Add end session support

Original-author: Sergiy Mokiyenko <[email protected]>

Author: agologan

README.md

@@ -419,6 +419,78 @@ authState.performActionWithFreshTokens(service, new AuthStateAction() {
 });
 ```
 
+### Ending current session (Draft)
+
+Given you have a logged in session and you want to end it. In that case you need to get:
+- `AuthorizationServiceConfiguration`
+- valid Open Id Token that you should get after authentication
+- End of session URI that should be provided within you OpenId service config
+
+First you have to build EndSessionRequest
+
+```java
+EndSessionRequest endSessionRequest =
+    new EndSessionRequest.Builder(
+        authorizationServiceConfiguration,
+        idToken,
+        endSessionRedirectUri
+    ).build();
+```
+This request can then be dispatched using one of two approaches.
+
+a `startActivityForResult` call using an Intent returned from the `AuthorizationService`,
+or by calling `performEndSessionRequest` and providing pending intent for completion
+and cancelation handling activities.
+
+The startActivityForResult approach is simpler to use but may require more processing of the result:
+
+```java
+private void endSession() {
+  AuthorizationService authService = new AuthorizationService(this);
+  Intent endSessionItent = authService.getEndSessionRequestIntent(endSessionRequest);
+  startActivityForResult(endSessionItent, RC_END_SESSION);
+}
+
+@Override
+protected void onActivityResult(int requestCode, int resultCode, Intent data) {
+  if (requestCode == RC_END_SESSION) {
+    EndSessionResonse resp = EndSessionResonse.fromIntent(data);
+    AuthorizationException ex = AuthorizationException.fromIntent(data);
+    // ... process the response or exception ...
+  } else {
+    // ...
+  }
+}
+```
+If instead you wish to directly transition to another activity on completion or cancelation,
+you can use `performEndSessionRequest`:
+
+```java
+AuthorizationService authService = new AuthorizationService(this);
+
+authService.performEndSessionRequest(
+    endSessionRequest,
+    PendingIntent.getActivity(this, 0, new Intent(this, MyAuthCompleteActivity.class), 0),
+    PendingIntent.getActivity(this, 0, new Intent(this, MyAuthCanceledActivity.class), 0));
+```
+
+End session flow will also work involving browser mechanism that is described in authorization
+mechanism session.
+Handling response mechanism with transition to another activity should be as follows:
+
+ ```java
+public void onCreate(Bundle b) {
+  EndSessionResponse resp = EndSessionResponse.fromIntent(getIntent());
+  AuthorizationException ex = AuthorizationException.fromIntent(getIntent());
+  if (resp != null) {
+    // authorization completed
+  } else {
+    // authorization failed, check ex for more details
+  }
+  // ...
+}
+```
+
 ### AuthState persistence
 
 Instances of `AuthState` keep track of the authorization and token

app/README-Okta.md

@@ -13,7 +13,8 @@ You can create an Okta developer account at [https://developer.okta.com/](https:
 | Setting             | Value                                               |
 | ------------------- | --------------------------------------------------- |
 | Application Name    | OpenId Connect App *(must be unique)* |
-| Redirect URIs       | com.oktapreview.yoursubdomain://callback_url|
+| Login redirect URIs | com.oktapreview.yoursubdomain://callback_url|
+| Logout redirect URIs| com.oktapreview.yoursubdomain://callback_url|
 | Allowed grant types | Authorization Code |
 
   1. Click **Finish** to redirect back to the *General Settings* of your application.
@@ -27,6 +28,7 @@ You can create an Okta developer account at [https://developer.okta.com/](https:
 {
 "client_id": "{{YourClientID}}",
 "redirect_uri": "com.oktapreview.{{yourOrg}}:/oauth",
+"end_session_uri": "com.oktapreview.{{yourOrg}}:/{logoutCallback}",
 "authorization_scope": "openid email profile",
 "discovery_uri": "https://{{yourOrg}}.okta.com/.well-known/openid-configuration"
 }

app/README.md

@@ -16,6 +16,15 @@ The configuration file MUST contain a JSON object. The following properties can
     The value specified here should match the value specified for `appAuthRedirectScheme` in the
     `build.gradle` (Module: app), so that the demo app can capture the response.
 
+  - `end_sesion_uri` (required): The redirect URI to use for receiving the end session response.
+    This should be a custom scheme URI (com.example.app:/oauth2redirect/example-provider). 
+    Consult the documentation for your authorization server. 
+
+    The value specified here should match the value specified for `appAuthRedirectScheme` in the
+    `build.gradle` (Module: app), so that the demo app can capture the response.
+    
+    NOTE: Scheme of the URI should be the same as `redirect_uri` but callback should be different.
+
   - `authorization_scope` (required): The scope string to use for the authorization request.
     For the purposes of the demo, we recommend the value "openid profile email", though any value
     understood by your authorization server can be used.

app/java/net/openid/appauthdemo/Configuration.java

@@ -61,9 +61,11 @@ public final class Configuration {
     private String mClientId;
     private String mScope;
     private Uri mRedirectUri;
+    private Uri mEndSessionUri;
     private Uri mDiscoveryUri;
     private Uri mAuthEndpointUri;
     private Uri mTokenEndpointUri;
+    private Uri mEndSessionEndpoint;
     private Uri mRegistrationEndpointUri;
     private Uri mUserInfoEndpointUri;
     private boolean mHttpsRequired;
@@ -141,6 +143,11 @@ public Uri getDiscoveryUri() {
         return mDiscoveryUri;
     }
 
+    @Nullable
+    public Uri getEndSessionUri() {
+        return mEndSessionUri;
+    }
+
     @Nullable
     public Uri getAuthEndpointUri() {
         return mAuthEndpointUri;
@@ -151,6 +158,11 @@ public Uri getTokenEndpointUri() {
         return mTokenEndpointUri;
     }
 
+    @Nullable
+    public Uri getEndSessionEndpoint() {
+        return mEndSessionEndpoint;
+    }
+
     @Nullable
     public Uri getRegistrationEndpointUri() {
         return mRegistrationEndpointUri;
@@ -195,6 +207,7 @@ private void readConfiguration() throws InvalidConfigurationException {
         mClientId = getConfigString("client_id");
         mScope = getRequiredConfigString("authorization_scope");
         mRedirectUri = getRequiredConfigUri("redirect_uri");
+        mEndSessionUri = getRequiredConfigUri("end_session_uri");
 
         if (!isRedirectUriRegistered()) {
             throw new InvalidConfigurationException(
@@ -209,6 +222,7 @@ private void readConfiguration() throws InvalidConfigurationException {
 
             mTokenEndpointUri = getRequiredConfigWebUri("token_endpoint_uri");
             mUserInfoEndpointUri = getRequiredConfigWebUri("user_info_endpoint_uri");
+            mEndSessionEndpoint = getRequiredConfigUri("end_session_endpoint");
 
             if (mClientId == null) {
                 mRegistrationEndpointUri = getRequiredConfigWebUri("registration_endpoint_uri");

app/java/net/openid/appauthdemo/LoginActivity.java

@@ -216,6 +216,7 @@ private void initializeAppAuth() {
             AuthorizationServiceConfiguration config = new AuthorizationServiceConfiguration(
                     mConfiguration.getAuthEndpointUri(),
                     mConfiguration.getTokenEndpointUri(),
+                    mConfiguration.getEndSessionEndpoint(),
                     mConfiguration.getRegistrationEndpointUri());
 
             mAuthStateManager.replace(new AuthState(config));

app/java/net/openid/appauthdemo/TokenActivity.java

@@ -14,6 +14,7 @@
 
 package net.openid.appauthdemo;
 
+import android.app.Activity;
 import android.content.Intent;
 import android.net.Uri;
 import android.os.Bundle;
@@ -36,6 +37,7 @@
 import net.openid.appauth.AuthorizationService;
 import net.openid.appauth.AuthorizationServiceDiscovery;
 import net.openid.appauth.ClientAuthentication;
+import net.openid.appauth.EndSessionRequest;
 import net.openid.appauth.TokenRequest;
 import net.openid.appauth.TokenResponse;
 import okio.Okio;
@@ -65,6 +67,8 @@ public class TokenActivity extends AppCompatActivity {
 
     private static final String KEY_USER_INFO = "userInfo";
 
+    private static final int END_SESSION_REQUEST_CODE = 911;
+
     private AuthorizationService mAuthService;
     private AuthStateManager mStateManager;
     private final AtomicReference<JSONObject> mUserInfoJson = new AtomicReference<>();
@@ -186,7 +190,7 @@ private void displayAuthorized() {
 
         AuthState state = mStateManager.getCurrent();
 
-        TextView refreshTokenInfoView = (TextView) findViewById(R.id.refresh_token_info);
+        TextView refreshTokenInfoView = findViewById(R.id.refresh_token_info);
         refreshTokenInfoView.setText((state.getRefreshToken() == null)
                 ? R.string.no_refresh_token_returned
                 : R.string.refresh_token_returned);
@@ -230,7 +234,7 @@ private void displayAuthorized() {
             viewProfileButton.setOnClickListener((View view) -> fetchUserInfo());
         }
 
-        ((Button)findViewById(R.id.sign_out)).setOnClickListener((View view) -> signOut());
+        findViewById(R.id.sign_out).setOnClickListener((View view) -> endSession());
 
         View userInfoCard = findViewById(R.id.userinfo_card);
         JSONObject userInfo = mUserInfoJson.get();
@@ -380,6 +384,24 @@ private void fetchUserInfo(String accessToken, String idToken, AuthorizationExce
         });
     }
 
+    @Override
+    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
+        super.onActivityResult(requestCode, resultCode, data);
+        if (requestCode == END_SESSION_REQUEST_CODE && resultCode == Activity.RESULT_OK) {
+            signOut();
+            finish();
+        } else {
+            displayEndSessionCancelled();
+        }
+    }
+
+    private void displayEndSessionCancelled() {
+        Snackbar.make(findViewById(R.id.coordinator),
+            "Sign out canceled",
+            Snackbar.LENGTH_SHORT)
+                .show();
+    }
+
     @MainThread
     private void showSnackbar(String message) {
         Snackbar.make(findViewById(R.id.coordinator),
@@ -388,6 +410,16 @@ private void showSnackbar(String message) {
                 .show();
     }
 
+    @MainThread
+    private void endSession() {
+        Intent endSessionEnten = mAuthService.getEndSessionRequestIntent(
+                new EndSessionRequest.Builder(
+                mStateManager.getCurrent().getAuthorizationServiceConfiguration(),
+                mStateManager.getCurrent().getIdToken(),
+                mConfiguration.getEndSessionUri()).build());
+        startActivityForResult(endSessionEnten, END_SESSION_REQUEST_CODE);
+    }
+
     @MainThread
     private void signOut() {
         // discard the authorization and token state, but retain the configuration and

app/res/raw/auth_config.json

@@ -1,6 +1,7 @@
 {
   "client_id": "",
   "redirect_uri": "net.openid.appauthdemo:/oauth2redirect",
+  "end_session_uri":"",
   "authorization_scope": "openid email profile",
   "discovery_uri": "",
   "authorization_endpoint_uri": "",