Handle post logout callback from One Login

stephencdaly · stephencdaly · commit e9acc65e96b8 · 2026-04-29T15:20:55.000+01:00
When One Login redirects the user back to us after logging out,
retrieve the form path parameters from the session to redirect to the
submitted page.

If the user's session cookie has been lost and we're unable to
determine the form path parameters, let an exception bubble up and
show an internal error page for now. We'll probably update this to
show something more user friendly in a future commit.
diff --git a/app/controllers/users/omniauth_controller.rb b/app/controllers/users/omniauth_controller.rb
@@ -4,35 +4,39 @@ class OmniAuthLoggedInDataMissingError < StandardError; end
 
     class OmniAuthFailure < StandardError; end
 
-    rescue_from Store::ReturnFromOneLoginStore::MissingReturnParamsError do
-      Rails.logger.warn("Missing return params in session for One Login callback")
-      redirect_to error_404_path
-    end
-
     def callback
       auth_hash = request.env["omniauth.auth"]
       raise OmniAuthLoggedInDataMissingError, "Auth hash is missing on request" if auth_hash.blank?
 
       email = auth_hash.dig("info", "email")
       raise OmniAuthLoggedInDataMissingError, "Email is missing in OmniAuth auth hash" if email.blank?
 
-      token = auth_hash.dig("credentials", "token")
+      token = auth_hash.dig("credentials", "id_token")
       raise OmniAuthLoggedInDataMissingError, "Token is missing in OmniAuth auth hash" if token.blank?
 
       auth_store.store_token(token)
 
-      return_from_one_login_store = Store::ReturnFromOneLoginStore.new(session)
       form_id = return_from_one_login_store.form_id
       path_params = return_from_one_login_store.get_path_params
 
       Store::ConfirmationDetailsStore.new(session, form_id).save_copy_of_answers_email_address(email)
 
       redirect_to check_your_answers_path(**path_params)
+    rescue Store::ReturnFromOneLoginStore::MissingReturnParamsError
+      Rails.logger.warn("Missing return params in session for One Login callback")
+      redirect_to error_404_path
     end
 
     def failure
       error = request.env["omniauth.error"]
       raise OmniAuthFailure, error
     end
+
+    def logged_out
+      auth_store.clear
+
+      path_params = return_from_one_login_store.get_path_params
+      redirect_to form_submitted_path(**path_params)
+    end
   end
 end
diff --git a/app/lib/store/auth_store.rb b/app/lib/store/auth_store.rb
@@ -17,6 +17,10 @@ def get_token
       @store.dig(AUTH_KEY, TOKEN_KEY)
     end
 
+    def clear
+      @store.delete(AUTH_KEY)
+    end
+
     def logged_in?
       get_token.present?
     end
diff --git a/spec/requests/users/omniauth_controller_spec.rb b/spec/requests/users/omniauth_controller_spec.rb
@@ -1,24 +1,28 @@
 require "rails_helper"
 
 RSpec.describe Users::OmniauthController, type: :request do
+  let(:form_id) { 42 }
+  let(:form_slug) { "test-form" }
+  let(:mode) { "preview-draft" }
+  let(:locale) { "cy" }
+  let(:return_from_one_login_session) do
+    {
+      "last_form_id" => form_id,
+      "last_form_slug" => form_slug,
+      "last_mode" => mode,
+      "last_locale" => locale,
+    }
+  end
+
   describe "GET #callback" do
-    let(:form_id) { 42 }
-    let(:form_slug) { "test-form" }
-    let(:mode) { "preview-draft" }
-    let(:locale) { "cy" }
     let(:store) do
       {
-        "return_from_one_login" => {
-          "last_form_id" => form_id,
-          "last_form_slug" => form_slug,
-          "last_mode" => mode,
-          "last_locale" => locale,
-        },
+        "return_from_one_login" => return_from_one_login_session,
       }.with_indifferent_access
     end
 
     let(:email) { "test@example.com" }
-    let(:token) { Faker::Alphanumeric.alphanumeric }
+    let(:id_token) { Faker::Alphanumeric.alphanumeric }
     let(:auth_hash) do
       {
         provider: :govuk_one_login,
@@ -27,7 +31,7 @@
           email:,
         },
         credentials: {
-          token: token,
+          id_token:,
         },
       }.with_indifferent_access
     end
@@ -61,7 +65,7 @@
       end
 
       it "stores the token on the session" do
-        expect(store["auth"]["token"]).to eq token
+        expect(store["auth"]["token"]).to eq id_token
       end
     end
 
@@ -98,4 +102,46 @@
       expect { get omniauth_failure_path, env: { "omniauth.error" => error_message } }.to raise_error(Users::OmniauthController::OmniAuthFailure, error_message)
     end
   end
+
+  describe "GET #logged_out" do
+    let(:token) { Faker::Alphanumeric.alphanumeric }
+
+    before do
+      allow(Store::ReturnFromOneLoginStore).to receive(:new).and_wrap_original do |original_method, *_args|
+        original_method.call(store)
+      end
+      allow(Store::AuthStore).to receive(:new).and_wrap_original do |original_method, *_args|
+        original_method.call(store)
+      end
+    end
+
+    context "when the return from one login params are set on the session" do
+      let(:store) do
+        {
+          "return_from_one_login" => return_from_one_login_session,
+          "auth": { "token": token },
+        }.with_indifferent_access
+      end
+
+      before do
+        get omniauth_logged_out_path
+      end
+
+      it "clears the auth details on the session" do
+        expect(store).not_to have_key("auth")
+      end
+
+      it "redirects to the form submitted page" do
+        expect(response).to redirect_to(form_submitted_path(form_id:, form_slug:, mode:, locale:))
+      end
+    end
+
+    context "when the return from one login params are not set on the session" do
+      let(:store) { {} }
+
+      it "raises a Store::ReturnFromOneLoginStore::MissingReturnParamsError error" do
+        expect { get omniauth_logged_out_path }.to raise_error Store::ReturnFromOneLoginStore::MissingReturnParamsError
+      end
+    end
+  end
 end
