From 120a7471fdc32224fead248fee1fc40ee4fee560 Mon Sep 17 00:00:00 2001 From: Peter Onyisi Date: Mon, 17 Nov 2025 15:11:36 -0600 Subject: [PATCH 1/4] Fix logout on OIDC --- servicex_app/servicex_app/web/auth_callback.py | 3 ++- servicex_app/servicex_app/web/sign_out.py | 9 +++++---- servicex_app/servicex_app_test/web/test_sign_out.py | 8 ++++---- servicex_app/servicex_app_test/web/web_test_base.py | 7 ++----- 4 files changed, 13 insertions(+), 14 deletions(-) diff --git a/servicex_app/servicex_app/web/auth_callback.py b/servicex_app/servicex_app/web/auth_callback.py index e1c1ea08c..f46a1860a 100644 --- a/servicex_app/servicex_app/web/auth_callback.py +++ b/servicex_app/servicex_app/web/auth_callback.py @@ -26,7 +26,8 @@ def auth_callback(): tokens = oauth.oauth.authorize_access_token() id_token = tokens["userinfo"] - session_tokens = {"access_token": tokens["access_token"]} + session_tokens = {"access_token": tokens["access_token"], + "id_token": tokens["id_token"]} session.update( tokens=session_tokens, diff --git a/servicex_app/servicex_app/web/sign_out.py b/servicex_app/servicex_app/web/sign_out.py index 3230af7c9..20b8f24a2 100644 --- a/servicex_app/servicex_app/web/sign_out.py +++ b/servicex_app/servicex_app/web/sign_out.py @@ -16,7 +16,8 @@ def sign_out(): scope=oauth.oauth.client_kwargs["scope"], ) oauth.oauth.load_server_metadata() - for ty in ("access_token", "refresh_token"): + id_token = session["tokens"].get("id_token") + for ty in ("access_token",): if ty in session["tokens"]: client.revoke_token( oauth.oauth.server_metadata["revocation_endpoint"], 
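Review bot: Storing the raw ID token under `"id_token"` in `session_tokens` puts a full JWT, with whatever identity claims the provider includes, into the session. If the app uses Flask's default client-side cookie session (the session backend is not visible in this hunk), that cookie is signed but not encrypted, and browsers cap it at roughly 4 KB, so an oversized token may cause the cookie to be rejected. It is worth confirming the backend and adding a comment such as `# raw ID token (JWT), kept only to send as id_token_hint at sign-out`. The local `id_token` on the line above actually holds `tokens["userinfo"]` (the claims), which is easy to confuse with the new key; renaming it to `userinfo` would help. `auth_callback` starts and ends outside the hunk.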
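Review bot: After this change `for ty in ("access_token",):` iterates over a single item, so the loop only obscures a plain `if "access_token" in session["tokens"]:` guard around `client.revoke_token(...)`. Dropping `"refresh_token"` matches what `auth_callback` stores in this patch, but a comment should say so, for example `# only the access token is kept in the session; no refresh token is stored`, so that revocation is revisited if refresh tokens are ever requested. The same `if` line is edited again in PATCH 4/4. `sign_out` starts and ends outside the hunk.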
@@ -30,9 +31,9 @@ def sign_out(): ga_logout_url = "".join( [ oauth.oauth.server_metadata["end_session_endpoint"], - f"?client={current_app.config['OAUTH_CLIENT_ID']}", - f"&redirect_uri={redirect_uri}", - "&redirect_name=ServiceX Portal", + f"?client_id={current_app.config['OAUTH_CLIENT_ID']}", + f"&id_token_hint={id_token}" if id_token else "", + f"&post_logout_redirect_uri={redirect_uri}", ] ) return redirect(ga_logout_url) diff --git a/servicex_app/servicex_app_test/web/test_sign_out.py b/servicex_app/servicex_app_test/web/test_sign_out.py index fe6cda8c9..27b90608a 100644 --- a/servicex_app/servicex_app_test/web/test_sign_out.py +++ b/servicex_app/servicex_app_test/web/test_sign_out.py @@ -14,7 +14,7 @@ def test_sign_out(self, mocker, oauth_client, oauth_session, client): relevant_tokens = [ _[1] for _ in oauth_tokens.items() - if _[0] in ("access_token", "refresh_token") + if _[0] in ("access_token",) ] calls = [ mocker.call( @@ -28,9 +28,9 @@ def test_sign_out(self, mocker, oauth_client, oauth_session, client): ga_logout_url = "".join( [ "https://auth.globus.org/v2/web/logout", - f"?client={client.application.config['OAUTH_CLIENT_ID']}", - f"&redirect_uri={url_for('home', _external=True)}", - f"&redirect_name={quote('ServiceX Portal')}", + f"?client_id={client.application.config['OAUTH_CLIENT_ID']}", + "&id_token_hint=opaque" + f"&post_logout_redirect_uri={url_for('home', _external=True)}", ] ) assert response.status_code == 302 diff --git a/servicex_app/servicex_app_test/web/web_test_base.py b/servicex_app/servicex_app_test/web/web_test_base.py index 7ca7cbc48..1795555c6 100644 --- a/servicex_app/servicex_app_test/web/web_test_base.py +++ b/servicex_app/servicex_app_test/web/web_test_base.py 
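Review bot: The logout URL is assembled by string concatenation, so `redirect_uri`, `id_token` and the client id reach the query string without percent-encoding; a redirect URI containing `&`, `#` or `?` (its origin is outside the hunk) would corrupt `post_logout_redirect_uri` or add stray parameters. Building the query with `urllib.parse.urlencode`, which needs an import at the top of `sign_out.py`, avoids that and also removes the conditional empty-string element. The expected URL in `test_sign_out.py` would have to be built the same way. Separately, sending `id_token_hint` in a GET URL means the token can end up in browser history and proxy or server logs, which deserves a short comment. `sign_out` begins before this hunk.

```python
# … unchanged: token revocation and redirect_uri …
logout_params = {
    "client_id": current_app.config["OAUTH_CLIENT_ID"],
    "post_logout_redirect_uri": redirect_uri,
}
if id_token:
    # Sent only as a hint so the provider can identify the session to end.
    logout_params["id_token_hint"] = id_token
ga_logout_url = (
    oauth.oauth.server_metadata["end_session_endpoint"]
    + "?"
    + urlencode(logout_params)
)
return redirect(ga_logout_url)
```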
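Review bot: The expected-URL list is missing a comma after `"&id_token_hint=opaque"`, so that literal is implicitly concatenated with the following f-string and the list holds three elements rather than four. The joined string happens to be identical, so the test still passes, but a later edit to this list could change the expected URL without anyone noticing. Write `"&id_token_hint=opaque",` with the trailing comma. `test_sign_out` begins before this hunk.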
@@ -123,11 +123,8 @@ def _auth_url(): @staticmethod def _oauth_tokens(): return { - "access_token": "globus-auth-access-token", - "expires_at_seconds": 1596734412, - "resource_server": "auth.globus.org", - "scope": "email profile openid", - "token_type": "Bearer", + "access_token": "opaque", + "id_token": "opaque" } @staticmethod From 359bbb3a20331bde33cc3f102727078a91e1be2f Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 17 Nov 2025 21:12:55 +0000 Subject: [PATCH 2/4] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- servicex_app/servicex_app/web/auth_callback.py | 6 ++++-- servicex_app/servicex_app_test/web/test_sign_out.py | 4 +--- servicex_app/servicex_app_test/web/web_test_base.py | 5 +---- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/servicex_app/servicex_app/web/auth_callback.py b/servicex_app/servicex_app/web/auth_callback.py index f46a1860a..8e9684a3c 100644 --- a/servicex_app/servicex_app/web/auth_callback.py +++ b/servicex_app/servicex_app/web/auth_callback.py @@ -26,8 +26,10 @@ def auth_callback(): tokens = oauth.oauth.authorize_access_token() id_token = tokens["userinfo"] - session_tokens = {"access_token": tokens["access_token"], - "id_token": tokens["id_token"]} + session_tokens = { + "access_token": tokens["access_token"], + "id_token": tokens["id_token"], + } session.update( tokens=session_tokens, diff --git a/servicex_app/servicex_app_test/web/test_sign_out.py b/servicex_app/servicex_app_test/web/test_sign_out.py index 27b90608a..6a1c76d9b 100644 --- a/servicex_app/servicex_app_test/web/test_sign_out.py +++ b/servicex_app/servicex_app_test/web/test_sign_out.py 
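Review bot: Both fixture tokens in `_oauth_tokens` are the same string `"opaque"`, so the sign-out test cannot tell them apart: it would still pass if the ID token were sent to the revocation endpoint or the access token were sent as `id_token_hint`. Distinct values, e.g. `{"access_token": "opaque-access-token", "id_token": "opaque-id-token"}`, make those assertions meaningful; the `"&id_token_hint=opaque"` literal in `test_sign_out.py` would change to match. PATCH 2/4 reformats this dict onto one line and keeps the same values.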
@@ -12,9 +12,7 @@ def test_sign_out(self, mocker, oauth_client, oauth_session, client): sess["tokens"] = oauth_tokens response: Response = client.get(url_for("sign_out")) relevant_tokens = [ - _[1] - for _ in oauth_tokens.items() - if _[0] in ("access_token",) + _[1] for _ in oauth_tokens.items() if _[0] in ("access_token",) ] calls = [ mocker.call( diff --git a/servicex_app/servicex_app_test/web/web_test_base.py b/servicex_app/servicex_app_test/web/web_test_base.py index 1795555c6..d803c59cb 100644 --- a/servicex_app/servicex_app_test/web/web_test_base.py +++ b/servicex_app/servicex_app_test/web/web_test_base.py @@ -122,10 +122,7 @@ def _auth_url(): @staticmethod def _oauth_tokens(): - return { - "access_token": "opaque", - "id_token": "opaque" - } + return {"access_token": "opaque", "id_token": "opaque"} @staticmethod def _globus_metadata(): From cc8d80b4beeb2b473c48724edeab4d4d98345b09 Mon Sep 17 00:00:00 2001 From: Peter Onyisi Date: Mon, 17 Nov 2025 15:13:55 -0600 Subject: [PATCH 3/4] Flake8 fix --- servicex_app/servicex_app_test/web/test_sign_out.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/servicex_app/servicex_app_test/web/test_sign_out.py b/servicex_app/servicex_app_test/web/test_sign_out.py index 6a1c76d9b..3870bffc7 100644 --- a/servicex_app/servicex_app_test/web/test_sign_out.py +++ b/servicex_app/servicex_app_test/web/test_sign_out.py @@ -1,5 +1,3 @@ -from urllib.parse import quote - from flask import Response, url_for, session from .web_test_base import WebTestBase From e2ca40f67dc2fc7b79e8fafcb441ea58f055d5bb Mon Sep 17 00:00:00 2001 From: Peter Onyisi Date: Mon, 17 Nov 2025 15:33:55 -0600 Subject: [PATCH 4/4] Coverage pragma --- servicex_app/servicex_app/web/sign_out.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/servicex_app/servicex_app/web/sign_out.py b/servicex_app/servicex_app/web/sign_out.py index 20b8f24a2..e11088f2b 100644 --- a/servicex_app/servicex_app/web/sign_out.py 
+++ b/servicex_app/servicex_app/web/sign_out.py @@ -18,7 +18,7 @@ def sign_out(): oauth.oauth.load_server_metadata() id_token = session["tokens"].get("id_token") for ty in ("access_token",): - if ty in session["tokens"]: + if ty in session["tokens"]: # pragma: no branch client.revoke_token( oauth.oauth.server_metadata["revocation_endpoint"], token=session["tokens"][ty],
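Review bot: `# pragma: no branch` on `if ty in session["tokens"]:` tells coverage to ignore that the false path is never exercised, i.e. no test signs out with a session that lacks `access_token`. A small test for that case, plus one for a session without `id_token` (the `if id_token else ""` fallback added in PATCH 1/4), would cover the sign-out paths instead of hiding them. The hunk shows only part of `sign_out`.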