Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Logout trigger OP unauthneticated session creation #1473

yurem opened this issue Jan 21, 2019 · 3 comments


Copy link

commented Jan 21, 2019

After processing oxTrust logout request oxAuth sends next page:

<!DOCTYPE html><html><head><script>window.onload=function() {window.location=''}</script><title>Gluu Generated logout page</title></head>
<body>Logout requests sent.<br/><iframe height="0" width="0" src=""></iframe></body></html>

As result browser make 2 requests:

First request calls page which triggered this RP Logout flow. But this led to start authentication flow creation because /logout is protected page. We can add flag to oxtrust session that end_session request was send and refactor code to avoid trigger security excretion when user logged out (after redirect from OP).

But how to mix OP Logout with RP initiated logout in all another cases to avoid such issues in future? Are there OP spec recommendation about this? @qbert2k @yuriyz What do you think?


This comment has been minimized.

Copy link

commented Jan 21, 2019

The purpose of Front channel logout uri is to clean up RP session and set RP in logout state. Front channel logout uri can be hit by this RP (1) or any other RP (2) that take part in authentication flow. Imagine that RP2 initiated logout, then front channel logout uri is hit, so RP1 goes to logout state too. I think we should not initiate authentication flow for it since we can get many such calls (think about use case when RP does not provide frontchannel_logout_uri thus are not in logout state and as result will hit RP1 logout endpoint) . I guess post_logout_redirect_uri can initiate authentication flow if needed.

  • frontchannel_logout_uri -
  • post_logout_redirect_uri -

From spec:

OPTIONAL. RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be.

This comment has been minimized.

Copy link
Contributor Author

commented Jan 25, 2019

Fixed OP logout in oxTrust

@yurem yurem closed this Jan 25, 2019


This comment has been minimized.

Copy link

commented Feb 7, 2019

@yurem does this require any updates to the documentation?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
4 participants
You can’t perform that action at this time.