handle logout when no session is present

2025-05-15 00:57:02 +02:00 · 2024-02-14 12:09:27 -05:00 · 2024-02-14 12:09:27 -05:00 · 3387ec032b
commit 3387ec032b
parent 7ec4b32f88
2 changed files with 25 additions and 1 deletions
--- a/src/djangooidc/tests/test_views.py
+++ b/src/djangooidc/tests/test_views.py
@ -327,6 +327,26 @@ class ViewsTest(TestCase):
            self.assertEqual(response.status_code, 302)
            self.assertEqual(actual, expected)

+    def test_logout_redirect_url_with_no_session_state(self, mock_client):
+        """Test that logout redirects to the configured post_logout_redirect_uris."""
+        with less_console_noise():
+            # MOCK
+            mock_client.callback.side_effect = self.user_info
+            mock_client.registration_response = {"post_logout_redirect_uris": ["http://example.com/back"]}
+            mock_client.provider_info = {"end_session_endpoint": "http://example.com/log_me_out"}
+            mock_client.client_id = "TEST"
+            # TEST
+            with less_console_noise():
+                response = self.client.get(reverse("logout"))
+            # ASSERTIONS
+            expected = (
+                "http://example.com/log_me_out?client_id=TEST"
+                "&post_logout_redirect_uri=http%3A%2F%2Fexample.com%2Fback"
+            )
+            actual = response.url
+            self.assertEqual(response.status_code, 302)
+            self.assertEqual(actual, expected)
+
    @patch("djangooidc.views.auth_logout")
    def test_logout_always_logs_out(self, mock_logout, _):
        """Without additional mocking, logout will always fail.
--- a/src/djangooidc/views.py
+++ b/src/djangooidc/views.py
@ -145,8 +145,12 @@ def logout(request, next_page=None):
        user = request.user
        request_args = {
            "client_id": CLIENT.client_id,
-            "state": request.session["state"],
        }
+        # if state is not in request session, still redirect to the identity
+        # provider's logout url, but don't include the state in the url; this
+        # will successfully log out of the identity provider
+        if "state" in request.session:
+            request_args["state"] = request.session["state"]
        if (
            "post_logout_redirect_uris" in CLIENT.registration_response.keys()
            and len(CLIENT.registration_response["post_logout_redirect_uris"]) > 0