feat: Store the ID token and use it to log the user out (#1334)

* fix: Retrieve the auth session before logging out The user is actually logged in for this session action, so we want to retrieve the auth credentials so that we can properly log the user out. * feat: Store the ID token and use it to log the user out This logout URL is the new structure for Keycloak version 19. --------- Co-authored-by: Erin Moore <[email protected]>
mbta · Jul 12, 2023 · a0eb66e · a0eb66e
1 parent 9c707b9
commit a0eb66e
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 9 deletions.
diff --git a/apps/concierge_site/lib/controllers/auth_controller.ex b/apps/concierge_site/lib/controllers/auth_controller.ex
@@ -26,7 +26,12 @@ defmodule ConciergeSite.AuthController do
                   other: %{
                     user_info: %{"mbta_uuid" => id, "email" => email} = user_info
                   }
-                } = credentials
+                } = credentials,
+              extra: %{
+                raw_info: %{
+                  tokens: %{"id_token" => id_token}
+                }
+              }
             }
           }
         } = conn,
@@ -44,7 +49,7 @@ defmodule ConciergeSite.AuthController do
       |> get_or_create_user(email, phone_number, role)
       |> use_props_from_token(email, phone_number, role)
 
-    SessionHelper.sign_in(conn, user)
+    SessionHelper.sign_in(conn, user, %{id_token: id_token})
   end
 
   def callback(%{assigns: %{ueberauth_failure: failure}} = conn, _params) do

diff --git a/apps/concierge_site/lib/helpers/session_helper.ex b/apps/concierge_site/lib/helpers/session_helper.ex
@@ -11,20 +11,22 @@ defmodule ConciergeSite.SessionHelper do
 
   @doc "Signs in a user with Guardian and redirects to the appropriate route."
   @spec sign_in(Conn.t(), User.t()) :: Conn.t()
-  def sign_in(conn, user) do
+  def sign_in(conn, user, claims \\ %{}) do
     conn
-    |> ConciergeSite.Guardian.Plug.sign_in(user)
+    |> ConciergeSite.Guardian.Plug.sign_in(user, claims)
     |> redirect(to: sign_in_redirect_path(user))
   end
 
   @spec sign_out(Conn.t()) :: Conn.t()
   def sign_out(conn) do
     redirect_to =
       if keycloak_auth?() do
+        id_token = conn |> Guardian.Plug.current_claims() |> Map.get("id_token")
+
         [
           external:
             URI.encode(
-              "#{System.get_env("KEYCLOAK_LOGOUT_URI")}?redirect_uri=#{page_url(conn, :landing)}"
+              "#{System.get_env("KEYCLOAK_LOGOUT_URI")}?post_logout_redirect_uri=#{page_url(conn, :landing)}&id_token_hint=#{id_token}"
             )
         ]
       else

diff --git a/apps/concierge_site/lib/router.ex b/apps/concierge_site/lib/router.ex
@@ -64,14 +64,16 @@ defmodule ConciergeSite.Router do
     post("/api/feedback", FeedbackController, :new)
     get("/digest/feedback", DigestFeedbackController, :feedback)
     post("/api/digest/feedback", DigestFeedbackController, :new)
-    resources("/login", SessionController, only: [:new, :create, :delete], singleton: true)
+    resources("/login", SessionController, only: [:new, :create], singleton: true)
     resources("/account", AccountController, only: [:new, :create])
     resources("/password_resets", PasswordResetController, only: [:new, :create, :edit, :update])
   end
 
   scope "/", ConciergeSite do
     pipe_through([:redirect_prod_http, :browser, :browser_auth, :layout])
 
+    resources("/login", SessionController, only: [:delete], singleton: true)
+
     get("/account/options", AccountController, :options_new)
     post("/account/options", AccountController, :options_create)
     get("/account/edit", AccountController, :edit)

diff --git a/apps/concierge_site/lib/templates/account/edit_keycloak.html.eex b/apps/concierge_site/lib/templates/account/edit_keycloak.html.eex
@@ -75,9 +75,7 @@
           <h2 style="font-size: 1.25rem;">Your MBTA Account</h2>
           <ul>
             <li class="mb-2">
-              <a href="https://login-sandbox.mbtace.com/auth/realms/MBTA/protocol/openid-connect/auth?client_id=t-alerts&amp;kc_action=MBTA_UPDATE_PROFILE&amp;response_type=code&amp;redirect_uri=https://alerts-concierge-dev.mbtace.com/account/edit">
-                Update your email address
-              </a>
+              <%= link to: update_profile_url(@conn) do %>Update your email address<% end %>
               <span>
               (currently <%= email(@current_user) %>)
               </span>

diff --git a/apps/concierge_site/test/web/controllers/auth_controller_test.exs b/apps/concierge_site/test/web/controllers/auth_controller_test.exs
@@ -163,6 +163,11 @@ defmodule ConciergeSite.Web.AuthControllerTest do
             "preferred_username" => email
           }
         }
+      },
+      extra: %{
+        raw_info: %{
+          tokens: %{"id_token" => "FAKE ID TOKEN"}
+        }
       }
     }
   end