unstaged

Makefile

@@ -42,9 +42,7 @@ docker:
 .PHONY: e2e
 e2e:
 		make test-resetdb
-		export TEST_DATABASE_MYSQL='mysql://root:secret@(127.0.0.1:3444)/mysql?parseTime=true'
-		export TEST_DATABASE_POSTGRESQL='postgres://postgres:secret@127.0.0.1:3445/hydra?sslmode=disable'
-		export TEST_DATABASE_COCKROACHDB='cockroach://root@127.0.0.1:3446/defaultdb?sslmode=disable'
+		source ./scripts/test-env.sh
 		./test/e2e/circle-ci.bash memory
 		./test/e2e/circle-ci.bash memory-jwt
 		./test/e2e/circle-ci.bash postgres

consent/manager_sql.go

@@ -528,7 +528,7 @@ func (m *SQLManager) ListUserAuthenticatedClientsWithBackChannelLogout(ctx conte
 
 func (m *SQLManager) listUserAuthenticatedClients(ctx context.Context, subject, sid, channel string) ([]client.Client, error) {
 	var ids []string
-	if err := m.DB.SelectContext(ctx, &ids, m.DB.Rebind(fmt.Sprintf(`SELECT DISTINCT(c.id) FROM hydra_client as c JOIN hydra_oauth2_consent_request as r ON (c.id = r.client_id) JOIN hydra_oauth2_authentication_session AS s ON (r.login_session_id = s.id) WHERE r.subject=? AND c.%schannel_logout_uri!='' AND c.%schannel_logout_uri IS NOT NULL AND s.id = ?`, channel, channel)), subject, sid); err != nil {
+	if err := m.DB.SelectContext(ctx, &ids, m.DB.Rebind(fmt.Sprintf(`SELECT DISTINCT(c.id) FROM hydra_client as c JOIN hydra_oauth2_consent_request as r ON (c.id = r.client_id) WHERE r.subject=? AND c.%schannel_logout_uri!='' AND c.%schannel_logout_uri IS NOT NULL AND r.login_session_id = ?`, channel, channel)), subject, sid); err != nil {
 		if err == sql.ErrNoRows {
 			return nil, errors.WithStack(x.ErrNotFound)
 		}

consent/strategy_default.go

@@ -900,36 +900,44 @@ func (s *DefaultStrategy) completeLogout(w http.ResponseWriter, r *http.Request)
 	}
 
 	if !lr.RPInitiated {
+		// If this is true it means that no id_token_hint was given, so the session id and subject id
+		// came from an original cookie.
+
 		session, err := s.authenticationSession(w, r)
 		if errors.Cause(err) == ErrNoAuthenticationSessionFound {
+			// If we end up here it means that the cookie was revoked between the initial logout request
+			// and ending up here - possibly due to a duplicate submit. In that case, we really have nothing to
+			// do because the logout was already completed, apparently!
+
+			// We also won't call any front- or back-channel logouts because that would mean we had called them twice!
+
 			// OP initiated log out but no session was found. So let's just redirect back...
 			http.Redirect(w, r, lr.PostLogoutRedirectURI, http.StatusFound)
 			return nil, errors.WithStack(ErrAbortOAuth2Request)
 		} else if err != nil {
 			return nil, err
 		}
 
-		if err := s.revokeAuthenticationSession(w, r); err != nil {
-			return nil, err
-		}
-
 		if session.Subject != lr.Subject {
-			// Seems like the session changed mid-flight, so we won't revoke the login cookie...
+			// If we end up here it means that the authentication cookie changed between the initial logout request
+			// and landing here. That could happen because the user signed in in another browser window. In that
+			// case there isn't really a lot to do because we don't want to sign out a different ID, so let's just
+			// go to the post redirect uri without actually doing anything!
 			http.Redirect(w, r, lr.PostLogoutRedirectURI, http.StatusFound)
 			return nil, errors.WithStack(ErrAbortOAuth2Request)
 		}
 	}
 
-	if err := s.revokeAuthenticationSession(w, r); err != nil {
+	urls, err := s.generateFrontChannelLogoutURLs(r.Context(), lr.Subject, lr.SessionID)
+	if err != nil {
 		return nil, err
 	}
 
 	if err := s.executeBackChannelLogout(r.Context(), lr.Subject, lr.SessionID); err != nil {
 		return nil, err
 	}
 
-	urls, err := s.generateFrontChannelLogoutURLs(r.Context(), lr.Subject, lr.SessionID)
-	if err != nil {
+	if err := s.revokeAuthenticationSession(w, r); err != nil {
 		return nil, err
 	}
 

scripts/test-env.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+export TEST_DATABASE_MYSQL='mysql://root:secret@(127.0.0.1:3444)/mysql?parseTime=true'
+export TEST_DATABASE_POSTGRESQL='postgres://postgres:secret@127.0.0.1:3445/hydra?sslmode=disable'
+export TEST_DATABASE_COCKROACHDB='cockroach://root@127.0.0.1:3446/defaultdb?sslmode=disable'