
Incorrect CSP prevents redirect from OIDC logout confirmation page #9326

Closed
tvharris opened this issue Oct 5, 2023 · 2 comments

Comments

@tvharris

tvharris commented Oct 5, 2023

There are at least two variants of this issue, but I think they're closely related enough to report as one issue.

Issue 1: Logging into a second app with login.gov leads to an incorrect CSP in the first app's OIDC logout

Steps to reproduce the issue

  1. Go to USAJOBS and click "Sign in" (it uses login.gov).
  2. Complete the login flow with your login.gov account.
  3. Go to SBA Connect and click the "Sign in with login.gov" button.
  4. Accept the terms.
  5. Continue with the same login.gov account and complete the login flow.
  6. Go to USAJOBS and click "Sign out", which leads to the OIDC logout confirmation page.
  7. Click "Yes, sign out of Login.gov".

Expected behavior

  • Clicking "Yes, sign out of Login.gov" should redirect back to USAJOBS.
  • The CSP in the GET response from https://secure.login.gov... should include form-action 'self' https://login.usajobs.gov https://agencyportal.usajobs.gov;

Actual behavior

  • The "Yes..." button does not redirect.
  • The CSP has form-action 'self' https://connect.sba.gov;, but that's the wrong app's URL.

Additional notes

I tested with Windows 10, Chrome 117.0.5938.149 (Official Build) (64-bit), at 11 am PT on 10/5/23.

This issue affects other apps as well, such as the login.gov Partner Dashboard.

This is a security issue for apps that don't log out until they are redirected back from OIDC logout. USAJOBS logs out before initiating OIDC logout, so in that case it's only a UX problem, but SBA Connect waits to log out until being redirected back, which means the flow is broken before the user gets logged out from the app.

We think it's worth recommending that apps log out first before initiating OIDC logout. This is what the dashboard does, but the example Sinatra/Ruby app doesn't log out until after the redirect back.

Issue 2: Choosing "No" in the OIDC logout confirmation page can lead to an incorrect CSP in the next logout request

Steps to reproduce the issue

  1. Go to SBA Connect and click the "Sign in with login.gov" button.
  2. Accept the terms.
  3. Complete the login flow, which leads back to the SBA Connect homepage.
  4. Click "Sign Out".
  5. On the OIDC logout confirmation page, click "No, go to my account page".
  6. Go to SBA Connect (where you are still signed in) and click Sign Out, which will lead again to the OIDC logout confirmation page.
  7. Click "Yes, sign out of Login.gov".

Expected behavior

  • Clicking "Yes, sign out of Login.gov" should redirect back to SBA Connect.
  • The CSP in the GET response from https://secure.login.gov... should include form-action 'self' https://connect.sba.gov;.

Actual behavior

  • The "Yes..." button does not redirect.
  • The CSP has form-action 'self';.

Additional notes

Like Issue 1, this is a security issue for apps that don't log out until the redirect back from login.gov. This second issue does not affect apps that log out before initiating OIDC logout, such as USAJOBS and the Partner Dashboard. This further supports the recommendation for apps to log out first.

Another way to reach this same state (call it Issue 2b) is to sign into SBA Connect, go to https://secure.login.gov/account, sign out, sign in, then go to SBA Connect where you're still signed in, and try to sign out. The CSP will again have form-action 'self';.
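The pattern the report describes, as an added illustration that is not login.gov's code: the `form-action` allow-list on the logout confirmation page has to be derived from the service provider named in the logout request, not from whatever the session last authenticated with, plus a small defender-side check that a response's CSP actually permits the intended post-logout redirect. The SP identifiers and registry below are constructed placeholders, not the real login.gov configuration.

```ruby
require 'uri'

# Constructed sample service-provider registry (placeholder identifiers and allowed origins).
SP_REGISTRY = {
  'sp:usajobs' => ['https://login.usajobs.gov', 'https://agencyportal.usajobs.gov'],
  'sp:sba'     => ['https://connect.sba.gov'],
}.freeze

def build_form_action(origins)
  # Empty origins yields "form-action 'self';", which is the Issue 2 symptom.
  (['form-action', "'self'"] + origins).join(' ') + ';'
end

# Behaviour as described in the issue: the allow-list follows session state, so after logging
# into a second SP (Issue 1) or after a "No" on the confirmation page (Issue 2) it names the
# wrong SP, or none at all.
def form_action_from_session(session)
  build_form_action(SP_REGISTRY.fetch(session[:current_sp], []))
end

# Corrected behaviour: resolve the allow-list from the client that issued the logout request.
def form_action_from_logout_request(client_id)
  origins = SP_REGISTRY.fetch(client_id) { raise ArgumentError, "unknown client_id #{client_id}" }
  build_form_action(origins)
end

# Check whether the CSP's form-action directive permits a form submission (the "Yes, sign out"
# button) to redirect to +target+. 'self' is resolved against +self_origin+. Only full-origin
# sources and 'self' are handled; wildcard and scheme-only sources are out of scope here.
def form_action_allows?(csp, target, self_origin)
  directive = csp.split(';').map(&:strip).find { |d| d.start_with?('form-action') }
  return false if directive.nil?
  sources = directive.split(/\s+/).drop(1).map { |s| s == "'self'" ? self_origin : s }
  t = URI.parse(target)
  sources.any? do |s|
    o = URI.parse(s)
    o.scheme == t.scheme && o.host == t.host && o.port == t.port
  end
end
```

Running the checker over the `GET` response for the confirmation page, with the SP's registered redirect URI as `target`, turns the symptom in this report into a one-line assertion in an integration test.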

@mitchellhenke
Contributor

mitchellhenke commented Oct 5, 2023

Thanks for the excellent and detailed bug report!

I think I see where the issue is and plan to have a fix deployed next week.

@mitchellhenke
Contributor

mitchellhenke commented Oct 11, 2023

Thank you again for reporting this.

The bug should be fixed in #9328, and it was deployed to production in RC 322 yesterday.
