logout</a>
       <a href="https://discourse.mozilla.org/c/iam" class="mui-btn help">Need Help?</a>
       <a href="/dashboard" class="mui-btn return">Return to dashboard</a>
     </div>

dashboard/templates/signout.html

@@ -18,7 +18,7 @@ <h2 class="card__heading card__heading--success">
       </h2>
         <p>Make sure you also log out of each individual application used this session.</p>
         <hr>
-        <a href="https://sso.mozilla.com" class="button button--secondary">Log in to Mozilla</a>
+        <a href="/" class="button button--secondary">Log in to Mozilla</a>
       <ul class="legal-links list list--plain">
         <li><a href="https://www.mozilla.org/en-US/about/legal/" target="_blank">Legal</a></li>
         <li><a href="https://www.mozilla.org/en-US/privacy/websites/" target="_blank">Privacy</a></li>