If session_id is not passed in logout request, oxAuth responds as if session termination succeed, while it didn't #849

aliaksander-samuseu opened this Issue Jul 12, 2018 · 2 comments

Contributor

aliaksander-samuseu commented Jul 12, 2018

Environment:
CentOS 7.4, gluu-server--3.1.3-1-4.centos7

Preconditions:

  1. Some RP is configured which will use Gluu Server as OP for a regular OIDC authz code flow

  2. Some measures are in place which allow retrieving the session_id, session_state and id_token issued during the flow

Steps to reproduce:

  1. Complete the OIDC authz code flow, retrieving session_id, session_state and id_token issued during it

  2. With a tool allowing you to construct and send an HTTP request (curl, Postman etc.), send a logout request which contains only the session_state and id_token parameters and doesn't contain any session-related cookies.

Example of such request is below:

GET /oxauth/restv1/end_session?id_token_hint=eyJ0eXAiOiJK...ljK8og&session_state=1e3849fe-3a08-4ef0-829f-792620b5007a&session_id=76a40799-d741-42e4-bf45-43e28fa5b30a&post_logout_redirect_uri=https%3A%2F%2Fidp.host.loc%2Fidentity%2Fauthentication%2Ffinishlogout HTTP/1.1
Host: idp.host.loc
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en,en-US;q=0.8,fr;q=0.6
Content-Length: 2

  3. Kill the session at the RP (remove its cookies from the browser's storage), and start the OIDC flow again using the same browser as before

Result:

At step 2) the usual oxAuth post-logout page is displayed, making the user believe the session has been terminated. Yet at step 3) no authentication is needed at oxAuth, as the session apparently still exists.

In the oxAuth log the following messages are registered at step 2):

2018-07-12 13:43:33,824 DEBUG [qtp1744347043-15] [xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl] (EndSessionRestWebServiceImpl.java:92) - Attempting to end session, idTokenHint: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2lkcC51YWV4LmVkdSIsImF1ZCI6IkAhN0M5Ri5BNzI3LjI4NTYuOEFEQyEwMDAxITVFMDguMUNDMiEwMDA4ITkyQ0QuRTdENyIsImV4cCI6MTUzMTQyMDg5MSwiaWF0IjoxNTMxNDE3MjkxLCJhY3IiOiJwYXNzcG9ydF9zYW1sIiwiYW1yIjpbIjUwIl0sIm5vbmNlIjoiNDQ2YTlkNDMtOTFmZS00OThhLWE0ZmEtNWYwMTJmNGMwYzZiIiwiYXV0aF90aW1lIjoxNTMxNDE3MTM0LCJhdF9oYXNoIjoiajB6N3FRejhyd0xaOENHbk5pUVlMQSIsIm94T3BlbklEQ29ubmVjdFZlcnNpb24iOiJvcGVuaWRjb25uZWN0LTEuMCIsInN1YiI6IkAhN0M5Ri5BNzI3LjI4NTYuOEFEQyEwMDAxITVFMDguMUNDMiEwMDAwIUE4RjIuREUxRS5EN0ZCIn0.TK28TluVZkK8LwZbpO8gBMJdza8VBbKmhGfxNDBcBEU, postLogoutRedirectUri: https://idp.host.loc/identity/authentication/finishlogout, sessionId: null, Is Secure = false
2018-07-12 13:43:33,824 DEBUG [qtp1744347043-15] [org.xdi.oxauth.service.UserService] (UserService.java:87) - Getting user information from LDAP: userId = admin
2018-07-12 13:43:33,834 DEBUG [qtp1744347043-15] [org.xdi.oxauth.service.UserService] (UserService.java:96) - Found 1 entries for user id = admin
2018-07-12 13:43:33,843 DEBUG [qtp1744347043-15] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!7C9F.A727.2856.8ADC!0001!5E08.1CC2!0008!92CD.E7D7
2018-07-12 13:43:33,846 DEBUG [qtp1744347043-15] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!7C9F.A727.2856.8ADC!0001!5E08.1CC2!0008!92CD.E7D7
2018-07-12 13:43:33,848 DEBUG [qtp1744347043-15] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:119) - Validating post logout redirect URI: clientId = @!7C9F.A727.2856.8ADC!0001!5E08.1CC2!0008!92CD.E7D7, postLogoutRedirectUri = https://idp.host.loc/identity/authentication/finishlogout
2018-07-12 13:43:33,848 DEBUG [qtp1744347043-15] [org.xdi.oxauth.service.RedirectionUriService] (RedirectionUriService.java:123) - Comparing https://idp.host.loc/identity/authentication/finishlogout == https://idp.host.loc/identity/authentication/finishlogout
2018-07-12 13:43:33,849 ERROR [qtp1744347043-15] [xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl] (EndSessionRestWebServiceImpl.java:190) - session_id is not passed to endpoint (as cookie or manually). Therefore unable to match clients for session_id.Http based html will contain no iframes.
2018-07-12 13:43:33,850 DEBUG [qtp1744347043-15] [xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl] (EndSessionRestWebServiceImpl.java:129) - Constructed http logout page: <!DOCTYPE html><html><head><script>window.onload=function() {window.location='https://idp.host.loc/identity/authentication/finishlogout'}</script><title>Gluu Generated logout page</title></head><body>Logout requests sent.<br/></body></html>

Apparently, if no session_id parameter is passed, either via the URL query string or in cookies, oxAuth cannot properly finalize the session's end.

Expected result:
Though it's an open question whether terminating a session should be allowed with just an id_token alone (and no session_id), oxAuth for sure must not make the user believe the session is terminated properly while it wasn't. Some error page must be displayed instead, warning them, perhaps with a button which the user can click to proceed further down the flow.

@aliaksander-samuseu


Contributor

aliaksander-samuseu commented Jul 12, 2018

The issue was first reported in this ticket.

@yuriyz yuriyz assigned yuriyz and unassigned qbert2k Oct 10, 2018

@yuriyz


Contributor

yuriyz commented Nov 28, 2018

In this particular case, in the request both id_token_hint and session_id are provided. As described in the docs, since 3.1.4 the server validates both of them. It means that if the session is not identified (for the provided id_token_hint or session_id) then an error will be returned. In addition, if the RP's intention is to remove the current session then /end_session can be called without id_token_hint and without session_id parameters. The server will identify the existing session by cookie.

https://gluu.org/docs/ce/3.1.4/operation/logout/

New behavior was introduced as part of #831
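Added example, not oxAuth code and not part of this thread: a small Python model of an end_session endpoint that puts the failure mode reported above (a "Logout requests sent." page even though no session was found, so nothing was terminated) next to the behaviour yuriyz describes for 3.1.4 (resolve the session from the session_id parameter, the session cookie or id_token_hint, and return an error when none of them matches). Everything in it is constructed: the session store, the client registry, the HS256 key and the token built with it (HS256 only because the token in the log above carries that alg), and the fallback that identifies a session by the token's sub and aud is an assumption of this example, not documented Gluu behaviour.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Constructed OP state for this example (not Gluu data): an HS256 key shared with
# the client, one registered client and its allowed post-logout redirect URI.
OP_HS256_KEY = b"constructed-client-secret"
ISSUER = "https://idp.example"
CLIENTS = {
    "client-1": {"post_logout_redirect_uris": {"https://rp.example/finishlogout"}},
}


def fresh_sessions():
    """Server-side session store keyed by session_id, rebuilt per scenario."""
    return {"sid-1": {"user": "admin", "clients": {"client-1"}}}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(sub: str, aud: str) -> str:
    """Build a constructed HS256 id_token (header.payload.signature)."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = _b64url(json.dumps({"iss": ISSUER, "sub": sub, "aud": aud}).encode())
    sig = hmac.new(OP_HS256_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str):
    """Return the claims if the HS256 signature and issuer check out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(OP_HS256_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    return claims if claims.get("iss") == ISSUER else None


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def end_session_legacy(url: str, cookies: dict, sessions: dict) -> dict:
    """Behaviour the issue reports: with no session_id nothing is terminated,
    yet the caller still receives the success page."""
    q = _query(url)
    sid = q.get("session_id") or cookies.get("session_id")
    if sid in sessions:
        del sessions[sid]
    # The missing session is only logged; the response is the success page either way.
    return {"status": 200, "body": "Logout requests sent."}


def end_session_validated(url: str, cookies: dict, sessions: dict) -> dict:
    """Behaviour described for 3.1.4: identify the session from session_id, the
    session cookie or id_token_hint, and fail loudly when none of them matches."""
    q = _query(url)
    claims = None
    if "id_token_hint" in q:
        claims = verify_id_token(q["id_token_hint"])
        if claims is None:
            return {"status": 400, "error": "invalid_request", "reason": "bad id_token_hint"}
    sid = q.get("session_id") or cookies.get("session_id")
    if sid is None and claims is not None:
        # Assumption for this example: when neither parameter nor cookie names a
        # session, pick the one whose user and client match the token's sub and aud.
        sid = next((s for s, v in sessions.items()
                    if v["user"] == claims["sub"] and claims["aud"] in v["clients"]), None)
    session = sessions.get(sid)
    if session is None:
        return {"status": 400, "error": "invalid_request", "reason": "session not found"}
    if claims is not None and (claims["sub"] != session["user"]
                               or claims["aud"] not in session["clients"]):
        return {"status": 400, "error": "invalid_request", "reason": "id_token_hint does not match session"}
    redirect = q.get("post_logout_redirect_uri")
    if redirect is not None:
        allowed = set()
        for cid in session["clients"]:
            allowed |= CLIENTS[cid]["post_logout_redirect_uris"]
        if redirect not in allowed:
            return {"status": 400, "error": "invalid_request", "reason": "post_logout_redirect_uri not registered"}
    del sessions[sid]
    return {"status": 200, "body": "Logout requests sent.", "redirect": redirect}
```

The point to check in any OP, whatever its implementation, is the pairing of response and state: a 200 with the logout page must only be produced after a session was actually located and removed, and a request that names a session_id the server cannot find (or that carries a token it cannot tie to a session) must come back as an error, so the RP and the user never see "logged out" while the OP session survives.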

@yuriyz yuriyz closed this Nov 28, 2018
