From 202b61fa8375dc2c8ab10d244fc36b220434e890 Mon Sep 17 00:00:00 2001
From: Paul Zinselmeyer
Date: Fri, 30 Aug 2024 10:33:07 +0200
Subject: [PATCH] fix: correct error handling in rp initiated logout

Previously the extractor would return `ExtractorError::Unauthorized` when the issuer does not provide a end_session_endpoint. Now it will return a `ExtractorError::RpInitiatedLogoutNotSupported`.
---
 src/error.rs | 7 ++++---
 src/extractor.rs | 9 ++++++---
 src/middleware.rs | 9 +++++----
 3 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/src/error.rs b/src/error.rs
index c580d16..454dddc 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -11,11 +11,12 @@ pub enum ExtractorError {
 #[error("unauthorized")]
 Unauthorized,
- #[error("rp initiated logout information not found")]
- RpInitiatedLogoutInformationNotFound,
+ #[error("rp initiated logout not supported by issuer")]
+ RpInitiatedLogoutNotSupported,
 #[error("could not build rp initiated logout uri")]
 FailedToCreateRpInitiatedLogoutUri,
+
 }
 #[derive(Debug, Error)]
@@ -88,7 +89,7 @@ impl IntoResponse for ExtractorError {
 fn into_response(self) -> axum_core::response::Response {
 match self {
 Self::Unauthorized => (StatusCode::UNAUTHORIZED, "unauthorized").into_response(),
- Self::RpInitiatedLogoutInformationNotFound => {
+ Self::RpInitiatedLogoutNotSupported => {
 (StatusCode::INTERNAL_SERVER_ERROR, "intenal server error").into_response()
 }
 Self::FailedToCreateRpInitiatedLogoutUri => {
diff --git a/src/extractor.rs b/src/extractor.rs
index 233f20d..9cd41ed 100644
--- a/src/extractor.rs
+++ b/src/extractor.rs
@@ -155,11 +155,14 @@ where
 type Rejection = ExtractorError;
 async fn from_request_parts(parts: &mut Parts, _: &S) -> Result {
- parts
+ match parts
 .extensions
- .get::()
+ .get::>()
 .cloned()
- .ok_or(ExtractorError::Unauthorized)
+ .ok_or(ExtractorError::Unauthorized)?{
+ Some(this) => Ok(this),
+ None => Err(ExtractorError::RpInitiatedLogoutNotSupported),
+ }
 }
 }
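Review bot: The added line after `FailedToCreateRpInitiatedLogoutUri,` is a stray blank line immediately before the enum's closing brace; `cargo fmt` removes it, so the hunk should be only the variant rename. The new message `rp initiated logout not supported by issuer` is a good description of a missing `end_session_endpoint`, so the rename itself reads right. The `ExtractorError` enum starts before this hunk, and its remaining variants are outside it.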
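Review bot: `Self::RpInitiatedLogoutNotSupported` is still answered with `StatusCode::INTERNAL_SERVER_ERROR`, even though the variant now describes a known capability gap of the issuer rather than a fault in this server, so an operator seeing the 500 has no hint that the fix is on the issuer side. Consider `Self::RpInitiatedLogoutNotSupported => (StatusCode::NOT_IMPLEMENTED, "rp initiated logout not supported").into_response(),`, or keep the 500 but log the variant at the error boundary so the misconfiguration is visible; either way the response body should stay generic, as it is now. The context line also carries the pre-existing typo `"intenal server error"`, which is worth correcting while this arm is being touched. `into_response` continues past the end of the hunk.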
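Review bot: The new `match` keeps the `Unauthorized` rejection ahead of the `RpInitiatedLogoutNotSupported` one, and that ordering is load-bearing: a request that never passed through the middleware has no extension at all and must still get the 401 before the extractor says anything about the issuer's capabilities, so it deserves a comment rather than staying implicit, e.g. `// No extension at all means the middleware did not run: reject as Unauthorized before reporting issuer capabilities.` The type parameter of `get::<…>()` does not survive in this rendering; assuming the new line reads `.get::<Option<Self>>()`, the extractor and `insert_extensions` in the src/middleware.rs hunk now agree only on a bare `Option` as the extension key, and a newtype wrapping that `Option` would make the contract between the two files explicit and prevent an unrelated insert of the same `Option` type from silently replacing it. On style, `?{` needs a space before the brace, and the whole match collapses to `.ok_or(ExtractorError::Unauthorized)?.ok_or(ExtractorError::RpInitiatedLogoutNotSupported)`, which expresses the same two-step rejection in one line. The `impl` block this method belongs to starts before the hunk.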
diff --git a/src/middleware.rs b/src/middleware.rs
index 97bbc09..8f0432a 100644
--- a/src/middleware.rs
+++ b/src/middleware.rs
@@ -409,15 +409,16 @@ fn insert_extensions(
 parts.extensions.insert(OidcAccessToken(
 authenticated_session.access_token.secret().to_string(),
 ));
- if let Some(end_session_endpoint) = &client.end_session_endpoint {
- parts.extensions.insert(OidcRpInitiatedLogout {
+ let rp_initiated_logout = client.end_session_endpoint.as_ref().map(|end_session_endpoint|
+OidcRpInitiatedLogout {
 end_session_endpoint: end_session_endpoint.clone(),
 id_token_hint: authenticated_session.id_token.to_string(),
 client_id: client.client_id.clone(),
 post_logout_redirect_uri: None,
 state: None,
- });
- }
+ }
+ );
+ parts.extensions.insert(rp_initiated_logout);
 }
 /// Verify the access token hash to ensure that the access token hasn't been substituted for
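Review bot: The layout of the new `map` call is not rustfmt output: the closure parameter list ends one line, `OidcRpInitiatedLogout {` starts the next at column 0, and `}` and `);` sit on separate lines, so `cargo fmt` should be run before this lands. Unconditionally inserting `rp_initiated_logout` is the right fix, since the extractor can now tell "not authenticated" apart from "issuer has no `end_session_endpoint`", but a one-line comment on the insert would record why the `Option` is stored even when it is `None`, e.g. `// Always present once the middleware ran; None means the issuer exposes no end_session_endpoint.` `insert_extensions` begins before this hunk, so the earlier inserts it performs are not visible here.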