[management] invalid logout url construction with external OIDC Provider #5593

Closed
apoddany opened this issue May 17, 2021 · 0 comments

apoddany commented May 17, 2021

When using an external OIDC Provider, the logout URL is incorrectly built (missing ? character).

The OIDC Provider used is CAS from Apereo, with the following configuration:

```json
{
    "id": "cas",
    "name": "My IDP",
    "description": "IDP CAS 6.3.x",
    "type": "oidc",
    "enabled": true,
    "configuration": {
        "tokenEndpoint": "https://<idp_host>/oidc/token",
        "clientId": "mysolution",
        "color": "#f39c12",
        "tokenIntrospectionEndpoint": "https://<idp_host>/oidc/introspect",
        "userLogoutEndpoint": "https://<idp_host>/oidc/logout",
        "authorizeEndpoint": "https://<idp_host>/oidc/authorize",
        "clientSecret": "xxx",
        "scopes": [
            "openid",
            "email",
            "profile"
        ],
        "userInfoEndpoint": "https://<idp_host>/oidc/profile"
    },
    "roleMappings": [
...
```

For the Console, the generated URL will look like:

https://<idp_host>/oidc/logoutahttps%3A%2F%2F<gravitee_host>

It is missing the "?" character.

Currently, one workaround is to add "?a=a" to the userLogoutEndpoint, as follows:

"userLogoutEndpoint": "https://<idp_host>/oidc/logout?a=a",

This will make the logout URL look like:

https://<idp_host>/oidc/logout?a=ahttps%3A%2F%2F<gravitee_host>

This URL is wrong but will allow the user to be disconnected.

Adding ?post_logout_redirect_uri= does not improve the behavior.

Your Environment

  • Version used: 3.5.10
  • Browser Name and version:
  • Operating System and version:
apoddany added this to the APIM - 3.5.13 milestone May 17, 2021
phiz71 added a commit to gravitee-io/gravitee-management-webui that referenced this issue May 25, 2021
* Instead of using only `window.location.href`, use also `window.location.pathname` to determine the correct redirect URL
* Also manage `post_logout_redirect_uri` path parameter correctly depending on the idp type to be able to handle the logout process.

Fixes gravitee-io/issues#5633
Fixes gravitee-io/issues#5593
NicolasGeraud pushed a commit to gravitee-io/gravitee-management-webui that referenced this issue May 26, 2021
* Instead of using only `window.location.href`, use also `window.location.pathname` to determine the correct redirect URL
* Also manage `post_logout_redirect_uri` path parameter correctly depending on the idp type to be able to handle the logout process.

Fixes gravitee-io/issues#5633
Fixes gravitee-io/issues#5593
phiz71 closed this as completed May 27, 2021
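
The failure mode reported above, as an added example that is not code from this issue or from the Gravitee project: building the logout URL with the `URL` API so the separator and the `post_logout_redirect_uri` parameter name are always present, plus a check that classifies a generated URL. The function names are hypothetical, the hosts `idp.example.test` and `apim.example.test` are constructed placeholders for `<idp_host>` and `<gravitee_host>`, and it assumes an OIDC provider that accepts `post_logout_redirect_uri`.

```javascript
// Added example; function names are hypothetical, hosts are constructed placeholders.
const REDIRECT_PARAM = 'post_logout_redirect_uri'; // parameter named in the issue

// Build the logout URL with the URL API so the parser picks "?" or "&",
// whether or not the configured userLogoutEndpoint already has a query string.
function buildLogoutUrl(userLogoutEndpoint, redirectUri) {
  const url = new URL(userLogoutEndpoint); // throws on a malformed endpoint
  const target = new URL(redirectUri);     // throws on a malformed redirect
  if (url.protocol !== 'https:') {
    throw new Error('logout endpoint must use https');
  }
  // Assumption: only origin + path are sent back; query and fragment are dropped.
  url.searchParams.set(REDIRECT_PARAM, target.origin + target.pathname);
  return url.toString();
}

// Classify a generated logout URL against the configured endpoint.
function classifyLogoutUrl(generated, userLogoutEndpoint) {
  const url = new URL(generated);
  const endpoint = new URL(userLogoutEndpoint);
  if (url.origin !== endpoint.origin || url.pathname !== endpoint.pathname) {
    return 'path-corrupted'; // redirect target was appended to the path
  }
  const redirect = url.searchParams.get(REDIRECT_PARAM);
  if (redirect === null) return 'redirect-missing';
  try {
    new URL(redirect);
  } catch {
    return 'redirect-invalid';
  }
  return 'ok';
}

// Constructed samples mirroring the two URL shapes quoted in the issue.
const ENDPOINT = 'https://idp.example.test/oidc/logout';
const SAMPLES = [
  ENDPOINT + 'ahttps%3A%2F%2Fapim.example.test',
  ENDPOINT + '?a=ahttps%3A%2F%2Fapim.example.test',
  buildLogoutUrl(ENDPOINT, 'https://apim.example.test/#!/login'),
  buildLogoutUrl(ENDPOINT + '?a=a', 'https://apim.example.test/'),
];
for (const s of SAMPLES) console.log(classifyLogoutUrl(s, ENDPOINT), s);
```

A check like `classifyLogoutUrl` fits in a UI unit test, since a logout URL the IdP cannot parse can leave the user's IdP session alive after they believe they have signed out.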