Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix logout token iss when issuer is missing #1486

Merged
merged 4 commits into from
Dec 14, 2023
Merged

Fix logout token iss when issuer is missing #1486

merged 4 commits into from
Dec 14, 2023

Conversation

josephdecock
Copy link
Member

Fixes #1481

@josephdecock
Add failing test
2da61b1 
Demonstrates that the back channel logout service will create tokens
with a bad issuer if it is missing from the logout request
@josephdecock
Fix xmldoc typo, add a todo
c7dd81b
@josephdecock
Fix logout token iss claim when issuer is missing
2f575dc
@josephdecock josephdecock added this to the 6.3.7 milestone Dec 13, 2023
@josephdecock josephdecock changed the title Joe/6.3.x/logout token issuer Fix logout token iss when issuer is missing Dec 13, 2023
josephdecock
josephdecock commented Dec 13, 2023
View reviewed changes
src/IdentityServer/IdentityServerTools.cs Outdated
/// <param name="claims">The claims.</param>
/// <returns></returns>
/// <exception cref="System.ArgumentNullException">claims</exception>
public virtual Task<string> IssueJwtAsync(int lifetime, string issuer, IEnumerable<Claim> claims)
public virtual async Task<string> IssueJwtAsync(int lifetime, string tokenType, IEnumerable<Claim> claims)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh wait, this is a breaking change. Need to fix the caller instead I think.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To fix the caller, we have to add a dependency on the IssuerNameService from the DefaultBackChannelLogoutService, which technically is also a breaking change. Maybe we don't need this in a 6.3 patch release?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it's a bug and not working as expected, then I don't think it's a problem to make a breaking change.

Copy link
Member Author

@josephdecock josephdecock Dec 14, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, then I'll keep this for the 6.3 branch, but still rework the fix slightly so that we're not changing semantics of the method in IdentityServerTools. This way the "breaking" change only affects the bug, and won't surprise people (the other change would probably have compiled without an error vs being a new ctor parameter that the compiler will make you fix in an obvious way)

@josephdecock josephdecock marked this pull request as draft December 13, 2023 20:28
@josephdecock josephdecock linked an issue Dec 13, 2023 that may be closed by this pull request
Back channel logout token might incorrectly contain logout_token as iss #1481
Closed
@josephdecock
Rework fix for logout token issuer bug
ea5617b 
Moved the fix from IdentityServerTools into the back channel logout
service to avoid breaking changes in IdentityServerTools. While
technically this is a breaking change in the back channel service too,
this makes the impact much smaller, and more likely to be caught by the
compiler. The previous implementation changed the semantics of a string
parameter in a way that could have been surprising, vs this way adds a
new constructor parameter in a way that will be totally obvious and
caught by the compiler.
@josephdecock josephdecock marked this pull request as ready for review December 14, 2023 03:03
@brockallen brockallen added the bug Something isn't working label Dec 14, 2023
@brockallen brockallen merged commit a23764b into releases/6.3.x Dec 14, 2023
3 checks passed
@brockallen brockallen deleted the joe/6.3.x/logout-token-issuer branch December 14, 2023 18:40
@josephdecock
Copy link
Member Author

josephdecock commented Dec 14, 2023
edited
Loading

Note that we now rely on the issuer name service, which indirectly relies on http context, so it is possible that server side session expiry will fail, unless an issuer is explicitly configured.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brockallen brockallen brockallen approved these changes

@AndersAbel AndersAbel Awaiting requested review from AndersAbel

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
6.3.7
Development

Successfully merging this pull request may close these issues.

Back channel logout token might incorrectly contain logout_token as iss
2 participants
@josephdecock @brockallen