post_logout_redirect_uri in logout request. post_logout_redirect_uris in registration request.

Author: rohe

example/flask_rp/views.py

@@ -160,7 +160,7 @@ def get_op_identifier_by_cb_uri(url: str):
     for k, v in current_app.rph.issuer2rp.items():
         _cntx = v.get_service_context()
         for endpoint in ("redirect_uris",
-                         "post_logout_redirect_uri",
+                         "post_logout_redirect_uris",
                          "frontchannel_logout_uri",
                          "backchannel_logout_uri"):
             if uri in _cntx.get(endpoint, []):

src/oidcrp/configure.py

@@ -100,7 +100,7 @@ def extend(self, entity_conf, conf, base_path, file_attributes, domain, port):
 
 
 URIS = [
-    "redirect_uris", 'post_logout_redirect_uri', 'frontchannel_logout_uri',
+    "redirect_uris", 'post_logout_redirect_uris', 'frontchannel_logout_uri',
     'backchannel_logout_uri', 'issuer', 'base_url']
 
 

src/oidcrp/oidc/end_session.py

@@ -55,13 +55,16 @@ def get_id_token_hint(self, request_args=None, **kwargs):
     def add_post_logout_redirect_uri(self, request_args=None, **kwargs):
         if 'post_logout_redirect_uri' not in request_args:
             _context = self.client_get("service_context")
-            _uri = _context.register_args.get('post_logout_redirect_uri')
+            _uri = _context.register_args.get('post_logout_redirect_uris')
             if _uri:
-                request_args['post_logout_redirect_uri'] = _uri
+                if isinstance(_uri, str):
+                    request_args['post_logout_redirect_uri'] = _uri
+                else:  # assume list
+                    request_args['post_logout_redirect_uri'] = _uri[0]
             else:
-                _uri = _context.callback.get("post_logout_redirect_uri")
+                _uri = _context.callback.get("post_logout_redirect_uris")
                 if _uri:
-                    request_args['post_logout_redirect_uri'] = _uri
+                    request_args['post_logout_redirect_uri'] = _uri[0]
 
         return request_args, {}
 

src/oidcrp/oidc/registration.py

@@ -80,7 +80,7 @@ def create_callbacks(issuer: str,
         res["request_uris"] = f"{base_url}/req_uri/{_hex}"
 
     if backchannel_logout_uri or frontchannel_logout_uri:
-        res["post_logout_redirect_uri"] = f"{base_url}/session_logout/{_hex}"
+        res["post_logout_redirect_uris"] = [f"{base_url}/session_logout/{_hex}"]
 
     if backchannel_logout_uri:
         res["backchannel_logout_uri"] = f"{base_url}/bc_logout/{_hex}"
@@ -162,7 +162,7 @@ def add_callbacks(context, ignore: Optional[List[str]] = None):
     context.set('callback', callbacks)
 
 
-CALLBACK_URIS = ["post_logout_redirect_uri", "backchannel_logout_uri", "frontchannel_logout_uri",
+CALLBACK_URIS = ["post_logout_redirect_uris", "backchannel_logout_uri", "frontchannel_logout_uri",
                  "request_uris", 'redirect_uris']
 
 

src/oidcrp/service_context.py

@@ -103,7 +103,7 @@ class ServiceContext(OidcContext):
         "httpc_params": None,
         'issuer': None,
         "kid": None,
-        "post_logout_redirect_uri": '',
+        "post_logout_redirect_uris": None,
         'provider_info': None,
         'redirect_uris': None,
         "requests_dir": None,
@@ -137,7 +137,7 @@ def __init__(self, base_url="", keyjar=None, config=None, state=None, **kwargs):
         self.client_secret_expires_at = 0
         self.behaviour = {}
         self.provider_info = {}
-        self.post_logout_redirect_uri = ''
+        self.post_logout_redirect_uris = []
         self.redirect_uris = []
         self.register_args = {}
         self.registration_response = {}

tests/test_13_oidc_service.py

@@ -608,11 +608,11 @@ def test_construct(self):
 
     def test_config_with_post_logout(self):
         self.service.client_get("service_context").register_args[
-            'post_logout_redirect_uri'] = 'https://example.com/post_logout'
+            'post_logout_redirect_uris'] = ['https://example.com/post_logout']
         _req = self.service.construct()
         assert isinstance(_req, RegistrationRequest)
         assert len(_req) == 5
-        assert 'post_logout_redirect_uri' in _req
+        assert 'post_logout_redirect_uris' in _req
 
 
 def test_config_with_required_request_uri():
@@ -666,7 +666,7 @@ def test_config_logout_uri():
     assert len(_req) == 7
     assert 'request_uris' in _req
     assert 'frontchannel_logout_uri' in _req
-    assert 'post_logout_redirect_uri' in _req
+    assert 'post_logout_redirect_uris' in _req
 
 
 class TestUserInfo(object):
@@ -874,7 +874,7 @@ def create_request(self):
             'redirect_uris': ['https://example.com/cli/authz_cb'],
             'issuer': self._iss, 'requests_dir': 'requests',
             'base_url': 'https://example.com/cli/',
-            'post_logout_redirect_uri': 'https://example.com/post_logout'
+            'post_logout_redirect_uris': ['https://example.com/post_logout']
         }
         services = {
             "checksession": {

tests/test_20_rp_handler_oidc.py

@@ -312,7 +312,7 @@ def test_do_client_registration(self):
         # only 2 things should have happened
 
         assert self.rph.hash2issuer['github'] == issuer
-        assert client.client_get("service_context").callback.get("post_logout_redirect_uri") is None
+        assert client.client_get("service_context").callback.get("post_logout_redirect_uris") is None
 
     def test_do_client_setup(self):
         client = self.rph.client_setup('github')

tests/test_40_rp_handler_persistent.py

@@ -247,7 +247,7 @@ def test_do_client_registration(self):
         # only 2 things should have happened
 
         assert rph_1.hash2issuer['github'] == issuer
-        assert not client.client_get("service_context").callback.get('post_logout_redirect_uri')
+        assert not client.client_get("service_context").callback.get('post_logout_redirect_uris')
 
     def test_do_client_setup(self):
         rph_1 = RPHandler(BASE_URL, client_configs=CLIENT_CONFIG,