Merge branch '173-clean-up-logout-procedure' into 177-support-enforcing-2fa

97db8098 · Arie Peterson · bd3a1997 · ddaf5123 · 97db8098
Commit 97db8098 authored 1 year ago by Arie Peterson
--- a/backend/web/login/login.py
+++ b/backend/web/login/login.py
@@ -589,28 +589,41 @@ def logout():
    Returns:
        Redirect to the url that is provided by the LogoutRequest object.
    """
+    # Generally, if we encounter errors during these steps we redirect the user
+    # to the beginning of the logout procedure, which is
+    # `https://${hydra_domain}/oauth2/sessions/logout`.
+    new_logout_url = "https://{}/oauth2/sessions/logout".format(HYDRA_PUBLIC_URL)
+
+    # We should have been redirected here by hydra which also sets the
+    # `logout_challenge` parameter.
    challenge = request.args.get("logout_challenge")
    current_app.logger.info("Logout request: challenge=%s", challenge)
    if not challenge:
-        abort(403)
+        current_app.logger.info("No challenge set.")
+        current_app.logger.info("Redirecting to hydra logout: %s", new_logout_url)
+        return redirect(new_logout_url)
    try:
        # hydra v2
        # logout_request = oauth2_api.get_o_auth2_logout_request(challenge)
        logout_request = hydra_admin_api.get_logout_request(challenge)
    except hydra_exceptions.NotFoundException:
        current_app.logger.error("Logout request with challenge '%s' not found", challenge)
-        abort(404, "Hydra session invalid or not found")
+        return redirect(new_logout_url)
    except hydra_exceptions.ApiException:
        current_app.logger.error(
            "Conflict. Logout request with challenge '%s' has been used already.",
            challenge)
-        abort(404, "Logout request has been accepted already.")
+        current_app.logger.info("Redirecting to hydra logout: %s", new_logout_url)
+        return redirect(new_logout_url)

    current_app.logger.info("Logout request hydra, subject %s", logout_request.subject)

-    # Accept logout request. We ignore the redirect URL
-    # (`hydra_return.redirect_to`) because we also need to do the kratos logout
-    # browser flow and we can't do both.
+    # Accept logout request. The `redirect_to` that we get is what we have to
+    # redirect the browser to to finish the hydra logout (clear cookies, etc.)
+    # and after that get redirected to the configured post-logout URL. We store
+    # the `redirect_to` URL so we can pass it to kratos below (as `return_to`),
+    # so the browser will get redirected to `redirect_to` after the kratos
+    # logout is finished.
    try:
        hydra_return = hydra_admin_api.accept_logout_request(challenge)
        next_redirect = hydra_return.redirect_to
@@ -622,7 +635,7 @@ def logout():
    kratos_cookie = get_kratos_cookie()
    if not kratos_cookie:
        # No kratos cookie, already logged out from kratos.
-        current_app.logger.info("Expected kratos cookie but not found. Redirecting to hydra post-logout");
+        current_app.logger.info("Expected kratos cookie but not found. Skipping kratos logout but continuing other logout steps.");
        # We skip the Kratos logout, but we still need to follow
        # `next_redirect` -- probably the Hydra logout URL -- and clear
        # dashboard storage.
@@ -642,7 +655,8 @@ def logout():
        current_app.logger.error("Exception when calling"
            " create_browser_logout_flow: %s\n",
            ex)
-        return redirect(DASHBOARD_URL)
+        current_app.logger.info("Redirecting to hydra logout: %s", new_logout_url)
+        return redirect(new_logout_url)


 if DEMO_INSTANCE: