
Second logout request from another RP returns error #992

Closed
yurem opened this issue Jan 26, 2019 · 4 comments

Comments

@yurem
Contributor

commented Jan 26, 2019

Original issue is this one.

Here is the root cause which caused the wrong redirect after logging into the second RP. I fixed it.

I think oxTrust issue GluuFederation/oxTrust#1474 was resolved. But the question is still open. Should oxAuth return a successful result after a second logout from another RP? Or is it the RP's responsibility to check the error code and handle it properly? @nynymike @yuriyz @jgomer2001 what do you think?

@yurem yurem added the enhancement label Jan 26, 2019

@yurem yurem added this to the 3.1.6 milestone Jan 26, 2019

@yurem

Contributor Author

commented Jan 26, 2019

We discussed a similar issue already. We tried to fix the issue with id_token expiration, which needs an end_session call. I have one idea. I propose, instead of storing data about expired tokens/sessions in local LDAP, to add a new cookie for each RP. The value will be a signed JWT or JWE. On end session, if the id_token/session cookie has expired already, we can use this additional cookie. oxAuth can check its signature. Also it should check if the iat claim is lower than the maximum session lifetime. If these 2 validations return true, end_session can return the right response to the client_id claim specified in this token.

@jgomer2001

Contributor

commented Jan 29, 2019

Or is it the RP's responsibility to check the error code and handle it properly?

How to catch the error code? I mean, after obtaining a logout URL from the OP, the browser is sent there. Then the JSON error (referenced in issue 1474) is displayed while the browser is still at the OP, more exactly at https://host/oxauth/restv1/end_session?id_token_hint=...&session_state=...&post_logout_redirect_uri=...

@yuriyz

Contributor

commented Jan 30, 2019

@jgomer2001 @yurem I propose sticking to the spec. And the spec says that each RP should register frontchannel_logout_uri. So let's say we have RP1 and RP2. If RP1 calls /end_session, then both frontchannel_logout_uri1 (from RP1) and frontchannel_logout_uri2 (from RP2) are loaded, and thus RP2 knows that the session is ended. So if the user clicks logout on RP2 and it already knows that the session ended, then it should simply show the login page or say that the session is ended. It doesn't make sense for RP2 to call /end_session at this point, thus there is nothing to handle. What do you think?

@yurem

Contributor Author

commented Jan 30, 2019

Yes, all RPs should register frontchannel_logout_uri.
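The front-channel flow agreed on above, as an added example that is not oxAuth or oxTrust code: a constructed OP keeps track of which client_ids share one session (sid); when RP1 calls /end_session the OP renders a logout iframe for every RP's frontchannel_logout_uri (with the iss and sid parameters from the OpenID Connect Front-Channel Logout spec), so RP2 drops its local session and, when its own user logs out, never calls /end_session and never sees the error. Issuer, client_ids and URIs are constructed values.

```python
from urllib.parse import urlencode
class RelyingParty:
    # Constructed RP: registers a frontchannel_logout_uri, tracks live OP sessions.
    def __init__(self, client_id, frontchannel_logout_uri):
        self.client_id = client_id
        self.frontchannel_logout_uri = frontchannel_logout_uri
        self.live_sids = set()
        self.end_session_calls = 0

    def on_frontchannel_logout(self, iss, sid):
        # The OP's logout page loaded our frontchannel_logout_uri in an iframe:
        # drop the local session for that sid. Nothing is sent to /end_session.
        self.live_sids.discard(sid)

    def user_clicks_logout(self, op, sid):
        if sid not in self.live_sids:
            return "session already ended"  # skip /end_session, so no error page
        self.end_session_calls += 1
        op.end_session(sid)
        return "logged out via /end_session"

class OpenIDProvider:
    # Constructed OP: remembers which client_ids share one OP session (sid).
    def __init__(self, issuer):
        self.issuer, self.rps, self.sessions = issuer, {}, {}

    def login(self, sid, rp):
        self.rps[rp.client_id] = rp
        self.sessions.setdefault(sid, []).append(rp.client_id)
        rp.live_sids.add(sid)

    def end_session(self, sid):
        client_ids = self.sessions.pop(sid, [])
        # iss and sid are the query parameters front-channel logout adds when
        # the RP registered with frontchannel_logout_session_required.
        query = urlencode({"iss": self.issuer, "sid": sid})
        urls = [self.rps[c].frontchannel_logout_uri + "?" + query for c in client_ids]
        for c in client_ids:  # simulate the browser rendering every logout iframe
            self.rps[c].on_frontchannel_logout(self.issuer, sid)
        return urls

def run_scenario():
    op = OpenIDProvider("https://op.example")  # constructed issuer and RPs
    rp1 = RelyingParty("rp1", "https://rp1.example/fc-logout")
    rp2 = RelyingParty("rp2", "https://rp2.example/fc-logout")
    for rp in (rp1, rp2):
        op.login("sid-123", rp)
    first = rp1.user_clicks_logout(op, "sid-123")   # RP1 ends the shared session
    second = rp2.user_clicks_logout(op, "sid-123")  # RP2 already knows it ended
    return first, second, rp1.end_session_calls + rp2.end_session_calls
```

The scenario ends with exactly one /end_session call, so the second RP's logout produces no error to handle.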

@yurem yurem closed this Jan 30, 2019
