-
-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add possibility to flexible match OIDC post_logout_redirect_uri against configured logout url #5116
Add possibility to flexible match OIDC post_logout_redirect_uri against configured logout url #5116
Conversation
…onfigured logout url
Thank you so much for opening your first pull request here! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the pull request. Please review, and always make sure your pull request passes CI checks on your own fork. There are quite few styling violations here that would not pass CI.
...i/src/main/java/org/apereo/cas/oidc/web/controllers/logout/OidcLogoutEndpointController.java
Outdated
Show resolved
Hide resolved
...i/src/main/java/org/apereo/cas/oidc/web/controllers/logout/OidcLogoutEndpointController.java
Outdated
Show resolved
Hide resolved
support/cas-server-support-oidc/src/main/java/org/apereo/cas/oidc/config/OidcConfiguration.java
Outdated
Show resolved
Hide resolved
support/cas-server-support-oidc/src/main/java/org/apereo/cas/oidc/config/OidcConfiguration.java
Outdated
Show resolved
Hide resolved
...ava/org/apereo/cas/oidc/web/controllers/logout/OidcLogoutEndpointControllerMatcherTests.java
Outdated
Show resolved
Hide resolved
…m/Interessierter/cas into oidc-logout-url-flexible-matching
- adjustments as requested by devs
thanks for the review! intention was to leave the currently functionality as-is while adding the possibility to configure the matching more flexible. If you're fine with always doing regex-matching that is fine with me as well - makes it an even simpler change :) Could you advise please how to activate CI on my fork? I've activated the actions in the forked project but still after pushing the latest commit nothing is run automatically. I also cannot find any information on this in the contributions documentation: https://apereo.github.io/cas/developer/Contributor-Guidelines.html |
- adjustments as requested by devs
I am fine with regex-matching be the default in fact. Can't see an issue with it, but I'll ping @hdeadman to be sure. And for CI, I suspect what you have to do is to modify the GH workflow configuration to look at your branch for the CI builds. Things like this: Set the branch to be yours, for all workflows and do test. When you're ready and everything is passing, please post here and we'll activate CI here. (This is specifically done to ensure CI here for the repo only triggers for things we want to pursue, so as to not hog the CI backlog for when we actually do need something to go through) For the time being, I'll activate CI here once so you can take a first stab at it. |
CI is now activated for one build: https://github.com/apereo/cas/actions |
Codecov Report
@@ Coverage Diff @@
## master #5116 +/- ##
======================================================
- Coverage 79.41449% 17.49244% -61.92205%
+ Complexity 14366 3364 -11002
======================================================
Files 2517 2517
Lines 58206 58208 +2
Branches 4699 4699
======================================================
- Hits 46224 10182 -36042
- Misses 9390 47311 +37921
+ Partials 2592 715 -1877
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
- adjustments as requested by devs
- fix wrong order
Hi Misagh, I fixed the styling problems (with some I would disagree but ok, its not my project) and an embarassing bug and now the CI is mostly fine: https://github.com/Interessierter/cas/actions (the test failures are unrelated to my changes: at the time running there seem to be a regression with the registeredservice-tests within the official master branch and there are some infrastructure-related failures for MacOS and couchbase I did not investigate) - could you have another look if this is fine now for you? I did merge the changes from the feature branch into master branch for easily triggering the CI on my fork. Running the CI is actually quite useful (although it really runs forever: ;( ) and should be mentioned on the Contributor Guide (I wanted to add such section but this guide seems to be not part of this repo)
|
Thanks much. Make sure you have merged with the latest master branch. I'll take a look.
It is. The CI system is Github Actions, and it's common sense for one to be familiar with GH actions and figure out where the workflow configuration and triggers are. We are not going to document how GH action works and what triggers are available and where the workflow files are, etc and how the rules work. GH does that. Having said that, if you prefer, you can always post a PR to the Apereo blog and document your experience for others.
It is. See gh-pages branch. |
LOGGER.debug("Logout urls assigned to registered service are [{}]", urls); | ||
if (StringUtils.isNotBlank(postLogoutRedirectUrl)) { | ||
val matchResult = registeredService.matches(postLogoutRedirectUrl) | ||
|| urls.stream().anyMatch(url -> url.getUrl().equalsIgnoreCase(postLogoutRedirectUrl)); | ||
|| urls.stream().anyMatch(url -> postLogoutRedirectUrl.matches(url)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please use the service matching strategy here. See #5123 as an example.
...i/src/main/java/org/apereo/cas/oidc/web/controllers/logout/OidcLogoutEndpointController.java
Outdated
Show resolved
Hide resolved
...ava/org/apereo/cas/oidc/web/controllers/logout/OidcLogoutEndpointControllerMatcherTests.java
Show resolved
Hide resolved
ok, made the changes you requested except that one with the matchingStrategy because it is already there (just one line above! otherwise you have to elaborate more about what you mean) |
There is:
Should be (pseudocode):
Watch out for |
why?!? OIDC RP-initiated logout is something different to the (assumed, this is very sparsely documented) purpose of |
The matching strategy of the service is and should be controlled via the There is a possibility (though remote) that one would want to have a different matching strategy for logouts separate from what operates on redirect-uri, but I think that is overkill. So, let's stick with the matching strategy API for now, and possibly come up with a global option to control matching strategies. Correction: Or do this as a custom patch in a way that works best for your use case. |
I do not think this is wise, as a custom matching strategy will more likely fail on completely artifical RegisteredServices (remember: I need to create one for each configured logoutURL just for this) but OK, as you wish, have pushed the requested changes |
Could you elaborate please? I am not sure I follow. What I have in mind is, conceptually you have a service that does matching operations. The purpose of the matching API is to exactly handle this sort of thing, and allow customizations and injections on a per application basis. You can of course decide whether the match would operate on the full text with The danger with using this API is that a deployment may want to use a "full" matching strategy on redirect-uris, and yet use some other custom strategy for logout uris. That's what I was referring to as "overkill" and possibly very suspicious. This does not sound like something you have to work with, and certainly not something we'd want to support (at least not yet!) And yes, you have to do the customization for every application to define your own matching strategy. If you have a large number of services, this would be impractical. All true. So I was suggesting that we keep the "per service" option and use the API that is available for now, and then fall back onto creating a more global option, so you would not have to create this matching strategy for every service every time. This is also consistent with how everything else works with CAS; There is a global option, and then there is the ability to override it on a per application basis. In this case, we just have the per-application bit. The global stuff would come in later, and I am happy to work with you on that, possibly in a separate PR to handle the global route. Or if you prefer, you can punt that over to me. And the global option would be something like: I think this works, but please let me know if I am missing something. |
kindly have a look at my latest commit (3fd4f4f) , i think this illustrates it: In order to do the IMHO you should withdraw your request of matching the
again. |
Thanks for the notes. It does clearly illustrate the issue. What you have in the patch is really a non-issue, because of course the matching API can be very slightly and humbly adjusted to not require a "pointless" service. That said, I do see your point and would have no problem reverting back to what was the original change, not because it's inapplicable but mainly because the solution is almost identical as what exists now and I see the argument for not complicating matters any more. It would be great to have others like @hdeadman or @leleuj chime in. I appreciate your patience here; let's pause for the time being. Thanks for your patience. |
I am not sure I understand all the issues being discussed here but if the allowed logout URL is changing from an exact URL to a regular expression, would that allow a case where someone has configured an allowed logout URL of |
Thanks for your input! The scenario you described IMHO isnt possible because before the OIDC @mmoayyed now how to proceed?
This was supposed to be a very simple yet useful addition to CAS (fully implemented, no side effects, with tests!) for a specific usecase but unfortunately due to the numerous change requests this has now already taken way more time then I imagined - I would be glad if we can soon finalize it - please advise! |
Apologies for the delay. Having reviewed this some more and discussed internally, I think the best option for now is one of the following:
Or
It's possible that we might consider changing this in the future; to introduce APIs for logout URL matching, or control this behavior globally, etc. For now, it's best to move on with immediate progress and not let those future ambitions be the enemy of the good. |
Hi @mmoayyed thanks for your reply! I choose variant 1 because it keeps the current functionality for all others which is safest (although like I said I think the scenario that Hal mentioned is not possible there are certain others possible if someone has taken over a website completely and is able to obtain control over the IdToken and what postLogoutRedirectUrl then the issue with I pushed the branch and also merged it to master in my repo-fork so when the CI build there is done and you're OK with it I would be most happy if you accept the PR. Of course I am fine with future changes/refactorings of this - as long as the functionality (for us now we need to match the postLogoutRedirectUrl with a regex against the configured logoutUrl) is kept. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Minor comments on formatting and structure
...i/src/main/java/org/apereo/cas/oidc/web/controllers/logout/OidcLogoutEndpointController.java
Outdated
Show resolved
Hide resolved
support/cas-server-support-oidc/src/main/java/org/apereo/cas/oidc/config/OidcConfiguration.java
Outdated
Show resolved
Hide resolved
support/cas-server-support-oidc/src/main/java/org/apereo/cas/oidc/config/OidcConfiguration.java
Outdated
Show resolved
Hide resolved
support/cas-server-support-oidc/src/main/java/org/apereo/cas/oidc/config/OidcConfiguration.java
Outdated
Show resolved
Hide resolved
Thanks for the follow-up adjustments. Once this is merged, I see no issues with porting this back to 6.3. I can cherry-pick on your behalf, or you're welcome to submit a separate PR. |
made the requested adjustments and also fixed the code style issues (sorry, I have to work on a corporate on-demand antivirus scan infested machine, IntelliJ isnt really responsive when working with a large project like cas ) |
Wonderful, thanks very much. Let's proceed. As ever, you're most welcome to submit another PR to handle the change for 6.3.x, or you could let me know and I can always cherry-pick on your behalf, preserving credit. |
would be nice if you could cherry-pick it into 6.3 - thanks in advance! |
uri against configured logout url (#5116)
Hello,
we're using CAS that is configured as central IDP in authorisation systems like Keycloak which sometimes host authorization data for a multitude of applications. When users logout, they send the logout to e.g. Keycloak which sends the logout to CAS with a
post_logout_redirect_uri
specific to this application. As we just have one Service in CAS for the authorization system we currently need to configure a all application specific logout URLs which are really a lot, this is not maintainable.With the change of this pull request I've added the possibility that the given logout URLs can be matched more flexible against the configured URLs - like I did for example in the test included as a configured regular expression.
If you agree I would also like to port this feature to the 6.3 branch.
best regards,
christian