fix: correct error handling in rp initiated logout

Previously the extractor would return `ExtractorError::Unauthorized` when the issuer does not provide a end_session_endpoint. Now it will return a `ExtractorError::RpInitiatedLogoutNotSupported`.
2024-11-21 11:02:50 +01:00 · 2024-08-30 10:33:07 +02:00 · 2024-08-30 10:33:07 +02:00 · 202b61fa83
commit 202b61fa83
parent 32ecc2041b
3 changed files with 15 additions and 10 deletions
--- a/src/error.rs
+++ b/src/error.rs
@ -11,11 +11,12 @@ pub enum ExtractorError {
    #[error("unauthorized")]
    Unauthorized,

-    #[error("rp initiated logout information not found")]
-    RpInitiatedLogoutInformationNotFound,
+    #[error("rp initiated logout not supported by issuer")]
+    RpInitiatedLogoutNotSupported,

    #[error("could not build rp initiated logout uri")]
    FailedToCreateRpInitiatedLogoutUri,
+
 }

 #[derive(Debug, Error)]
@ -88,7 +89,7 @@ impl IntoResponse for ExtractorError {
    fn into_response(self) -> axum_core::response::Response {
        match self {
            Self::Unauthorized => (StatusCode::UNAUTHORIZED, "unauthorized").into_response(),
-            Self::RpInitiatedLogoutInformationNotFound => {
+            Self::RpInitiatedLogoutNotSupported => {
                (StatusCode::INTERNAL_SERVER_ERROR, "intenal server error").into_response()
            }
            Self::FailedToCreateRpInitiatedLogoutUri => {
--- a/src/extractor.rs
+++ b/src/extractor.rs
@ -155,11 +155,14 @@ where
    type Rejection = ExtractorError;

    async fn from_request_parts(parts: &mut Parts, _: &S) -> Result<Self, Self::Rejection> {
-        parts
+        match parts
            .extensions
-            .get::<Self>()
+            .get::<Option<Self>>()
            .cloned()
-            .ok_or(ExtractorError::Unauthorized)
+            .ok_or(ExtractorError::Unauthorized)?{
+            Some(this) => Ok(this),
+            None => Err(ExtractorError::RpInitiatedLogoutNotSupported),
+            }
    }
 }

--- a/src/middleware.rs
+++ b/src/middleware.rs
@ -409,15 +409,16 @@ fn insert_extensions<AC: AdditionalClaims>(
    parts.extensions.insert(OidcAccessToken(
        authenticated_session.access_token.secret().to_string(),
    ));
-    if let Some(end_session_endpoint) = &client.end_session_endpoint {
-        parts.extensions.insert(OidcRpInitiatedLogout {
+    let rp_initiated_logout = client.end_session_endpoint.as_ref().map(|end_session_endpoint|
+OidcRpInitiatedLogout {
            end_session_endpoint: end_session_endpoint.clone(),
            id_token_hint: authenticated_session.id_token.to_string(),
            client_id: client.client_id.clone(),
            post_logout_redirect_uri: None,
            state: None,
-        });
        }
+    );
+        parts.extensions.insert(rp_initiated_logout);
 }

 /// Verify the access token hash to ensure that the access token hasn't been substituted for