logout works now and queryparams are getting passed correctly on login now

spiffworkflow-backend/bin/save_all_bpmn.py

@@ -9,7 +9,6 @@ def main() -> None:
     """Main."""
     app = create_app()
     with app.app_context():
-        print("HEY")
         failing_process_models = DataSetupService.save_all_process_models()
         for bpmn_errors in failing_process_models:
             print(bpmn_errors)

spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py

@@ -4,7 +4,6 @@ from typing import Any
 from typing import Optional
 
 import flask.wrappers
-from flask import current_app
 from flask import g
 from flask import jsonify
 from flask import make_response
@@ -89,13 +88,7 @@ def process_group_list(
             "pages": pages,
         },
     }
-    # response = make_response(jsonify(response_json), 200)
+    return make_response(jsonify(response_json), 200)
-    response = Response(
-        json.dumps(response_json), status=200, mimetype="application/json"
-    )
-    current_app.logger.info("SETTING COOKIE")
-    response.set_cookie("TEST_COOKIE", "HEY1")
-    return response
 
 
 def process_group_show(

spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py

@@ -62,9 +62,7 @@ def verify_token(
         token = request.headers["Authorization"].removeprefix("Bearer ")
 
     # This should never be set here but just in case
-    tld = current_app.config["THREAD_LOCAL_DATA"]
+    _clear_auth_tokens_from_thread_local_data()
-    if hasattr(tld, "new_access_token"):
-        tld.new_access_token = None
 
     if token:
         user_model = None
@@ -100,9 +98,9 @@ def verify_token(
                                 )
                             )
                             if auth_token and "error" not in auth_token:
-                                print("SETTING NEW TOKEN")
+                                tld = current_app.config["THREAD_LOCAL_DATA"]
-                                print(f"auth_token: {auth_token}")
                                 tld.new_access_token = auth_token["access_token"]
+                                tld.new_id_token = auth_token["id_token"]
                                 # We have the user, but this code is a bit convoluted, and will later demand
                                 # a user_info object so it can look up the user.  Sorry to leave this crap here.
                                 user_info = {
@@ -178,11 +176,24 @@ def verify_token(
 def set_new_access_token_in_cookie(
     response: flask.wrappers.Response,
 ) -> flask.wrappers.Response:
-    """Set_new_access_token_in_cookie."""
+    """Checks if a new token has been set in THREAD_LOCAL_DATA and sets cookies if appropriate.
+
+    It will also delete the cookies if the user has logged out.
+    """
     tld = current_app.config["THREAD_LOCAL_DATA"]
     if hasattr(tld, "new_access_token") and tld.new_access_token:
         response.set_cookie("access_token", tld.new_access_token)
-        tld.new_access_token = None
+
+    # id_token is required for logging out since this gets passed back to the openid server
+    if hasattr(tld, "new_id_token") and tld.new_id_token:
+        response.set_cookie("id_token", tld.new_id_token)
+
+    if hasattr(tld, 'user_has_logged_out') and tld.user_has_logged_out:
+        response.set_cookie("id_token", '', max_age=0)
+        response.set_cookie("access_token", '', max_age=0)
+
+    _clear_auth_tokens_from_thread_local_data()
+
     return response
 
 
@@ -249,12 +260,12 @@ def login_return(code: str, state: str, session_state: str) -> Optional[Response
                     user_model.id, auth_token_object["refresh_token"]
                 )
                 redirect_url = (
-                    f"{state_redirect_url}?"
+                    f"{state_redirect_url}"
-                    + f"access_token={auth_token_object['access_token']}&"
-                    + f"id_token={id_token}"
                 )
                 tld = current_app.config["THREAD_LOCAL_DATA"]
                 tld.new_access_token = auth_token_object["access_token"]
+                tld.new_id_token = auth_token_object["id_token"]
+                print(f"REDIRECT_URL: {redirect_url}")
                 return redirect(redirect_url)
 
         raise ApiError(
@@ -300,6 +311,8 @@ def logout(id_token: str, redirect_url: Optional[str]) -> Response:
     """Logout."""
     if redirect_url is None:
         redirect_url = ""
+    tld = current_app.config["THREAD_LOCAL_DATA"]
+    tld.user_has_logged_out = True
     return AuthenticationService().logout(redirect_url=redirect_url, id_token=id_token)
 
 
@@ -328,15 +341,6 @@ def get_decoded_token(token: str) -> Optional[Dict]:
                 error_code="unknown_token",
                 message="Unknown token type in get_decoded_token",
             )
-    # try:
-    #     # see if we have an open_id token
-    #     decoded_token = AuthorizationService.decode_auth_token(token)
-    # else:
-    #     if 'sub' in decoded_token and 'iss' in decoded_token and 'aud' in decoded_token:
-    #         token_type = 'id_token'
-
-    # if 'token_type' in decoded_token and 'sub' in decoded_token:
-    #     return True
 
 
 def get_scope(token: str) -> str:
@@ -363,3 +367,14 @@ def get_user_from_decoded_internal_token(decoded_token: dict) -> Optional[UserMo
         return user
     user = UserService.create_user(service_id, service, service_id)
     return user
+
+
+def _clear_auth_tokens_from_thread_local_data() -> None:
+    """_clear_auth_tokens_from_thread_local_data."""
+    tld = current_app.config["THREAD_LOCAL_DATA"]
+    if hasattr(tld, "new_access_token"):
+        delattr(tld, "new_access_token")
+    if hasattr(tld, "new_id_token"):
+        delattr(tld, "new_id_token")
+    if hasattr(tld, "user_has_logged_out"):
+        delattr(tld, "user_has_logged_out")

spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py

@@ -64,9 +64,7 @@ class AuthenticationService:
         openid_config_url = f"{cls.server_url()}/.well-known/openid-configuration"
         print(f"openid_config_url: {openid_config_url}")
         if name not in AuthenticationService.ENDPOINT_CACHE:
-            print("BEFORE")
             response = requests.get(openid_config_url)
-            print("AFTER")
             AuthenticationService.ENDPOINT_CACHE = response.json()
         if name not in AuthenticationService.ENDPOINT_CACHE:
             raise Exception(
@@ -95,6 +93,7 @@ class AuthenticationService:
     @staticmethod
     def generate_state(redirect_url: str) -> bytes:
         """Generate_state."""
+        print(f"REDIRECT_URL_HEY: {redirect_url}")
         state = base64.b64encode(bytes(str({"redirect_url": redirect_url}), "UTF-8"))
         return state
 
@@ -103,6 +102,7 @@ class AuthenticationService:
     ) -> str:
         """Get_login_redirect_url."""
         return_redirect_url = f"{self.get_backend_url()}{redirect_url}"
+        print(f"RETURN_REDIRECT_URL_ONE: {return_redirect_url}")
         login_redirect_url = (
             self.open_id_endpoint_for_name("authorization_endpoint")
             + f"?state={state}&"

spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py

@@ -412,59 +412,6 @@ class AuthorizationService:
             status_code=403,
         )
 
-    # def refresh_token(self, token: str) -> str:
-    #     """Refresh_token."""
-    #     # if isinstance(token, str):
-    #     #     token = eval(token)
-    #     (
-    #         open_id_server_url,
-    #         open_id_client_id,
-    #         open_id_realm_name,
-    #         open_id_client_secret_key,
-    #     ) = AuthorizationService.get_open_id_args()
-    #     headers = {"Content-Type": "application/x-www-form-urlencoded"}
-    #     request_url = f"{open_id_server_url}/realms/{open_id_realm_name}/protocol/openid-connect/token"
-    #     data = {
-    #         "grant_type": "refresh_token",
-    #         "client_id": "spiffworkflow-frontend",
-    #         "subject_token": token,
-    #         "refresh_token": token,
-    #     }
-    #     refresh_response = requests.post(request_url, headers=headers, data=data)
-    #     refresh_token = json.loads(refresh_response.text)
-    #     return refresh_token
-
-    # def get_bearer_token(self, basic_token: str) -> dict:
-    #     """Get_bearer_token."""
-    #     (
-    #         open_id_server_url,
-    #         open_id_client_id,
-    #         open_id_realm_name,
-    #         open_id_client_secret_key,
-    #     ) = AuthorizationService.get_open_id_args()
-    #
-    #     backend_basic_auth_string = f"{open_id_client_id}:{open_id_client_secret_key}"
-    #     backend_basic_auth_bytes = bytes(backend_basic_auth_string, encoding="ascii")
-    #     backend_basic_auth = base64.b64encode(backend_basic_auth_bytes)
-    #
-    #     headers = {
-    #         "Content-Type": "application/x-www-form-urlencoded",
-    #         "Authorization": f"Basic {backend_basic_auth.decode('utf-8')}",
-    #     }
-    #     data = {
-    #         "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
-    #         "client_id": open_id_client_id,
-    #         "subject_token": basic_token,
-    #         "audience": open_id_client_id,
-    #     }
-    #     request_url = f"{open_id_server_url}/realms/{open_id_realm_name}/protocol/openid-connect/token"
-    #
-    #     backend_response = requests.post(request_url, headers=headers, data=data)
-    #     # json_data = json.loads(backend_response.text)
-    #     # bearer_token = json_data['access_token']
-    #     bearer_token: dict = json.loads(backend_response.text)
-    #     return bearer_token
-
     @staticmethod
     def decode_auth_token(auth_token: str) -> dict[str, Union[str, None]]:
         """Decode the auth token.

spiffworkflow-frontend/src/helpers.tsx

@@ -208,10 +208,10 @@ export const refreshAtInterval = (
   timeout: number,
   func: Function
 ) => {
-  const intervalRef = setInterval(() => func(), interval * 1000);
+  const intervalRef = setInterval(() => func(), interval * 100000);
   const timeoutRef = setTimeout(
     () => clearInterval(intervalRef),
-    timeout * 1000
+    timeout * 100000
   );
   return () => {
     clearInterval(intervalRef);

spiffworkflow-frontend/src/services/UserService.ts

@@ -19,25 +19,24 @@ const getCookie = (key: string) => {
   return null;
 };
 
-// const getCurrentLocation = (queryParams: string = window.location.search) => {
+const getCurrentLocation = (queryParams: string = window.location.search) => {
-const getCurrentLocation = () => {
+  let queryParamString = '';
-  const queryParamString = '';
+  if (queryParams) {
-  // if (queryParams) {
+    queryParamString = `${queryParams}`;
-  //   queryParamString = `?${queryParams}`;
+  }
-  // }
+  return encodeURIComponent(
-  return `${window.location.origin}${window.location.pathname}${queryParamString}`;
+    `${window.location.origin}${window.location.pathname}${queryParamString}`
+  );
 };
 
 const doLogin = () => {
   const url = `${BACKEND_BASE_URL}/login?redirect_url=${getCurrentLocation()}`;
-  console.log('URL', url);
   window.location.href = url;
 };
 
-// Use access_token for now since it seems to work but if we need the
+// required for logging out
-// id token then set that in a cookie in backend as well
 const getIdToken = () => {
-  return getCookie('access_token');
+  return getCookie('id_token');
 };
 
 const doLogout = () => {