Refactor RPInitiatedLogoutView #1274
Conversation
Codecov Report
@@ Coverage Diff @@
## master #1274 +/- ##
==========================================
- Coverage 97.39% 97.34% -0.05%
==========================================
Files 32 32
Lines 2035 2073 +38
==========================================
+ Hits 1982 2018 +36
- Misses 53 55 +2
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
tonial
changed the title
tonial
changed the title
|
I'm sorry I haven't been present the last month or so. I've been dealing with some personal issues. I'm catching up on my OSS backlog the next two weeks. I should get to this review next week. Thank you for your patience. |
There was a problem hiding this comment.
This adds a lot of lines of code that approve logout functionality, but without added documentation, it's not clear to me if DOT users who would benefit from this new functionality without reading the source code. Is the current documentation of RP-Initiated Logout sufficient or is there new configuration info that it would help to document?
|
This PR intends to make the code easier to read and to override. Here are the two reasons why :
Regarding the documentation : I feel like the current documentation is already enough. Maybe we could add a part explaining how to easily override OIDC views, by defining a urlpattern that replaces |
|
Thanks @tonial. I believe that was @dopry's comment. It appears they have become too busy lately and I am trying to bring this PR to closure without a deep understanding of this part of OIDC. Yes, a short example with the urls, etc. that would help people understand how to configure it would be helpful I think. |
|
@n2ygk thanks for pinging me. My time is freeing up with my kiddo back in school and summer break coming to an end. I'll dive into this today. |
|
Oh, I'm sorry for mixing up your usernames... 🤦 I've added some documentation in the Advanced topics. |
There was a problem hiding this comment.
This is a move in the right direction. I think we could break out a few additional methods to make the logout validation a little simpler and allow developers to surgically override id_token/client validation and redirect_uri validation. I could see someone overriding user/client validation to send events to security logging infrastructure. I could see post_logout_redirect_uri validation being overriding to hard code restraints at a global level independent of Application.
@n2ygk there isn't any new configuration here, just some implementation refactoring to make it more flexible for developers.
I don't think we need to worry too much about documenting how to extend the view class or override urlpatterns. I hope most developers who are getting tasked with OIDC Provider implementations are savvy with regard to Django routing and extending classes to override methods in python. At the very least I feel that is outside of the scope of this issue and should be a separate documentation PR
|
@dopry I've split the validation as you suggested. I even added a |
|
@tonial This is looking very svelte now! From just a code review perspective we're looking very good. I'll run it through it's paces early next week. |
|
@tonial looking at codecov, it looks like we're missing coverage for a few lines as well... https://app.codecov.io/gh/jazzband/django-oauth-toolkit/pull/1274/blob/oauth2_provider/views/oidc.py I don't think I'd block merging this over those 2 branches, but they'd be super nice to have. |
Description of the Change
Following this comment : #1270 (comment) I tried to refactor the view.
@dopry I didn't have a revelation on how to completely clean those multiple variables.
The fact that we need to call
validate_logout_request()from bothform_valid()and'get()does not help.Checklist
CHANGELOG.mdupdated (only for user relevant changes)AUTHORS