There are at least two variants of this issue, but I think they're closely related enough to report as one issue.
Issue 1: Logging into a second app with login.gov leads to an incorrect CSP in the first app's OIDC logout
Steps to reproduce the issue
1. Go to USAJOBS and click "Sign in" (it uses login.gov).
2. Complete the login flow with your login.gov account.
3. Go to SBA Connect and click the "Sign in with login.gov" button.
4. Accept the terms.
5. Continue with the same login.gov account and complete the login flow.
6. Go to USAJOBS and click "Sign out", which leads to the OIDC logout confirmation page.
7. Click "Yes, sign out of Login.gov".
Expected behavior
Clicking "Yes, sign out of Login.gov" should redirect back to USAJOBS.
The CSP in the GET response from https://secure.login.gov... should include form-action 'self' https://login.usajobs.gov https://agencyportal.usajobs.gov;
Actual behavior
The "Yes..." button does not redirect.
The CSP has form-action 'self' https://connect.sba.gov;, but that's the wrong app's URL.
Additional notes
I tested with Windows 10, Chrome 117.0.5938.149 (Official Build) (64-bit), at 11 am PT on 10/5/23.
This issue affects other apps as well, such as the login.gov Partner Dashboard.
This is a security issue for apps that don't log out until they are redirected back from OIDC logout. USAJOBS logs out before initiating OIDC logout, so in that case it's only a UX problem, but SBA Connect waits to log out until being redirected back, which means the flow is broken before the user gets logged out from the app.
We think it's worth recommending that apps log out first before initiating OIDC logout. This is what the dashboard does, but the example Sinatra/Ruby app doesn't log out until after the redirect back.
Issue 2: Choosing "No" in the OIDC logout confirmation page can lead to an incorrect CSP in the next logout request
Steps to reproduce the issue
1. Go to SBA Connect and click the "Sign in with login.gov" button.
2. Accept the terms.
3. Complete the login flow, which leads back to the SBA Connect homepage.
4. Click "Sign Out".
5. On the OIDC logout confirmation page, click "No, go to my account page".
6. Go to SBA Connect (where you are still signed in) and click Sign Out, which will lead again to the OIDC logout confirmation page.
7. Click "Yes, sign out of Login.gov".
Expected behavior
Clicking "Yes, sign out of Login.gov" should redirect back to SBA Connect.
The CSP in the GET response from https://secure.login.gov... should include form-action 'self' https://connect.sba.gov;.
Actual behavior
The "Yes..." button does not redirect.
The CSP has form-action 'self';.
Additional notes
Like Issue 1, this is a security issue for apps that don't log out until the redirect back from login.gov. This second issue does not affect apps that log out before initiating OIDC logout, such as USAJOBS and the Partner Dashboard. This further supports the recommendation for apps to log out first.
Another way to reach this same state (call it Issue 2b) is to sign into SBA Connect, go to https://secure.login.gov/account, sign out, sign in, then go to SBA Connect where you're still signed in, and try to sign out. The CSP will again have form-action 'self';.
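The following is an added example, not code from the issue or from the login.gov project, that shows why the reported form-action values stop the "Yes, sign out" button from reaching the relying party. It parses a Content-Security-Policy header, evaluates the form-action source list against the button's POST target and the redirect that follows it (Chrome checks form-action against redirects that follow a form submission, which is why the button appears to do nothing), and runs the three form-action values quoted in the report. The logout page path and the relying-party redirect paths are assumptions; path matching inside host-sources is skipped because none of the reported sources carry a path.

```ruby
require 'uri'

# Parse a Content-Security-Policy header value into { directive => [sources] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |chunk, acc|
    tokens = chunk.strip.split(/\s+/)
    next if tokens.empty? || tokens.first.empty?
    acc[tokens.first.downcase] = tokens.drop(1)
  end
end

# CSP host-source: [scheme://]host[:port][/path]. Path matching is not implemented.
HOST_SOURCE = %r{\A(?:(?<scheme>[a-z][a-z0-9+.-]*)://)?(?<host>\*|(?:\*\.)?[^/:*]+)(?::(?<port>\d+|\*))?(?<path>/.*)?\z}i

def same_origin?(a, b)
  a.scheme == b.scheme && a.host.casecmp?(b.host) && a.port == b.port
end

# Does one CSP source expression allow +target+ (a URI) from a page at +page+ (a URI)?
def source_matches?(source, target, page)
  case source
  when "'none'" then return false
  when "'self'" then return same_origin?(target, page)
  end
  # scheme-source such as "https:"
  return target.scheme.casecmp?(source.chomp(':')) if source.match?(/\A[a-z][a-z0-9+.-]*:\z/i)
  m = HOST_SOURCE.match(source)
  return false unless m
  scheme_ok = m[:scheme].nil? ? target.scheme == page.scheme : target.scheme.casecmp?(m[:scheme])
  host_ok = if m[:host] == '*' then true
            elsif m[:host].start_with?('*.') then target.host.downcase.end_with?(m[:host][1..].downcase)
            else target.host.casecmp?(m[:host])
            end
  port_ok = if m[:port].nil? then target.port == target.default_port
            elsif m[:port] == '*' then true
            else target.port == m[:port].to_i
            end
  scheme_ok && host_ok && port_ok
end

# Simulate the logout button: a POST to +form_action+ answered by a redirect to
# +redirect_to+. Chrome enforces form-action on redirects that follow a form
# submission, so both URLs must be allowed or the navigation stops at login.gov.
def form_submission_allowed?(csp_header, page_url, form_action, redirect_to)
  sources = parse_csp(csp_header)['form-action']
  return true if sources.nil? # no form-action directive: submissions are unrestricted
  page = URI.parse(page_url)
  [form_action, redirect_to].all? do |url|
    target = URI.parse(url)
    sources.any? { |src| source_matches?(src, target, page) }
  end
end

# Constructed inputs modelled on the report. The logout page path and the RP
# redirect paths are assumptions; the form-action values are the ones reported.
LOGOUT_PAGE     = 'https://secure.login.gov/openid_connect/logout'
ISSUE1_EXPECTED = "form-action 'self' https://login.usajobs.gov https://agencyportal.usajobs.gov;"
ISSUE1_ACTUAL   = "form-action 'self' https://connect.sba.gov;"
ISSUE2_ACTUAL   = "form-action 'self';"

if __FILE__ == $PROGRAM_NAME
  [[ISSUE1_EXPECTED, 'https://login.usajobs.gov/'],
   [ISSUE1_ACTUAL,   'https://login.usajobs.gov/'],
   [ISSUE2_ACTUAL,   'https://connect.sba.gov/']].each do |csp, rp_url|
    ok = form_submission_allowed?(csp, LOGOUT_PAGE, LOGOUT_PAGE, rp_url)
    puts "#{csp} -> redirect to #{rp_url}: #{ok ? 'allowed' : 'BLOCKED'}"
  end
end
```

The same check, run against the CSP of a logout page in a browser's devtools, is a quick way for a relying party to tell whether its post-logout redirect will be blocked before shipping an integration.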
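The recommendation above (clear the app's own session before redirecting to OIDC logout), as an added example that is not the example Sinatra app's code nor anything from the login.gov project: a toy relying party with an in-memory session implements both orderings, and a small driver simulates a logout where the redirect back from login.gov never arrives, which is what a wrong form-action produces. The end-session endpoint path, the relying-party callback URL, the user name and the token string are constructed; the request parameters use the OIDC RP-Initiated Logout names (id_token_hint, post_logout_redirect_uri, state), which is an assumption about the integration.

```ruby
require 'securerandom'
require 'uri'

# Toy relying party with an in-memory session hash; a real app keeps this in a cookie or store.
class RelyingParty
  END_SESSION_ENDPOINT = 'https://secure.login.gov/openid_connect/logout' # assumed path
  POST_LOGOUT_REDIRECT_URI = 'https://rp.example/logout/callback'         # hypothetical RP

  attr_reader :session

  def initialize
    @session = {}
  end

  def sign_in(id_token)
    @session = { id_token: id_token, user: 'alice' } # constructed user
  end

  def signed_in?
    @session.key?(:id_token)
  end

  # Pattern A (the report's recommendation, as USAJOBS and the Partner Dashboard do):
  # drop the local session before sending the browser to login.gov. Only the logout
  # state survives so the callback can still be verified.
  def begin_logout_local_first
    id_token = @session[:id_token]
    state = SecureRandom.hex(16)
    @session = { logout_state: state }
    end_session_url(id_token, state)
  end

  # Pattern B (the example Sinatra app, per the report): keep the session until the
  # OP redirects back. If that redirect never happens, the user stays signed in.
  def begin_logout_on_callback
    state = SecureRandom.hex(16)
    @session[:logout_state] = state
    end_session_url(@session[:id_token], state)
  end

  # Handles the redirect back to post_logout_redirect_uri; state binds it to our request.
  def logout_callback(params)
    raise 'logout state mismatch' unless params['state'] == @session[:logout_state]
    @session = {}
  end

  private

  # RP-initiated logout request using OIDC RP-Initiated Logout 1.0 parameter names.
  def end_session_url(id_token, state)
    query = URI.encode_www_form(
      id_token_hint: id_token,
      post_logout_redirect_uri: POST_LOGOUT_REDIRECT_URI,
      state: state
    )
    "#{END_SESSION_ENDPOINT}?#{query}"
  end
end

# Run one logout under +pattern+ (:local_first or :on_callback), optionally with the
# OP's redirect never arriving. Returns whether the user is still signed in afterwards.
def still_signed_in_after_logout?(pattern, redirect_arrives:)
  rp = RelyingParty.new
  rp.sign_in('constructed.id.token')
  url = pattern == :local_first ? rp.begin_logout_local_first : rp.begin_logout_on_callback
  state = URI.decode_www_form(URI.parse(url).query).to_h['state']
  rp.logout_callback('state' => state) if redirect_arrives
  rp.signed_in?
end

if __FILE__ == $PROGRAM_NAME
  %i[local_first on_callback].each do |pattern|
    [true, false].each do |arrives|
      stuck = still_signed_in_after_logout?(pattern, redirect_arrives: arrives)
      puts "#{pattern}, redirect #{arrives ? 'arrives' : 'blocked'}: still signed in = #{stuck}"
    end
  end
end
```

With the redirect blocked, pattern B leaves the relying-party session alive, which is exactly the condition the report calls a security issue; pattern A is unaffected because the only thing the blocked redirect can lose is the cleanup of the leftover logout state.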