Remove logout model

Author: lullis

oauth2_provider/admin.py

@@ -10,8 +10,6 @@
     get_grant_model,
     get_id_token_admin_class,
     get_id_token_model,
-    get_logout_token_admin_class,
-    get_logout_token_model,
     get_refresh_token_admin_class,
     get_refresh_token_model,
 )
@@ -53,14 +51,6 @@ class IDTokenAdmin(admin.ModelAdmin):
     list_select_related = ("application", "user")
 
 
-class LogoutTokenAdmin(admin.ModelAdmin):
-    list_display = ("user", "application", "id_token")
-    raw_id_fields = ("user",)
-    search_fields = ("user__email",) if has_email else ()
-    list_filter = ("application",)
-    list_select_related = ("application", "user", "id_token")
-
-
 class RefreshTokenAdmin(admin.ModelAdmin):
     list_display = ("token", "user", "application")
     raw_id_fields = ("user", "access_token")
@@ -72,19 +62,16 @@ class RefreshTokenAdmin(admin.ModelAdmin):
 access_token_model = get_access_token_model()
 grant_model = get_grant_model()
 id_token_model = get_id_token_model()
-logout_token_model = get_logout_token_model()
 refresh_token_model = get_refresh_token_model()
 
 application_admin_class = get_application_admin_class()
 access_token_admin_class = get_access_token_admin_class()
 grant_admin_class = get_grant_admin_class()
 id_token_admin_class = get_id_token_admin_class()
-logout_token_admin_class = get_logout_token_admin_class()
 refresh_token_admin_class = get_refresh_token_admin_class()
 
 admin.site.register(application_model, application_admin_class)
 admin.site.register(access_token_model, access_token_admin_class)
 admin.site.register(grant_model, grant_admin_class)
 admin.site.register(id_token_model, id_token_admin_class)
-admin.site.register(logout_token_model, logout_token_admin_class)
 admin.site.register(refresh_token_model, refresh_token_admin_class)

oauth2_provider/checks.py

@@ -13,7 +13,6 @@ def validate_token_configuration(app_configs, **kwargs):
             oauth2_settings.ACCESS_TOKEN_MODEL,
             oauth2_settings.ID_TOKEN_MODEL,
             oauth2_settings.REFRESH_TOKEN_MODEL,
-            oauth2_settings.LOGOUT_TOKEN_MODEL,
         )
     )
 

oauth2_provider/migrations/0013_application_backchannel_logout_uri.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.2 on 2025-06-06 12:42
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('oauth2_provider', '0012_add_token_checksum'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='application',
+            name='backchannel_logout_uri',
+            field=models.URLField(blank=True, help_text='Backchannel Logout URI where logout tokens will be sent', null=True),
+        ),
+    ]

oauth2_provider/migrations/0013_application_backchannel_logout_uri_logouttoken.py

@@ -12,7 +12,7 @@
 from django.conf import settings
 from django.contrib.auth.hashers import identify_hasher, make_password
 from django.core.exceptions import ImproperlyConfigured
-from django.db import IntegrityError, models, router, transaction
+from django.db import models, router, transaction
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
@@ -636,6 +636,48 @@ def revoke(self):
         """
         self.delete()
 
+    def send_backchannel_logout_request(self, ttl=timedelta(minutes=10)):
+        """
+        Send a token to
+        """
+        try:
+            assert oauth2_settings.OIDC_BACKCHANNEL_LOGOUT_ENABLED, "Backchannel logout is not enabled"
+            assert self.application.backchannel_logout_url is not None, (
+                "URL for backchannel logout not provided by client"
+            )
+
+            issued_at = timezone.now()
+            expiration_date = issued_at + ttl
+
+            claims = {
+                "iss": oauth2_settings.OIDC_ISS_ENDPOINT,
+                "sub": str(self.user.id),
+                "aud": str(self.application.client_id),
+                "iat": int(issued_at.timestamp()),
+                "exp": int(expiration_date.timestamp()),
+                "jti": self.jti,
+                "events": {"http://schemas.openid.net/event/backchannel-logout": {}},
+            }
+
+            # Standard JWT header
+            header = {"typ": "logout+jwt", "alg": self.application.algorithm}
+            # RS256 consumers expect a kid in the header for verifying the token
+            if self.application.algorithm == AbstractApplication.RS256_ALGORITHM:
+                header["kid"] = self.application.jwk_key.thumbprint()
+
+                token = jwt.JWT(
+                    header=json.dumps(header, default=str),
+                    claims=json.dumps(claims, default=str),
+                )
+                token.make_signed_token(self.application.jwk_key)
+
+            headers = {"Content-Type": "application/x-www-form-urlencoded"}
+            data = {"logout_token": token.serialize()}
+            response = requests.post(self.application.backchannel_logout_uri, headers=headers, data=data)
+            response.raise_for_status()
+        except (AssertionError, requests.RequestException) as exc:
+            raise BackchannelLogoutRequestError(str(exc))
+
     @property
     def scopes(self):
         """
@@ -657,71 +699,6 @@ class Meta(AbstractIDToken.Meta):
         swappable = "OAUTH2_PROVIDER_ID_TOKEN_MODEL"
 
 
-class AbstractLogoutToken(models.Model):
-    TTL = timedelta(minutes=10)
-
-    id = models.BigAutoField(primary_key=True)
-    user = models.ForeignKey(
-        settings.AUTH_USER_MODEL, on_delete=models.CASCADE, related_name="%(app_label)s_%(class)s"
-    )
-    application = models.ForeignKey(oauth2_settings.APPLICATION_MODEL, on_delete=models.CASCADE)
-    id_token = models.OneToOneField(oauth2_settings.ID_TOKEN_MODEL, null=True, on_delete=models.SET_NULL)
-    created = models.DateTimeField(auto_now_add=True)
-
-    @property
-    def expires(self):
-        return self.created + self.TTL
-
-    @property
-    def jwt_claim_dictionary(self):
-        claims = {
-            "iss": oauth2_settings.OIDC_ISS_ENDPOINT,
-            "sub": str(self.user.id),
-            "aud": str(self.application.client_id),
-            "iat": int(self.created.timestamp()),
-            "exp": int(self.expires.timestamp()),
-            "events": {"http://schemas.openid.net/event/backchannel-logout": {}},
-        }
-
-        if self.id_token and self.id_token.jti:
-            claims["jti"] = str(self.id_token.jti)
-
-        return claims
-
-    def get_serialized_jwt(self):
-        # Standard JWT header
-        header = {"typ": "logout+jwt", "alg": self.application.algorithm}
-        # RS256 consumers expect a kid in the header for verifying the token
-        if self.application.algorithm == AbstractApplication.RS256_ALGORITHM:
-            header["kid"] = self.application.jwk_key.thumbprint()
-
-        token = jwt.JWT(
-            header=json.dumps(header, default=str),
-            claims=json.dumps(self.jwt_claim_dictionary, default=str),
-        )
-        token.make_signed_token(self.application.jwk_key)
-        return token.serialize()
-
-    def send_backchannel_logout_request(self):
-        if not oauth2_settings.OIDC_BACKCHANNEL_LOGOUT_ENABLED:
-            return
-        try:
-            headers = {"Content-Type": "application/x-www-form-urlencoded"}
-            data = {"logout_token": self.get_serialized_jwt()}
-            response = requests.post(self.application.backchannel_logout_uri, headers=headers, data=data)
-            response.raise_for_status()
-        except (AssertionError, requests.RequestException) as exc:
-            raise BackchannelLogoutRequestError(str(exc))
-
-    class Meta:
-        abstract = True
-
-
-class LogoutToken(AbstractLogoutToken):
-    class Meta(AbstractLogoutToken.Meta):
-        swappable = "OAUTH2_PROVIDER_LOGOUT_TOKEN_MODEL"
-
-
 def get_application_model():
     """Return the Application model that is active in this project."""
     return apps.get_model(oauth2_settings.APPLICATION_MODEL)
@@ -742,11 +719,6 @@ def get_id_token_model():
     return apps.get_model(oauth2_settings.ID_TOKEN_MODEL)
 
 
-def get_logout_token_model():
-    """Return the IDToken model that is active in this project."""
-    return apps.get_model(oauth2_settings.LOGOUT_TOKEN_MODEL)
-
-
 def get_refresh_token_model():
     """Return the RefreshToken model that is active in this project."""
     return apps.get_model(oauth2_settings.REFRESH_TOKEN_MODEL)
@@ -776,12 +748,6 @@ def get_id_token_admin_class():
     return id_token_admin_class
 
 
-def get_logout_token_admin_class():
-    """Return the LogoutToken admin class that is active in this project."""
-    logout_token_admin_class = oauth2_settings.LOGOUT_TOKEN_ADMIN_CLASS
-    return logout_token_admin_class
-
-
 def get_refresh_token_admin_class():
     """Return the RefreshToken admin class that is active in this project."""
     refresh_token_admin_class = oauth2_settings.REFRESH_TOKEN_ADMIN_CLASS
@@ -812,7 +778,6 @@ def batch_delete(queryset, query):
     access_token_model = get_access_token_model()
     refresh_token_model = get_refresh_token_model()
     id_token_model = get_id_token_model()
-    logout_token_model = get_logout_token_model()
     grant_model = get_grant_model()
     REFRESH_TOKEN_EXPIRE_SECONDS = oauth2_settings.REFRESH_TOKEN_EXPIRE_SECONDS
 
@@ -840,11 +805,6 @@ def batch_delete(queryset, query):
     else:
         logger.info("refresh_expire_at is %s. No refresh tokens deleted.", refresh_expire_at)
 
-    logout_token_query = models.Q(created__lt=now - logout_token_model.TTL)
-    logout_tokens = logout_token_model.objects.filter(logout_token_query)
-    logout_tokens_delete_no = batch_delete(logout_tokens, logout_token_query)
-    logger.info("%s Expired logout tokens deleted", logout_tokens_delete_no)
-
     access_token_query = models.Q(refresh_token__isnull=True, expires__lt=now)
     access_tokens = access_token_model.objects.filter(access_token_query)
 
@@ -957,11 +917,6 @@ def send_backchannel_logout_requests(user):
     id_tokens = IDToken.objects.filter(application__backchannel_logout_uri__isnull=False, user=user)
     for id_token in id_tokens:
         try:
-            logout_token = LogoutToken.objects.create(
-                user=user, application=id_token.application, id_token=id_token
-            )
-            logout_token.send_backchannel_logout_request()
+            id_token.send_backchannel_logout_request()
         except BackchannelLogoutRequestError as exc:
             logger.warn(str(exc))
-        except IntegrityError:
-            logger.warn(f"Logout for {id_token} already exists")

oauth2_provider/models.py

@@ -30,7 +30,6 @@
 APPLICATION_MODEL = getattr(settings, "OAUTH2_PROVIDER_APPLICATION_MODEL", "oauth2_provider.Application")
 ACCESS_TOKEN_MODEL = getattr(settings, "OAUTH2_PROVIDER_ACCESS_TOKEN_MODEL", "oauth2_provider.AccessToken")
 ID_TOKEN_MODEL = getattr(settings, "OAUTH2_PROVIDER_ID_TOKEN_MODEL", "oauth2_provider.IDToken")
-LOGOUT_TOKEN_MODEL = getattr(settings, "OAUTH2_PROVIDER_LOGOUT_TOKEN_MODEL", "oauth2_provider.LogoutToken")
 GRANT_MODEL = getattr(settings, "OAUTH2_PROVIDER_GRANT_MODEL", "oauth2_provider.Grant")
 REFRESH_TOKEN_MODEL = getattr(settings, "OAUTH2_PROVIDER_REFRESH_TOKEN_MODEL", "oauth2_provider.RefreshToken")
 
@@ -62,14 +61,12 @@
     "APPLICATION_MODEL": APPLICATION_MODEL,
     "ACCESS_TOKEN_MODEL": ACCESS_TOKEN_MODEL,
     "ID_TOKEN_MODEL": ID_TOKEN_MODEL,
-    "LOGOUT_TOKEN_MODEL": LOGOUT_TOKEN_MODEL,
     "GRANT_MODEL": GRANT_MODEL,
     "REFRESH_TOKEN_MODEL": REFRESH_TOKEN_MODEL,
     "APPLICATION_ADMIN_CLASS": "oauth2_provider.admin.ApplicationAdmin",
     "ACCESS_TOKEN_ADMIN_CLASS": "oauth2_provider.admin.AccessTokenAdmin",
     "GRANT_ADMIN_CLASS": "oauth2_provider.admin.GrantAdmin",
     "ID_TOKEN_ADMIN_CLASS": "oauth2_provider.admin.IDTokenAdmin",
-    "LOGOUT_TOKEN_ADMIN_CLASS": "oauth2_provider.admin.LogoutTokenAdmin",
     "REFRESH_TOKEN_ADMIN_CLASS": "oauth2_provider.admin.RefreshTokenAdmin",
     "REQUEST_APPROVAL_PROMPT": "force",
     "ALLOWED_REDIRECT_URI_SCHEMES": ["http", "https"],