Added: Implementation of POST login and logout (#345)

* Added: Implementation of POST login and logout * Fixed: Line length based on rule E501 * Improve formatting of django template integration docs. Co-authored-by: simon-spier0 <>
snok · Sep 30, 2024 · 5ea3c87 · 5ea3c87
1 parent 378f141
commit 5ea3c87
Show file tree

Hide file tree

Showing 4 changed files with 101 additions and 15 deletions.
diff --git a/README.rst b/README.rst
@@ -98,13 +98,36 @@ This will add these paths to Django:
 * ``/oauth2/callback`` where ADFS redirects back to after login. So make sure you set the redirect URI on ADFS to this.
 * ``/oauth2/logout`` which logs out the user from both Django and ADFS.
 
-You can use them like this in your django templates:
-
-.. code-block:: html
-
-    <a href="{% url 'django_auth_adfs:logout' %}">Logout</a>
-    <a href="{% url 'django_auth_adfs:login' %}">Login</a>
-    <a href="{% url 'django_auth_adfs:login-no-sso' %}">Login (no SSO)</a>
+Below is sample Django template code to use these paths depending if
+you'd like to use GET or POST requests. Logging out was deprecated in
+`Django 4.1 <https://docs.djangoproject.com/en/5.1/releases/4.1/#features-deprecated-in-4-1>`_.
+
+- Using GET requests:
+
+    .. code-block:: html
+
+        <a href="{% url 'django_auth_adfs:logout' %}">Logout</a>
+        <a href="{% url 'django_auth_adfs:login' %}">Login</a>
+        <a href="{% url 'django_auth_adfs:login-no-sso' %}">Login (no SSO)</a>
+
+- Using POST requests:
+
+    .. code-block:: html+django
+
+        <form method="post" action="{% url 'django_auth_adfs:logout' %}">
+            {% csrf_token %}
+            <button type="submit">Logout</button>
+        </form>
+        <form method="post" action="{% url 'django_auth_adfs:login' %}">
+            {% csrf_token %}
+            <input type="hidden" name="next" value="{{ next }}">
+            <button type="submit">Login</button>
+        </form>
+        <form method="post" action="{% url 'django_auth_adfs:login-no-sso' %}">
+            {% csrf_token %}
+            <input type="hidden" name="next" value="{{ next }}">
+            <button type="submit">Login (no SSO)</button>
+        </form>
 
 Contributing
 ------------

diff --git a/django_auth_adfs/config.py b/django_auth_adfs/config.py
@@ -337,7 +337,10 @@ def build_authorization_endpoint(self, request, disable_sso=None, force_mfa=Fals
 
         """
         self.load_config()
-        redirect_to = request.GET.get(REDIRECT_FIELD_NAME, None)
+        if request.method == 'POST':
+            redirect_to = request.POST.get(REDIRECT_FIELD_NAME, None)
+        else:
+            redirect_to = request.GET.get(REDIRECT_FIELD_NAME, None)
         if not redirect_to:
             redirect_to = django_settings.LOGIN_REDIRECT_URL
         redirect_to = base64.urlsafe_b64encode(redirect_to.encode()).decode()

diff --git a/django_auth_adfs/views.py b/django_auth_adfs/views.py
@@ -84,6 +84,15 @@ def get(self, request):
         """
         return redirect(provider_config.build_authorization_endpoint(request))
 
+    def post(self, request):
+        """
+        Initiates the OAuth2 flow and redirect the user agent to ADFS
+
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        return redirect(provider_config.build_authorization_endpoint(request))
+
 
 class OAuth2LoginNoSSOView(View):
     def get(self, request):
@@ -95,6 +104,15 @@ def get(self, request):
         """
         return redirect(provider_config.build_authorization_endpoint(request, disable_sso=True))
 
+    def post(self, request):
+        """
+        Initiates the OAuth2 flow and redirect the user agent to ADFS
+
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        return redirect(provider_config.build_authorization_endpoint(request, disable_sso=True))
+
 
 class OAuth2LoginForceMFA(View):
     def get(self, request):
@@ -106,6 +124,15 @@ def get(self, request):
         """
         return redirect(provider_config.build_authorization_endpoint(request, force_mfa=True))
 
+    def post(self, request):
+        """
+        Initiates the OAuth2 flow and redirect the user agent to ADFS
+
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        return redirect(provider_config.build_authorization_endpoint(request, force_mfa=True))
+
 
 class OAuth2LogoutView(View):
     def get(self, request):
@@ -117,3 +144,13 @@ def get(self, request):
         """
         logout(request)
         return redirect(provider_config.build_end_session_endpoint())
+
+    def post(self, request):
+        """
+        Logs out the user from both Django and ADFS
+
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        logout(request)
+        return redirect(provider_config.build_end_session_endpoint())
diff --git a/docs/install.rst b/docs/install.rst
@@ -102,10 +102,33 @@ This will add these paths to Django:
 * ``/oauth2/callback`` where ADFS redirects back to after login. So make sure you set the redirect URI on ADFS to this.
 * ``/oauth2/logout`` which logs out the user from both Django and ADFS.
 
-You can use them like this in your django templates:
-
-.. code-block:: html
-
-    <a href="{% url 'django_auth_adfs:logout' %}">Logout</a>
-    <a href="{% url 'django_auth_adfs:login' %}">Login</a>
-    <a href="{% url 'django_auth_adfs:login-no-sso' %}">Login (no SSO)</a>
+Below is sample Django template code to use these paths depending if
+you'd like to use GET or POST requests. Logging out was deprecated in
+`Django 4.1 <https://docs.djangoproject.com/en/5.1/releases/4.1/#features-deprecated-in-4-1>`_.
+
+- Using GET requests:
+
+    .. code-block:: html
+
+        <a href="{% url 'django_auth_adfs:logout' %}">Logout</a>
+        <a href="{% url 'django_auth_adfs:login' %}">Login</a>
+        <a href="{% url 'django_auth_adfs:login-no-sso' %}">Login (no SSO)</a>
+
+- Using POST requests:
+
+    .. code-block:: html+django
+
+        <form method="post" action="{% url 'django_auth_adfs:logout' %}">
+            {% csrf_token %}
+            <button type="submit">Logout</button>
+        </form>
+        <form method="post" action="{% url 'django_auth_adfs:login' %}">
+            {% csrf_token %}
+            <input type="hidden" name="next" value="{{ next }}">
+            <button type="submit">Login</button>
+        </form>
+        <form method="post" action="{% url 'django_auth_adfs:login-no-sso' %}">
+            {% csrf_token %}
+            <input type="hidden" name="next" value="{{ next }}">
+            <button type="submit">Login (no SSO)</button>
+        </form>