pfzetto/axum-oidc
1
0
Fork 0
mirror of https://github.com/pfzetto/axum-oidc.git synced 2024-11-21 19:12:49 +01:00
Code Issues Projects Releases Packages Wiki Activity

fix: correct error handling in rp initiated logout

Browse source 
Previously the extractor would return `ExtractorError::Unauthorized` when the issuer
does not provide a end_session_endpoint.
Now it will return a `ExtractorError::RpInitiatedLogoutNotSupported`.
This commit is contained in:
Paul Zinselmeyer 2024-08-30 10:33:07 +02:00
parent 32ecc2041b
commit 202b61fa83
Signed by: pfzetto
GPG key ID: B471A1AF06C895FD
3 changed files with 15 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
src/error.rs
View file

@ -11,11 +11,12 @@ pub enum ExtractorError {
#[error("unauthorized")] #[error("unauthorized")]
Unauthorized, Unauthorized,
#[error("rp initiated logout information not found")] #[error("rp initiated logout not supported by issuer")]
RpInitiatedLogoutInformationNotFound, RpInitiatedLogoutNotSupported,
#[error("could not build rp initiated logout uri")] #[error("could not build rp initiated logout uri")]
FailedToCreateRpInitiatedLogoutUri, FailedToCreateRpInitiatedLogoutUri,
} }
#[derive(Debug, Error)] #[derive(Debug, Error)]
@ -88,7 +89,7 @@ impl IntoResponse for ExtractorError {
fn into_response(self) -> axum_core::response::Response { fn into_response(self) -> axum_core::response::Response {
match self { match self {
Self::Unauthorized => (StatusCode::UNAUTHORIZED, "unauthorized").into_response(), Self::Unauthorized => (StatusCode::UNAUTHORIZED, "unauthorized").into_response(),
Self::RpInitiatedLogoutInformationNotFound => { Self::RpInitiatedLogoutNotSupported => {
(StatusCode::INTERNAL_SERVER_ERROR, "intenal server error").into_response() (StatusCode::INTERNAL_SERVER_ERROR, "intenal server error").into_response()
} }
Self::FailedToCreateRpInitiatedLogoutUri => { Self::FailedToCreateRpInitiatedLogoutUri => {

9
src/extractor.rs
View file

@ -155,11 +155,14 @@ where
type Rejection = ExtractorError; type Rejection = ExtractorError;
async fn from_request_parts(parts: &mut Parts, _: &S) -> Result<Self, Self::Rejection> { async fn from_request_parts(parts: &mut Parts, _: &S) -> Result<Self, Self::Rejection> {
parts match parts
.extensions .extensions
.get::<Self>() .get::<Option<Self>>()
.cloned() .cloned()
.ok_or(ExtractorError::Unauthorized) .ok_or(ExtractorError::Unauthorized)?{
Some(this) => Ok(this),
None => Err(ExtractorError::RpInitiatedLogoutNotSupported),
}
} }
} }

9
src/middleware.rs
View file

@ -409,15 +409,16 @@ fn insert_extensions<AC: AdditionalClaims>(
parts.extensions.insert(OidcAccessToken( parts.extensions.insert(OidcAccessToken(
authenticated_session.access_token.secret().to_string(), authenticated_session.access_token.secret().to_string(),
)); ));
if let Some(end_session_endpoint) = &client.end_session_endpoint { let rp_initiated_logout = client.end_session_endpoint.as_ref().map(|end_session_endpoint|
parts.extensions.insert(OidcRpInitiatedLogout { OidcRpInitiatedLogout {
end_session_endpoint: end_session_endpoint.clone(), end_session_endpoint: end_session_endpoint.clone(),
id_token_hint: authenticated_session.id_token.to_string(), id_token_hint: authenticated_session.id_token.to_string(),
client_id: client.client_id.clone(), client_id: client.client_id.clone(),
post_logout_redirect_uri: None, post_logout_redirect_uri: None,
state: None, state: None,
}); }
} );
parts.extensions.insert(rp_initiated_logout);
} }
/// Verify the access token hash to ensure that the access token hasn't been substituted for /// Verify the access token hash to ensure that the access token hasn't been substituted for