fix: correct error handling in rp initiated logout
Previously the extractor would return `ExtractorError::Unauthorized` when the issuer does not provide an `end_session_endpoint`. Now it returns an `ExtractorError::RpInitiatedLogoutNotSupported` instead.
This commit is contained in:
parent
32ecc2041b
commit
202b61fa83
3 changed files with 15 additions and 10 deletions
@ -11,11 +11,12 @@ pub enum ExtractorError {
|
||||||
#[error("unauthorized")]
|
#[error("unauthorized")]
|
||||||
Unauthorized,
|
Unauthorized,
|
||||||
|
|
||||||
#[error("rp initiated logout information not found")]
|
#[error("rp initiated logout not supported by issuer")]
|
||||||
RpInitiatedLogoutInformationNotFound,
|
RpInitiatedLogoutNotSupported,
|
||||||
|
|
||||||
#[error("could not build rp initiated logout uri")]
|
#[error("could not build rp initiated logout uri")]
|
||||||
FailedToCreateRpInitiatedLogoutUri,
|
FailedToCreateRpInitiatedLogoutUri,
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Debug, Error)]
|
#[derive(Debug, Error)]
|
||||||
|
@ -88,7 +89,7 @@ impl IntoResponse for ExtractorError {
|
||||||
fn into_response(self) -> axum_core::response::Response {
|
fn into_response(self) -> axum_core::response::Response {
|
||||||
match self {
|
match self {
|
||||||
Self::Unauthorized => (StatusCode::UNAUTHORIZED, "unauthorized").into_response(),
|
Self::Unauthorized => (StatusCode::UNAUTHORIZED, "unauthorized").into_response(),
|
||||||
Self::RpInitiatedLogoutInformationNotFound => {
|
Self::RpInitiatedLogoutNotSupported => {
|
||||||
(StatusCode::INTERNAL_SERVER_ERROR, "intenal server error").into_response()
|
(StatusCode::INTERNAL_SERVER_ERROR, "intenal server error").into_response()
|
||||||
}
|
}
|
||||||
Self::FailedToCreateRpInitiatedLogoutUri => {
|
Self::FailedToCreateRpInitiatedLogoutUri => {
|
||||||
|
|
|
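Review bot: The response body in the rewritten `RpInitiatedLogoutNotSupported` arm of `into_response` still carries the typo `intenal server error`; since the commit already touches this arm, fix the literal at the same time: `(StatusCode::INTERNAL_SERVER_ERROR, "internal server error").into_response()`. Keeping the HTTP body generic instead of echoing the variant's `Display` text (`rp initiated logout not supported by issuer`) is the right choice, since the client gains nothing from learning the issuer's capabilities from an error response, but that makes the condition indistinguishable from any other 500 for operators — consider logging the `Display` message server-side before returning, as this is a static issuer-configuration problem rather than a transient failure. Both the `ExtractorError` enum and the `into_response` match begin before their hunks, so any other arms carrying the same message are not visible here.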
@ -155,11 +155,14 @@ where
|
||||||
type Rejection = ExtractorError;
|
type Rejection = ExtractorError;
|
||||||
|
|
||||||
async fn from_request_parts(parts: &mut Parts, _: &S) -> Result<Self, Self::Rejection> {
|
async fn from_request_parts(parts: &mut Parts, _: &S) -> Result<Self, Self::Rejection> {
|
||||||
parts
|
match parts
|
||||||
.extensions
|
.extensions
|
||||||
.get::<Self>()
|
.get::<Option<Self>>()
|
||||||
.cloned()
|
.cloned()
|
||||||
.ok_or(ExtractorError::Unauthorized)
|
.ok_or(ExtractorError::Unauthorized)?{
|
||||||
|
Some(this) => Ok(this),
|
||||||
|
None => Err(ExtractorError::RpInitiatedLogoutNotSupported),
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
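Review bot: The `match` on the already-unwrapped `Option<Self>` in `from_request_parts` is just a second `ok_or`, and the `?{` spacing will not survive `rustfmt`; the whole body can be `parts.extensions.get::<Option<Self>>().cloned().ok_or(ExtractorError::Unauthorized)?.ok_or(ExtractorError::RpInitiatedLogoutNotSupported)`. The two-level `Option` is a contract with the middleware that inserts the extension and deserves a comment on the `get::<Option<Self>>()` line, e.g. `// Extension absent: no authenticated session was established for this request. Inner None: the issuer advertises no end_session_endpoint.` — the middleware hunk in this same commit inserts `None` exactly when `client.end_session_endpoint` is absent, so the comment is grounded, but the "absent means unauthenticated" half relies on `insert_extensions` being the only writer, which is worth confirming. The enclosing `impl` and its `where` bounds start before the hunk.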
@ -409,15 +409,16 @@ fn insert_extensions<AC: AdditionalClaims>(
|
||||||
parts.extensions.insert(OidcAccessToken(
|
parts.extensions.insert(OidcAccessToken(
|
||||||
authenticated_session.access_token.secret().to_string(),
|
authenticated_session.access_token.secret().to_string(),
|
||||||
));
|
));
|
||||||
if let Some(end_session_endpoint) = &client.end_session_endpoint {
|
let rp_initiated_logout = client.end_session_endpoint.as_ref().map(|end_session_endpoint|
|
||||||
parts.extensions.insert(OidcRpInitiatedLogout {
|
OidcRpInitiatedLogout {
|
||||||
end_session_endpoint: end_session_endpoint.clone(),
|
end_session_endpoint: end_session_endpoint.clone(),
|
||||||
id_token_hint: authenticated_session.id_token.to_string(),
|
id_token_hint: authenticated_session.id_token.to_string(),
|
||||||
client_id: client.client_id.clone(),
|
client_id: client.client_id.clone(),
|
||||||
post_logout_redirect_uri: None,
|
post_logout_redirect_uri: None,
|
||||||
state: None,
|
state: None,
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
);
|
||||||
|
parts.extensions.insert(rp_initiated_logout);
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Verify the access token hash to ensure that the access token hasn't been substituted for
|
/// Verify the access token hash to ensure that the access token hasn't been substituted for
|
||||||
|
|
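Review bot: `insert_extensions` now inserts the `Option<OidcRpInitiatedLogout>` extension unconditionally, and the reason — letting the extractor separate "no session" from "issuer has no end_session_endpoint" — is stated nowhere near the insert; add above `parts.extensions.insert(rp_initiated_logout);` the comment `// Always insert, even as None: the extractor maps a missing extension to Unauthorized and an inner None to RpInitiatedLogoutNotSupported, so dropping this insert would silently change the error returned.` The `as_ref().map(|end_session_endpoint| ...)` closure that then calls `end_session_endpoint.clone()` can be written as `client.end_session_endpoint.clone().map(|end_session_endpoint| OidcRpInitiatedLogout { end_session_endpoint, ... })`, which avoids the borrow-then-clone and reads as a plain field move; `rustfmt` will also reflow the multi-line closure as written. The function signature and the rest of `insert_extensions` lie outside the hunk.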