Pass id_token_hint on logout

src/simple_openid_connect/data.py

@@ -4,9 +4,8 @@
 import enum
 import logging
 import time
-from typing import Any, Callable, List, Literal, Mapping, Optional, Type, Union
+from typing import Any, Callable, List, Literal, Mapping, Optional, Union
 
-from cryptojwt import JWK
 from pydantic import AnyHttpUrl, Extra, Field, root_validator
 
 from simple_openid_connect.base_data import OpenidBaseModel
@@ -166,7 +165,7 @@ class IdToken(OpenidBaseModel):
 
     class Config:
         extra = Extra.allow
-        allow_mutation = True
+        allow_mutation = False
 
     iss: AnyHttpUrl
     "REQUIRED. Issuer Identifier for the Issuer of the response The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components."
@@ -201,9 +200,6 @@ class Config:
     sid: Optional[str]
     "OPTIONAL. Session ID - String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP. Different sid values are used to identify distinct sessions at an OP. The sid value need only be unique in the context of a particular issuer. Its contents are opaque to the RP."
 
-    raw_token: Optional[str]
-    "The raw token received from the issuer."
-
     def validate_extern(
         self,
         issuer: str,
@@ -297,14 +293,6 @@ def validate_extern(
                 "The session associated with this ID-Token was authenticated too far in the past",
             )
 
-    @classmethod
-    def parse_jwt(
-        cls: Type["IdToken"], value: str, signing_keys: List[JWK]
-    ) -> "IdToken":
-        token = super().parse_jwt(value, signing_keys)
-        token.raw_token = value
-        return token
-
 
 class JwtAccessToken(OpenidBaseModel):
     """

src/simple_openid_connect/integrations/django/migrations/0003_openidsession_add_raw_id_token.py

@@ -0,0 +1,17 @@
+# Generated by Django 4.2.1 on 2024-02-08 07:55
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("simple_openid_connect_django", "0002_move_sessions_id_token"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="openidsession",
+            name="raw_id_token",
+            field=models.TextField(blank=True),
+        ),
+    ]

src/simple_openid_connect/integrations/django/models.py

@@ -87,6 +87,7 @@ def update_session(
             refresh_token=token_response.refresh_token or "",
             refresh_token_expiry=_calc_expiry(token_response.refresh_expires_in),
             _id_token=id_token.json(),  # type: ignore[unused-ignore,misc]
+            raw_id_token=token_response.id_token,
         )
 
 
@@ -107,6 +108,7 @@ class OpenidSession(models.Model):
     refresh_token = models.TextField(blank=True)
     refresh_token_expiry = models.DateTimeField(null=True)
     _id_token = models.TextField("json representation of this sessions is token")
+    raw_id_token = models.TextField(blank=True)
 
     @property
     def id_token(self) -> IdToken:
@@ -116,13 +118,10 @@ def id_token(self) -> IdToken:
     def id_token(self, value: IdToken) -> None:
         self._id_token = value.json()
 
-    @property
-    def raw_id_token(self) -> Optional[str]:
-        return self.id_token.raw_token
-
     def update_session(self, token_response: TokenSuccessResponse) -> None:
         self.scope = str(token_response.scope)
         self.access_token = token_response.access_token
         self.access_token_expiry = _calc_expiry(token_response.expires_in)
         self.refresh_token = token_response.refresh_token or ""
         self.refresh_token_expiry = _calc_expiry(token_response.refresh_expires_in)
+        self.raw_id_token = token_response.id_token