Update validation log message for applications without logout permission

7 years ago · 002eeb8dd3
2 changed files with 42 additions and 2 deletions
--- a/src/OpenIddict.Server/Internal/OpenIddictServerProvider.Session.cs
+++ b/src/OpenIddict.Server/Internal/OpenIddictServerProvider.Session.cs
@ -142,8 +142,9 @@ namespace OpenIddict.Server.Internal

                if (!await ValidatePostLogoutRedirectUriAsync(context.PostLogoutRedirectUri))
                {
-                    _logger.LogError("The logout request was rejected because the specified post_logout_redirect_uri " +
-                                     "was unknown: {PostLogoutRedirectUri}.", context.PostLogoutRedirectUri);
+                    _logger.LogError("The logout request was rejected because no application with the specified " +
+                                     "post_logout_redirect_uri and with a logout endpoint permission was found: " +
+                                     "{PostLogoutRedirectUri}.", context.PostLogoutRedirectUri);

                    context.Reject(
                        error: OpenIddictConstants.Errors.InvalidRequest,
--- a/test/OpenIddict.Server.Tests/Internal/OpenIddictServerProviderTests.Session.cs
+++ b/test/OpenIddict.Server.Tests/Internal/OpenIddictServerProviderTests.Session.cs
@ -118,6 +118,45 @@ namespace OpenIddict.Server.Internal.Tests
            Mock.Get(manager).Verify(mock => mock.FindByPostLogoutRedirectUriAsync("http://www.fabrikam.com/path", It.IsAny<CancellationToken>()), Times.Once());
        }

+        [Fact]
+        public async Task ValidateLogoutRequest_RequestIsRejectedWhenApplicationHasNoLogoutPermission()
+        {
+            // Arrange
+            var application = new OpenIddictApplication();
+
+            var manager = CreateApplicationManager(instance =>
+            {
+                instance.Setup(mock => mock.FindByPostLogoutRedirectUriAsync("http://www.fabrikam.com/path", It.IsAny<CancellationToken>()))
+                    .ReturnsAsync(ImmutableArray.Create(application));
+
+                instance.Setup(mock => mock.HasPermissionAsync(application,
+                    OpenIddictConstants.Permissions.Endpoints.Logout, It.IsAny<CancellationToken>()))
+                    .ReturnsAsync(false);
+            });
+
+            var server = CreateAuthorizationServer(builder =>
+            {
+                builder.Services.AddSingleton(manager);
+
+                builder.Configure(options => options.IgnoreEndpointPermissions = false);
+            });
+
+            var client = new OpenIdConnectClient(server.CreateClient());
+
+            // Act
+            var response = await client.PostAsync(LogoutEndpoint, new OpenIdConnectRequest
+            {
+                PostLogoutRedirectUri = "http://www.fabrikam.com/path"
+            });
+
+            // Assert
+            Assert.Equal(OpenIddictConstants.Errors.InvalidRequest, response.Error);
+            Assert.Equal("The specified 'post_logout_redirect_uri' parameter is not valid.", response.ErrorDescription);
+
+            Mock.Get(manager).Verify(mock => mock.HasPermissionAsync(application,
+                OpenIddictConstants.Permissions.Endpoints.Logout, It.IsAny<CancellationToken>()), Times.Once());
+        }
+
        [Fact]
        public async Task HandleLogoutRequest_RequestIsPersistedInDistributedCache()
        {