Handle "next" query string param in CustomLogoutView #2064

Open
wants to merge 2 commits into
base: main

Contributor

@gumaerc gumaerc commented Feb 20, 2025

What are the relevant tickets?

Closes https://github.com/mitodl/hq/issues/6789

Description (What does it do?)

This PR sets up the CustomLogoutView's _keycloak_logout_url function to properly pass the next query string param to Keycloak as post_logout_redirect_uri if it is passed along in the initial request to /logout. In this case, it would be sent instead of the value of settings.LOGOUT_REDIRECT_URL.

How can this be tested?

  • Spin up mit-learn locally on this branch
  • Log in to the site at http://localhost:8062/ in your usual way
  • Click the User Menu in the upper right, then right click on "Log Out" and click "Copy link address"
  • Open a new tab and paste in the URL, but don't go to it yet
  • At the end of the URL, add: `?next=https://www.google.com`
  • Verify that when you hit enter, you are brought to Google
  • Navigate back to your instance of MIT Learn and verify that you are logged out

…t along to keycloak as "post_logout_redirect_uri" instead of settings.LOGOUT_REDIRECT_URL
@@ -33,12 +33,13 @@ def _keycloak_logout_url(self, user):
user, provider=OlOpenIdConnectAuth.name
).first()
id_token = user_social_auth_record.extra_data.get("id_token")
qs_next = self.request.GET.get("next")
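Review bot: `qs_next` on the last visible line is read straight from `self.request.GET.get("next")` with no validation in this hunk, and the description says it replaces `settings.LOGOUT_REDIRECT_URL` as `post_logout_redirect_uri`. If it is used as-is further down, `/logout?next=...` redirects to whatever host the caller supplies (the test plan's google.com case shows exactly that). Check the value against an allow-list of hosts before building the Keycloak URL, for example with Django's `url_has_allowed_host_and_scheme`, fall back to `settings.LOGOUT_REDIRECT_URL` when the check fails, and add a test for a rejected external `next`.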
Contributor

You can use social auth's redirect sanitization for this: https://github.com/python-social-auth/social-core/blob/master/social_core/actions.py#L27-L31. You'll need to pull the value of allowed redirects more directly from the settings though.
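
A sketch of the kind of allow-list check this comment points toward, added here as an example; it is not code from this PR, from mit-learn, or from social-core. The host names, the Keycloak endpoint URL and the function names `safe_next` and `keycloak_logout_url` are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit

# Constructed values for illustration; a real deployment reads these from settings.
ALLOWED_REDIRECT_HOSTS = {"learn.example.test", "localhost:8062"}
LOGOUT_REDIRECT_URL = "https://learn.example.test/"
KEYCLOAK_LOGOUT_ENDPOINT = (
    "https://sso.example.test/realms/demo/protocol/openid-connect/logout"
)


def safe_next(next_url, allowed_hosts=ALLOWED_REDIRECT_HOSTS,
              default=LOGOUT_REDIRECT_URL):
    """Return next_url only if it is an absolute http(s) URL on an allowed host."""
    if not next_url:
        return default
    # Browsers treat "\" like "/" and drop control characters, so a value
    # containing either can resolve to a different host than the parser sees.
    if "\\" in next_url or any(ord(c) < 0x21 or ord(c) == 0x7F for c in next_url):
        return default
    try:
        parts = urlsplit(next_url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return default
    # Rejects javascript:, data:, scheme-relative //host and relative paths.
    # Relative paths are refused on the assumption that the identity provider
    # needs an absolute post-logout URI.
    if parts.scheme not in ("http", "https"):
        return default
    # Refuse userinfo such as https://learn.example.test@other.test/
    if parts.username is not None or parts.password is not None:
        return default
    if parts.netloc.lower() not in allowed_hosts:
        return default
    return next_url


def keycloak_logout_url(id_token, next_url=None):
    """Build the logout URL, using next_url only when it passes safe_next."""
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": safe_next(next_url),
    }
    return f"{KEYCLOAK_LOGOUT_ENDPOINT}?{urlencode(params)}"
```

With this check in place, the `?next=https://www.google.com` step from the test plan falls back to the default logout redirect instead of leaving the site.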

@gumaerc gumaerc added the Needs Review An open Pull Request that is ready for review label Feb 21, 2025