Log error on unexpected 'state' returned to 'post_logout_redirect_uri…

…'. (#33)

src/flask_pyoidc/flask_pyoidc.py

@@ -210,7 +210,8 @@ def oidc_logout(self, view_func):
         def wrapper(*args, **kwargs):
             if 'state' in flask.request.args:
                 # returning redirect from provider
-                assert flask.request.args['state'] == flask.session.pop('end_session_state')
+                if flask.request.args['state'] != flask.session.pop('end_session_state'):
+                    logger.error("Got unexpected state '%s' after logout redirect.", flask.request.args['state'])
                 return view_func(*args, **kwargs)
 
             redirect_to_provider = self._logout()

tests/test_flask_pyoidc.py

@@ -2,6 +2,7 @@
 
 import flask
 import json
+import logging
 import pytest
 import responses
 from datetime import datetime
@@ -272,6 +273,21 @@ def test_logout_handles_redirect_back_from_provider(self):
 
         self.assert_view_mock(logout_view_mock, result)
 
+    def test_logout_handles_redirect_back_from_provider_with_incorrect_state(self, caplog):
+        authn = self.get_authn_instance()
+        logout_view_mock = self.get_view_mock()
+        state = 'some_state'
+        with self.app.test_request_context('/logout?state={}'.format(state)):
+            flask.session['end_session_state'] = 'other_state'
+            result = authn.oidc_logout(logout_view_mock)()
+            assert 'end_session_state' not in flask.session
+
+        self.assert_view_mock(logout_view_mock, result)
+        assert caplog.record_tuples[-1] == ('flask_pyoidc.flask_pyoidc',
+                                            logging.ERROR,
+                                            "Got unexpected state '{}' after logout redirect.".format(state))
+
+
     def test_authentication_error_response_calls_to_error_view_if_set(self):
         state = 'test_tate'
         error_response = {'error': 'invalid_request', 'error_description': 'test error'}