
Issues after two successive logoffs take place #1474

Closed
jgomer2001 opened this issue Jan 21, 2019 · 4 comments

Comments

@jgomer2001
Contributor

commented Jan 21, 2019

I faced a couple of issues when testing an application and using oxTrust at the same time.

Not sure if this is a general CE issue (arbitrary applications) or if this happens exclusively when oxTrust is present. In that case, this might be related to #1473.

Suppose app A (using a client requesting an acr with level = 1). Particularly for log out, this app uses "RP-Initiated Logout" as described in section 5 of the spec.

Suppose oxTrust as it comes by default in CE (default acr level = -1).

Here I list some flows with the corresponding outcomes after the 2nd logout (when the 4th step takes place):


Flow 1

  1. Login to app A
  2. Login to oxTrust
  3. Logout from app A
  4. Logout from oxTrust

In this case, no thank-you page is shown. The browser is taken directly to the SSO login form.


Flow 2

  1. Login to app A
  2. Login to oxTrust
  3. Logout from oxTrust
  4. Logout from app A

The browser shows

{"error":"post_logout_uri_not_associated_with_client","error_description":"The provided post logout uri is not associated with client.","reason":"Session was removed successfully but redirect to post_logout_redirect_uri fails since AS failed to validate it against clients associated with session (which was just removed)."}

Flow 3

  1. Login to oxTrust
  2. Login to app A
  3. Logout from oxTrust
  4. Logout from app A

Again this appears:

{"error":"post_logout_uri_not_associated_with_client","error_description":"The provided post logout uri is not associated with client.","reason":"Session was removed successfully but redirect to post_logout_redirect_uri fails since AS failed to validate it against clients associated with session (which was just removed)."}

Flow 4

  1. Login to oxTrust
  2. Login to app A
  3. Logout from app A
  4. Logout from oxTrust

{"error":"invalid_grant_and_session","error_description":"The provided access token and session state are invalid or were issued to another client.","reason":"Failed to identify session by session_id query parameter or by session_id cookie."}

@jgomer2001 jgomer2001 added this to the 3.1.6 milestone Jan 21, 2019

@syntrydy syntrydy removed their assignment Jan 22, 2019

@yurem

Contributor

commented Jan 23, 2019

@jgomer2001 Here is a ticket with the same or a similar issue description

@jgomer2001

Contributor Author

commented Jan 25, 2019

@yurem After your latest oxauth/oxtrust update, the situation changed in the following way:

Flow 1: it works fine. oxTrust shows the thank-you page.

Flows 2, 3, and 4: they all show the following error:

{"error":"invalid_grant_and_session","error_description":"The provided access token and session state are invalid or were issued to another client.","reason":"Failed to identify session by session_id query parameter or by session_id cookie."}

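As an added illustration (not code from this issue or from oxAuth), here is a toy Python model of an OpenID Provider's end_session endpoint. It contrasts two ways of deciding whether a post_logout_redirect_uri may be followed: deriving the allow-list from the clients attached to the shared SSO session, or deriving it from the client named by id_token_hint and checking it before the session is torn down. It models flow 2 from the issue body: two RPs (app A and oxTrust, with constructed client ids and redirect URIs) share one session, oxTrust logs out first, then app A. The session-bound variant reproduces the second-logout failure reported in this thread only in spirit (once the session is gone it answers invalid_grant_and_session, as in the errors quoted above); the hint-bound variant still redirects on the second logout and rejects an unregistered target in either case, so the logout-redirect check never depends on session state another RP may already have destroyed. All class names, method names, client ids and URIs are assumptions.

```python
"""Toy model of an OP end_session endpoint (constructed example; not oxAuth code).

Shows why the post_logout_redirect_uri check should be bound to the client
named in id_token_hint, not to the SSO session that another RP may already
have ended.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Client:
    client_id: str
    post_logout_redirect_uris: Set[str]  # registered at the OP


@dataclass
class Session:
    session_id: str
    clients: Set[str] = field(default_factory=set)  # RPs that authenticated in this session


class OpenIDProvider:
    def __init__(self, clients: List[Client]) -> None:
        self.clients: Dict[str, Client] = {c.client_id: c for c in clients}
        self.sessions: Dict[str, Session] = {}

    def login(self, session_id: str, client_id: str) -> None:
        # A second RP joining an existing SSO session shares the same session object.
        self.sessions.setdefault(session_id, Session(session_id)).clients.add(client_id)

    def end_session_session_bound(self, session_id: str, post_logout_redirect_uri: str) -> dict:
        """Allow-list derived from the session: fails once another RP has logged out."""
        session = self.sessions.get(session_id)
        if session is None:
            return {"error": "invalid_grant_and_session"}
        allowed = set().union(*(self.clients[c].post_logout_redirect_uris for c in session.clients))
        if post_logout_redirect_uri not in allowed:
            return {"error": "post_logout_uri_not_associated_with_client"}
        del self.sessions[session_id]
        return {"redirect": post_logout_redirect_uri, "session_removed": True}

    def end_session_hint_bound(self, session_id: str, post_logout_redirect_uri: str,
                               id_token_hint_client_id: str) -> dict:
        """Allow-list derived from the id_token_hint client, checked before teardown."""
        client = self.clients.get(id_token_hint_client_id)
        if client is None or post_logout_redirect_uri not in client.post_logout_redirect_uris:
            # Reject before touching the session: an unregistered target is never redirected to.
            return {"error": "post_logout_uri_not_associated_with_client"}
        removed = self.sessions.pop(session_id, None) is not None
        # Logout is idempotent here: a session already removed by another RP's logout is not an error.
        return {"redirect": post_logout_redirect_uri, "session_removed": removed}


# Constructed client ids and redirect URIs standing in for app A and oxTrust.
APP_A_URI = "https://app-a.example/loggedout"
OXTRUST_URI = "https://idp.example/identity/finishlogout"


def flow2(handler: str) -> list:
    """Flow 2 from the issue: both RPs log in, oxTrust logs out, then app A logs out."""
    op = OpenIDProvider([Client("app_a", {APP_A_URI}), Client("oxtrust", {OXTRUST_URI})])
    op.login("sess-1", "app_a")
    op.login("sess-1", "oxtrust")
    if handler == "session_bound":
        return [op.end_session_session_bound("sess-1", OXTRUST_URI),
                op.end_session_session_bound("sess-1", APP_A_URI)]
    return [op.end_session_hint_bound("sess-1", OXTRUST_URI, "oxtrust"),
            op.end_session_hint_bound("sess-1", APP_A_URI, "app_a")]


if __name__ == "__main__":
    for handler in ("session_bound", "hint_bound"):
        print(handler, flow2(handler))
```

Running the script prints both outcomes for the two logouts; the second logout under the session-bound rule yields invalid_grant_and_session, while under the hint-bound rule it yields a redirect with session_removed set to False.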
@yurem

Contributor

commented Jan 26, 2019

I think the main issue (flow 1) was resolved. Now oxAuth end_session works according to the coded rule.

I opened oxAuth issue GluuFederation/oxAuth#992 to discuss how we can add second logout support.

@yurem yurem closed this Jan 26, 2019

@jgomer2001

Contributor Author

commented Feb 9, 2019

With the latest oxauth/oxtrust wars (3.1.6), the problem in flow 4 persists.

@jgomer2001 jgomer2001 reopened this Feb 9, 2019

yuriyz added a commit to GluuFederation/oxAuth that referenced this issue Feb 27, 2019

oxauth : fixed flow 4, if acr is changed, session state is set to unauthenticated which leads to re-generation of the object. Copy permission map when it happens. However we have to re-visit this approach.

GluuFederation/oxTrust#1474

yuriyz added a commit to GluuFederation/oxAuth that referenced this issue Feb 27, 2019

@jgomer2001 jgomer2001 closed this Feb 28, 2019

yuriyz added a commit to GluuFederation/oxAuth that referenced this issue Mar 1, 2019

oxauth (4.0) : fixed flow 4, if acr is changed, session state is set to unauthenticated which leads to re-generation of the object. Copy permission map when it happens. However we have to re-visit this approach.

GluuFederation/oxTrust#1474

(cherry picked from commit fc66495)

yuriyz added a commit to GluuFederation/oxAuth that referenced this issue Mar 1, 2019
