
LG-7434: Support HTTP POST for OIDC logout route #10573

Merged

Conversation

lmgeorge
Contributor

@lmgeorge lmgeorge commented May 8, 2024

🎫 Ticket

Link to the relevant ticket:
LG-7434: Add support for POST OIDC logout requests (this ticket has been superseded by the referenced GitLab issue).

🛠 Summary of changes

  • Uses one action for both GET and POST. The route definition has been updated with a match statement
  • The tests are identical and have been extrapolated into shared_examples blocks to make working with different request methods simpler
  • To reduce confusion about Rails' default rendering behavior, the index.html.erb template has been renamed to confirm_logout.html.erb

📜 Testing Plan

Requires:

  • A configured partner app to sign-out users with POST
  • identity-idp app to have reject_id_token_hint_in_logout: true in application.yml OR the partner app must not send an id_token_hint

Steps

  1. Sign in to the partner app
  2. Sign out
  3. Confirm that the appropriate confirmation view is shown

@lmgeorge lmgeorge marked this pull request as draft May 8, 2024 19:41
**Why**:

- The specification for OpenID Connect RP-Initiated Logout 1.0 requires
  both HTTP `GET` and `POST` methods to be supported. See: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout

- Data sent using the `POST` method remains encrypted during transport in the
  browser and in web application logs, preventing leakage of sensitive
  information

**How**:

- The same endpoint shall be used, `/openid_connect/logout`, but the
  request data must be sent as part of the body and use form
  serialization (RFC 9110, sec. 9.3.3)

resolves https://gitlab.login.gov/lg-people/lg-people-appdev/protocols/openid-connect/-/issues/3

changelog: Bug Fixes, Security, Support POST for OIDC RP-Initiated Logout 1.0
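The behaviour described in the summary and commit message above, as an added, dependency-free illustration that is not the identity-idp code: one handler behind `/openid_connect/logout` reads the RP-Initiated Logout parameters from the query string on `GET` and from the form-serialized body on `POST`, the way a Rails route declared with `match ..., via: [:get, :post]` would dispatch both to a single action. The `config` hash key stands in for the `reject_id_token_hint_in_logout` flag named in the testing plan; the module, method names, status codes and sample parameter values are assumptions made for the example.

```ruby
require "uri"
require "stringio"

# Added example (not the project's code): a Rack-style sketch of a single
# logout handler serving both GET and POST. Names and responses are assumed.
module OidcLogoutExample
  LOGOUT_PATH = "/openid_connect/logout"
  FORM_TYPE   = "application/x-www-form-urlencoded"

  # Pull the logout parameters from wherever the method places them:
  # the query string for GET, the form-encoded body for POST.
  # Returns nil when a POST does not use form serialization.
  def self.logout_params(env)
    case env["REQUEST_METHOD"]
    when "GET"
      Hash[URI.decode_www_form(env["QUERY_STRING"].to_s)]
    when "POST"
      return nil unless env["CONTENT_TYPE"].to_s.start_with?(FORM_TYPE)
      Hash[URI.decode_www_form(env["rack.input"].read.to_s)]
    end
  end

  # Returns [status, body, params]. `config[:reject_id_token_hint_in_logout]`
  # mirrors the application.yml setting from the testing plan (assumed shape).
  def self.call(env, config)
    return [404, "not found", nil] unless env["PATH_INFO"] == LOGOUT_PATH
    unless %w[GET POST].include?(env["REQUEST_METHOD"])
      return [405, "method not allowed", nil]
    end

    params = logout_params(env)
    return [415, "unsupported media type", nil] if params.nil?

    # With the flag on, a request carrying id_token_hint is refused outright,
    # so the partner app must omit it (the second precondition in the plan).
    if config[:reject_id_token_hint_in_logout] && params.key?("id_token_hint")
      return [400, "id_token_hint not accepted", params]
    end

    # Both methods end in the same confirmation view.
    [200, "confirm_logout", params]
  end

  # Builders for constructed sample requests (sample values, not real IDs).
  def self.get_request(query)
    { "REQUEST_METHOD" => "GET", "PATH_INFO" => LOGOUT_PATH,
      "QUERY_STRING" => query }
  end

  def self.post_request(body, content_type = FORM_TYPE)
    { "REQUEST_METHOD" => "POST", "PATH_INFO" => LOGOUT_PATH,
      "CONTENT_TYPE" => content_type, "rack.input" => StringIO.new(body) }
  end
end

if __FILE__ == $PROGRAM_NAME
  cfg = { reject_id_token_hint_in_logout: true }
  p OidcLogoutExample.call(
    OidcLogoutExample.get_request("client_id=sample-sp&state=abc"), cfg
  )
  p OidcLogoutExample.call(
    OidcLogoutExample.post_request("client_id=sample-sp&state=abc"), cfg
  )
end
```

The point worth noticing is where the parameters live: for the `GET` form they are part of `QUERY_STRING`, which request logs normally record, while for the `POST` form they arrive only in `rack.input`, so a log line that records method and path does not reproduce them.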
@lmgeorge lmgeorge force-pushed the lmgeorge/LG-7434-add-support-for-post-oidc-logout-requests branch from d9ff5c7 to 756061e May 10, 2024 23:44
@lmgeorge lmgeorge marked this pull request as ready for review May 10, 2024 23:48
@lmgeorge lmgeorge merged commit 9d24329 into main May 13, 2024
2 checks passed
@lmgeorge lmgeorge deleted the lmgeorge/LG-7434-add-support-for-post-oidc-logout-requests branch May 13, 2024 19:23
4 participants