feat: Possibly pass client in logout request #2483
Conversation
@@ -22,6 +22,9 @@ type LogoutRequest struct { | |||
|
|||
// RPInitiated is set to true if the request was initiated by a Relying Party (RP), also known as an OAuth 2.0 Client. | |||
RpInitiated bool `json:"rp_initiated,omitempty"` | |||
|
|||
// client, only set if rp_initiated | |||
Client *OAuth2Client `json:"client,omitempty"` |
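Review bot: the doc comment on the new `Client` field (`// client, only set if rp_initiated`) should match the style of the `RPInitiated` comment directly above it, e.g. `// Client is the OAuth 2.0 Client that initiated the logout; only set when RPInitiated is true.` Since the field serializes a full `OAuth2Client` into the logout request JSON, the PR also needs a test asserting that the marshaled payload carries the client but never its secret, as the maintainers ask below. Note as well that this file is generated; the change belongs on the source type in consent/types.go, from which this file is regenerated.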
These files are auto-generated, you would need to add that to the actual type ( https://github.com/ory/hydra/blob/master/consent/types.go#L398 ) and of course it also needs to be set and stored!
OK, the thing is, the client is actually passed, so Ory Hydra works with it, it just isn't represented in the JSON form, so I suppose with my latest commit it works now?
No, you still need to set the client somewhere. I suggest adding a test to see if it does what you want!
But it already is set here
hydra/consent/strategy_default.go
Line 914 in 24f91ab
Client: cl,
Ah I see, my bad - these files are auto-generated! What you need to do is to change this line:
Line 451 in cf2fe0c
Client *client.Client `json:"-" db:"-"`
This will then update that file automatically! Then we also need a test to check if the client is actually set in JSON. For example, by doing an assertion here:
hydra/consent/strategy_logout_test.go
Line 140 in cf2fe0c
require.NotEmpty(t, *v.Payload.RedirectTo)
I already altered the types.go, but where should I put the test? There's also no test that expects rp_initiated to be true, which is the only case where client would be set.
This test is doing rp_initiated:
hydra/consent/strategy_logout_test.go
Line 343 in cf2fe0c
t.Run("case=should pass rp-initiated flows", func(t *testing.T) {
You can add the assertion there!
Where exactly? I don't see an assert for rp_initiated, so I am not sure.
Awesome, thank you! 🎉 Your contribution makes Ory better :)
Thank you! This looks better! Could you please add a test to confirm that this is working? The test also must check if client_secret is omitted :) Thank you!
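The serialization check the maintainer is asking for, as an added Go illustration that is not Hydra's own code: the client appears under `client` only for RP-initiated logouts, and the client's secret must not show up anywhere in the JSON, whatever key it might be serialized under. Apart from the `RPInitiated` and `Client` fields quoted in the thread, the type and field names are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// OAuth2Client is a constructed stand-in for Hydra's client type (not the
// project's code). The secret is tagged json:"-" so it never reaches JSON
// consumers; the field name Secret is an assumption.
type OAuth2Client struct {
	ClientID string `json:"client_id"`
	Secret   string `json:"-"`
}

// LogoutRequest carries the two fields discussed in the PR: RPInitiated and
// the Client, which is only set when the logout was initiated by an RP.
type LogoutRequest struct {
	Challenge   string        `json:"challenge"`
	RPInitiated bool          `json:"rp_initiated,omitempty"`
	Client      *OAuth2Client `json:"client,omitempty"`
}

// CheckLogoutJSON inspects a serialized logout request. It reports whether a
// "client" object with a client_id is present, and whether the given secret
// value occurs anywhere in the raw payload (independent of any JSON key name,
// so a mistagged field is still caught).
func CheckLogoutJSON(raw []byte, secret string) (clientPresent, secretLeaked bool, err error) {
	var payload struct {
		Client *struct {
			ClientID string `json:"client_id"`
		} `json:"client"`
	}
	if err = json.Unmarshal(raw, &payload); err != nil {
		return false, false, err
	}
	clientPresent = payload.Client != nil && payload.Client.ClientID != ""
	secretLeaked = secret != "" && bytes.Contains(raw, []byte(secret))
	return clientPresent, secretLeaked, nil
}

func main() {
	// Constructed sample: an RP-initiated logout with the client attached.
	req := LogoutRequest{Challenge: "constructed-challenge", RPInitiated: true,
		Client: &OAuth2Client{ClientID: "my-rp", Secret: "constructed-secret"}}
	raw, _ := json.Marshal(req)
	present, leaked, _ := CheckLogoutJSON(raw, req.Client.Secret)
	fmt.Printf("%s\nclient present: %v, secret leaked: %v\n", raw, present, leaked)
}
```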
You know I did this change a week ago? Also where should I put the test, there is no test that actually checks for rp_initiated being true, so idk.
Not sure I understand? I linked the place where the test needs to be added already, it is here: hydra/consent/strategy_logout_test.go Line 343 in cf2fe0c
That test is RP Initiated, the call here hydra/consent/strategy_logout_test.go Line 366 in cf2fe0c
so this call hydra/consent/strategy_logout_test.go Line 85 in cf2fe0c
which ends up here hydra/consent/strategy_logout_test.go Line 140 in cf2fe0c
and there you have access to the client. I linked these lines of code already in my comments:
Sorry, but without tests I can't merge things. This is security software and needs thorough testing and good code quality. I know this might be frustrating to keep working on this but it's just the way this repo needs to work to prevent security issues. For example, I suspect that your change would currently expose the
Maybe I misunderstand but I believe the instructions to be correct and accurate.
But that is for acceptLogoutRequest, I am passing it in getLogoutRequest
@honzapatCZ I updated the code to unblock you and also help understand what I meant. Check out my commit here: 58ac49a Hope this helps and sorry again for the frustrating contribution experience. But we got your feature merged! :) Thank you for the help
So it's done and this can be closed?
No, it's not merged yet. CI is also failing. If you have appetite to look into it, I would appreciate it!
Found the issue I believe
🎉 🥳 |
Related issue
#2468
Proposed changes
I haven't studied the api, but hopefully just extending the response model would work