
Commit 6acd8ae

refactor: remove unknown domain check in backchannel logout for MCD mode
1 parent fca3612 commit 6acd8ae

2 files changed

Lines changed: 0 additions & 36 deletions


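--- a/src/auth0_server_python/auth_server/server_client.py
+++ b/src/auth0_server_python/auth_server/server_client.py
@@ -823,11 +823,6 @@ async def handle_backchannel_logout(
                 raise BackchannelLogoutError(
                     "Cannot determine domain: logout token has no valid issuer"
                 )
-            if domain not in self._discovery_cache:
-                raise BackchannelLogoutError(
-                    f"Unknown domain in logout token issuer: {domain}. "
-                    f"Only domains from active sessions are accepted."
-                )
         except BackchannelLogoutError:
             raise
         except Exception as e: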

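--- a/src/auth0_server_python/tests/test_server_client.py
+++ b/src/auth0_server_python/tests/test_server_client.py
@@ -1523,37 +1523,6 @@ async def domain_resolver(context):
     )
 
 
-@pytest.mark.asyncio
-async def test_backchannel_logout_mcd_unknown_domain_rejected(mocker):
-    """Test that backchannel logout rejects unknown domains in MCD mode (SSRF protection)."""
-    async def domain_resolver(context):
-        return "tenant1.auth0.com"
-
-    client = ServerClient(
-        domain=domain_resolver,
-        client_id="test_client",
-        client_secret="test_secret",
-        state_store=AsyncMock(),
-        secret="test_secret_key_32_chars_long!!",
-    )
-
-    # Discovery cache is empty — no prior logins
-    assert len(client._discovery_cache) == 0
-
-    # Mock unverified decode — attacker's token has evil issuer
-    mocker.patch("jwt.decode", return_value={
-        "iss": "https://evil.internal.server/",
-        "events": {"http://schemas.openid.net/event/backchannel-logout": {}},
-        "sub": "user123",
-        "sid": "session123"
-    })
-
-    with pytest.raises(BackchannelLogoutError) as exc:
-        await client.handle_backchannel_logout("crafted_logout_token")
-    assert "Unknown domain" in str(exc.value)
-    assert "evil.internal.server" in str(exc.value)
-
-
 # Test For AuthLib Helpers
 
 @pytest.mark.asyncio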
