diff --git a/servicex_app/servicex_app/web/auth_callback.py b/servicex_app/servicex_app/web/auth_callback.py
index e1c1ea08c..8e9684a3c 100644
--- a/servicex_app/servicex_app/web/auth_callback.py
+++ b/servicex_app/servicex_app/web/auth_callback.py
@@ -26,7 +26,10 @@ def auth_callback():
 tokens = oauth.oauth.authorize_access_token()
 id_token = tokens["userinfo"]
- session_tokens = {"access_token": tokens["access_token"]}
+ session_tokens = {
+ "access_token": tokens["access_token"],
+ "id_token": tokens["id_token"],
+ }
 session.update(
 tokens=session_tokens,
diff --git a/servicex_app/servicex_app/web/sign_out.py b/servicex_app/servicex_app/web/sign_out.py
index 3230af7c9..e11088f2b 100644
--- a/servicex_app/servicex_app/web/sign_out.py
+++ b/servicex_app/servicex_app/web/sign_out.py
@@ -16,8 +16,9 @@ def sign_out():
 scope=oauth.oauth.client_kwargs["scope"],
 )
 oauth.oauth.load_server_metadata()
- for ty in ("access_token", "refresh_token"):
- if ty in session["tokens"]:
+ id_token = session["tokens"].get("id_token")
+ for ty in ("access_token",):
+ if ty in session["tokens"]: # pragma: no branch
 client.revoke_token(
 oauth.oauth.server_metadata["revocation_endpoint"],
 token=session["tokens"][ty],
@@ -30,9 +31,9 @@ def sign_out():
 ga_logout_url = "".join(
 [
 oauth.oauth.server_metadata["end_session_endpoint"],
- f"?client={current_app.config['OAUTH_CLIENT_ID']}",
- f"&redirect_uri={redirect_uri}",
- "&redirect_name=ServiceX Portal",
+ f"?client_id={current_app.config['OAUTH_CLIENT_ID']}",
+ f"&id_token_hint={id_token}" if id_token else "",
+ f"&post_logout_redirect_uri={redirect_uri}",
 ]
 )
 return redirect(ga_logout_url)
diff --git a/servicex_app/servicex_app_test/web/test_sign_out.py b/servicex_app/servicex_app_test/web/test_sign_out.py
index fe6cda8c9..3870bffc7 100644
--- a/servicex_app/servicex_app_test/web/test_sign_out.py
+++ b/servicex_app/servicex_app_test/web/test_sign_out.py
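Review bot: In `auth_callback` (auth_callback.py), the raw ID token now goes into `session["tokens"]` next to the access token, and nothing in the hunk says why it is kept or how it is protected. If the app uses Flask's default cookie-backed session (the session backend is not visible here), the JWT is signed but readable by the client, and its full length is added to a cookie that browsers cap at roughly 4 KB, so an oversized session can be dropped silently. I would add a comment such as `# id_token is kept only so sign_out can send it as id_token_hint` and confirm that the session is stored server-side or that the cookie stays within the limit. The function body continues outside the hunk.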
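Review bot: In the first `sign_out` hunk (sign_out.py), narrowing the revocation loop to `("access_token",)` is safe only while nothing stores a refresh token in `session["tokens"]`; the `auth_callback` hunk in this commit stores just `access_token` and `id_token`, but other writers of the session are not visible here. A one-element loop guarded by `# pragma: no branch` also hides that intent, so I would write it directly as `access_token = session["tokens"].get("access_token")` followed by `if access_token:`, with a comment stating that no refresh token is kept in the session. `session["tokens"]` is still indexed without a default, so a request whose session has no `tokens` key raises `KeyError` unless a guard outside the hunk prevents it.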
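Review bot: The logout URL in the second `sign_out` hunk (sign_out.py) is still assembled by pasting values into the query string, so `redirect_uri`, itself a full URL, and the ID token are sent without percent-encoding. An unencoded `&`, `#` or `?` inside `post_logout_redirect_uri` would change how the provider parses the request, and the expectation in test_sign_out.py pins the same unencoded form. Building the query with `urllib.parse.urlencode` keeps each parameter intact; it needs importing (the file's import block is outside the hunk), and the expected URL in the test would have to move to the encoded value. `redirect_uri` is defined outside the hunk.

```python
def sign_out():
    # … unchanged: client setup, metadata load, token revocation, redirect_uri …
    logout_params = {"client_id": current_app.config["OAUTH_CLIENT_ID"]}
    if id_token:
        logout_params["id_token_hint"] = id_token
    logout_params["post_logout_redirect_uri"] = redirect_uri
    ga_logout_url = (
        oauth.oauth.server_metadata["end_session_endpoint"]
        + "?"
        + urlencode(logout_params)
    )
    return redirect(ga_logout_url)
```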
@@ -1,5 +1,3 @@
-from urllib.parse import quote
-
 from flask import Response, url_for, session
 from .web_test_base import WebTestBase
@@ -12,9 +10,7 @@ def test_sign_out(self, mocker, oauth_client, oauth_session, client):
 sess["tokens"] = oauth_tokens
 response: Response = client.get(url_for("sign_out"))
 relevant_tokens = [
- _[1]
- for _ in oauth_tokens.items()
- if _[0] in ("access_token", "refresh_token")
+ _[1] for _ in oauth_tokens.items() if _[0] in ("access_token",)
 ]
 calls = [
 mocker.call(
@@ -28,9 +24,9 @@ def test_sign_out(self, mocker, oauth_client, oauth_session, client):
 ga_logout_url = "".join(
 [
 "https://auth.globus.org/v2/web/logout",
- f"?client={client.application.config['OAUTH_CLIENT_ID']}",
- f"&redirect_uri={url_for('home', _external=True)}",
- f"&redirect_name={quote('ServiceX Portal')}",
+ f"?client_id={client.application.config['OAUTH_CLIENT_ID']}",
+ "&id_token_hint=opaque"
+ f"&post_logout_redirect_uri={url_for('home', _external=True)}",
 ]
 )
 assert response.status_code == 302
diff --git a/servicex_app/servicex_app_test/web/web_test_base.py b/servicex_app/servicex_app_test/web/web_test_base.py
index 7ca7cbc48..d803c59cb 100644
--- a/servicex_app/servicex_app_test/web/web_test_base.py
+++ b/servicex_app/servicex_app_test/web/web_test_base.py
@@ -122,13 +122,7 @@ def _auth_url():
 @staticmethod
 def _oauth_tokens():
- return {
- "access_token": "globus-auth-access-token",
- "expires_at_seconds": 1596734412,
- "resource_server": "auth.globus.org",
- "scope": "email profile openid",
- "token_type": "Bearer",
- }
+ return {"access_token": "opaque", "id_token": "opaque"}
 @staticmethod
 def _globus_metadata():
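Review bot: In the expected-URL hunk of `test_sign_out` (test_sign_out.py), the added line `"&id_token_hint=opaque"` has no trailing comma, so it is joined to the following f-string by implicit literal concatenation instead of being its own list element; the result matches only because `"".join` concatenates the pieces anyway. Add the comma: `"&id_token_hint=opaque",`. The test also covers only a session that carries an `id_token`, so the `else ""` branch added in `sign_out` has no visible test; a second case with `id_token` removed from `sess["tokens"]` and no hint in the expected URL would pin it.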
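Review bot: `_oauth_tokens` (web_test_base.py) now returns the same value `"opaque"` for both `access_token` and `id_token`, so no test can tell which token reached the revocation call and which one ended up in `id_token_hint`; a mix-up that put the access token into the logout URL would still pass. Use distinct constructed values, for example `return {"access_token": "opaque-access-token", "id_token": "opaque-id-token"}`, and update the expected URL in `test_sign_out` to match. The enclosing class starts outside the hunk.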