From a13dcb94df6d946a8b529cbe3ce124fa35bf0206 Mon Sep 17 00:00:00 2001 From: jasquat Date: Thu, 28 Jul 2022 12:08:31 -0400 Subject: [PATCH] added logout_return call w/ cullerton --- src/spiffworkflow_backend/api.yml | 21 +++++++++++++++++++ src/spiffworkflow_backend/config/default.py | 4 ++-- src/spiffworkflow_backend/routes/user.py | 13 +++++++----- .../services/authentication_service.py | 12 ++++++++--- 4 files changed, 40 insertions(+), 10 deletions(-) diff --git a/src/spiffworkflow_backend/api.yml b/src/spiffworkflow_backend/api.yml index fdc2e2e7..ff7d8d32 100755 --- a/src/spiffworkflow_backend/api.yml +++ b/src/spiffworkflow_backend/api.yml @@ -52,6 +52,17 @@ paths: '200': description: Test Return Response /logout: + parameters: + - name: id_token + in: query + required: true + schema: + type: string + - name: redirect_url + in: query + required: false + schema: + type: string get: security: [] operationId: spiffworkflow_backend.routes.user.logout @@ -61,6 +72,16 @@ paths: responses: '200': description: Logout Authenticated User + /logout_return: + get: + security: [] + operationId: spiffworkflow_backend.routes.user.logout_return + summary: Logout authenticated user + tags: + - Authentication + responses: + '200': + description: Logout Authenticated User /login_swagger: parameters: diff --git a/src/spiffworkflow_backend/config/default.py b/src/spiffworkflow_backend/config/default.py index 833f0924..3a7bcd6c 100644 --- a/src/spiffworkflow_backend/config/default.py +++ b/src/spiffworkflow_backend/config/default.py 
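Review bot: The new `redirect_url` query parameter on `/logout` is accepted from the caller but nothing in this commit uses it — `PublicAuthenticationService.logout` hard-codes its post-logout target — so the spec advertises a knob that is silently ignored. If it is meant to be honoured later it becomes a caller-controlled redirect target and should be checked against a configured allow-list of frontend origins before it is forwarded to Keycloak; until then it is clearer to leave it out of the spec. Both new parameters also lack a `description:`; `id_token` could carry `description: The id_token handed to the frontend by /login_return; forwarded to Keycloak as id_token_hint.`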
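Review bot: The `summary:` and `'200'` description of the new `/logout_return` operation are copied from `/logout` and describe the wrong thing: `logout_return` is the `post_logout_redirect_uri` Keycloak sends the browser back to, and the handler only redirects on to the frontend. Something like `summary: Post-logout landing endpoint; redirects the browser back to the frontend` keeps the generated docs accurate, and since the handler returns a redirect the response to document is `'302':` rather than `'200':`. `security: []` is presumably right here, because the browser arrives only after Keycloak has ended the session, but that reasoning is worth a one-line `description:` so it is not removed as an oversight later.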
@@ -15,6 +15,6 @@ CORS_ALLOW_ORIGINS = re.split( # Keycloak server KEYCLOAK_SERVER_URL = environ.get("KEYCLOAK_SERVER_URL", default="http://localhost:7002") -KEYCLOAK_CLIENT_ID = environ.get("KEYCLOAK_CLIENT_ID", default="spiffworkflow_backend") +KEYCLOAK_CLIENT_ID = environ.get("KEYCLOAK_CLIENT_ID", default="spiffworkflow-backend") KEYCLOAK_REALM_NAME = environ.get("KEYCLOAK_REALM_NAME", default="spiffworkflow") -KEYCLOAK_CLIENT_SECRET_KEY = environ.get("KEYCLOAK_CLIENT_SECRET_KEY", default="seciKpRanUReL0ksZaFm5nfjhMUKHVAO") # noqa: S105 +KEYCLOAK_CLIENT_SECRET_KEY = environ.get("KEYCLOAK_CLIENT_SECRET_KEY", default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q") # noqa: S105 diff --git a/src/spiffworkflow_backend/routes/user.py b/src/spiffworkflow_backend/routes/user.py index 3e93eb6a..9d8e725a 100644 --- a/src/spiffworkflow_backend/routes/user.py +++ b/src/spiffworkflow_backend/routes/user.py @@ -77,7 +77,7 @@ def verify_token(token: Optional[str] = None) -> Dict[str, Optional[str]]: except Exception as e: current_app.logger.error(f"Exception raised while adding user in get_token: {e}") raise ApiError(code="fail_add_user_model", - message="Cannot add user in verify_token") + message="Cannot add user in verify_token") from e if user_model: g.user = user_model.id 
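Review bot: The new hard-coded default for `KEYCLOAK_CLIENT_SECRET_KEY` means any deployment that forgets to set the environment variable silently runs with a secret that is readable in the repository, and the previous default stays in git history, so both values should be treated as known to anyone with read access to the repo and rotated on the Keycloak client. Even if this client only exists on a local development realm, a safer shape is `KEYCLOAK_CLIENT_SECRET_KEY = environ.get("KEYCLOAK_CLIENT_SECRET_KEY")` with a clear error raised where the value is consumed (e.g. `get_keycloak_args`, outside this hunk), so a missing secret fails loudly instead of quietly falling back. The `# noqa: S105` marker is suppressing exactly the linter check that would have flagged this line.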
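Review bot: The log line kept as context just above the changed `raise` still says `in get_token` although this function is `verify_token`, so the message that reaches the logs points at the wrong place. Since this runs inside the `except`, `current_app.logger.exception("Exception raised while adding user in verify_token")` would fix the name and also record the traceback that the added `from e` now preserves on the ApiError. The body of `verify_token` continues outside the hunk.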
@@ -174,14 +174,17 @@ def login_return(code, state, session_state): if user_model: g.user = user_model.id - return redirect(f"http://localhost:7001/?token={id_token_object['access_token']}") + return redirect(f"http://localhost:7001/?access_token={id_token_object['access_token']}&id_token={id_token}") # return f"{code} {state} {id_token}" -def logout(): - return PublicAuthenticationService().logout() +def logout(id_token: str, redirect_url: str | None): + return PublicAuthenticationService().logout(id_token=id_token, redirect_url=redirect_url) + +def logout_return(): + return redirect(f"http://localhost:7001/") def is_internal_token(token) -> bool: decoded_token = UserModel.decode_auth_token(token) print("is_internal_token") - return True \ No newline at end of file + return True diff --git a/src/spiffworkflow_backend/services/authentication_service.py b/src/spiffworkflow_backend/services/authentication_service.py index 21a7fe93..ae9ab5b4 100644 --- a/src/spiffworkflow_backend/services/authentication_service.py +++ b/src/spiffworkflow_backend/services/authentication_service.py @@ -38,9 +38,15 @@ class PublicAuthenticationService: It uses a separate public keycloak client: spiffworkflow-frontend Used during development to make testing easy. """ - def logout(self): + def logout(self, redirect_url: str='/', id_token: str | None=None): + if id_token is None: + raise ApiError(code='missing_id_token', + message="id_token is missing", + status_code=400) + + return_redirect_url = 'http://localhost:7000/v1.0/logout_return' keycloak_server_url, keycloak_client_id, keycloak_realm_name, keycloak_client_secret_key = get_keycloak_args() - request_url = f"{keycloak_server_url}/realms/{keycloak_realm_name}/protocol/openid-connect/logout" + request_url = f"{keycloak_server_url}/realms/{keycloak_realm_name}/protocol/openid-connect/logout?post_logout_redirect_uri={return_redirect_url}&id_token_hint={id_token}" return redirect(request_url) 
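Review bot: `logout(id_token: str, redirect_url: str | None)` gives `redirect_url` no default while api.yml marks it `required: false`; if connexion dispatches this operation (as the `operationId` form suggests) an omitted optional query parameter is simply not passed, so a plain `/logout?id_token=...` request would fail with a TypeError — `def logout(id_token: str, redirect_url: str | None = None):` matches the spec. Separately, `login_return` now places both `access_token` and `id_token` in the query string of the redirect to `http://localhost:7001/`, where they end up in browser history, proxy and access logs, and any `Referer` header the frontend page later sends; carrying them in the URL fragment or through a short-lived server-side handoff keeps them out of those stores. The frontend origin is hard-coded in both `login_return` and the new `logout_return`, so it belongs in config next to `KEYCLOAK_SERVER_URL`. `login_return` starts outside the hunk.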
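Review bot: `logout` builds the Keycloak end-session URL by string interpolation, so neither `post_logout_redirect_uri` nor `id_token_hint` is URL-encoded, and the `redirect_url` parameter it now accepts is never read (the post-logout target is the literal `http://localhost:7000/v1.0/logout_return`). Building the query with `urllib.parse.urlencode({"post_logout_redirect_uri": return_redirect_url, "id_token_hint": id_token})` and appending it after `?` handles the encoding, and `redirect_url` should either be dropped or documented as intentionally ignored. If it is honoured later it must be validated against an allow-list before being forwarded, even though Keycloak is expected to check it against the client's registered post-logout redirect URIs as well; the backend's own return URL should likewise come from configuration rather than a literal. The new `raise ApiError(...)` assumes `ApiError` is imported in this module, which the hunk does not show.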
@@ -216,4 +222,4 @@ class KeycloakAuthenticationService: class KeyCloak: - """Class to interact with KeyCloak server for authorization""" \ No newline at end of file + """Class to interact with KeyCloak server for authorization"""