ECOSYS-118 OpenID Connect session timeout association with access and/or identity token expiry #4570
Conversation
Copyright year needs updating
Hello @jGauravGupta. First of all, thank you for writing the OIDC adapter. My company is preparing to use it in production and it's been easy to use so far. I'm not an OIDC expert, but I've done some reading and I have a few comments about the patch. The description states:

I have two suggestions regarding this implementation (and a suggested alternative):

One: This is not a bug

I don't think this is a bug. The Core specification doesn't describe a relationship between the access token or ID token and the client session. The optional Session Management specification states that "An ID Token typically comes with an expiration date. The RP MAY rely on it to expire the RP session." In Robert Broeckelmann's article on OIDC logout, he writes (emphasis mine):

And in this question on StackOverflow, the consensus is that "The ID token has to be un-expired at this point of use (which it should be, since it has just been issued). But after this it is not used again, so it does not matter if it expires while the user still has an active session. The Client has the authentication information it needs, and in turn can choose its own policy for how long the session lasts before the user has to log in again."

Two: If we do want to associate token expiry with client session expiry, use the ID token expiry, not the access token expiry

This is supported by all of the above citations -- the specifications, the blog post, and the StackOverflow answer. OIDC really concerns itself with the ID token, not the access token. The access token is used to access secure resources, such as the OpenID Provider's userinfo endpoint and other OAuth secured resources.

Suggested implementation: Don't store the tokens

After you have proof that the user is authenticated with the OpenID Provider, create the client session and discard the tokens. This is Core spec-compliant and easier to implement. We can look into implementing the optional specifications later if there's interest.

I hope this is helpful, but again, I don't pretend to be an expert. I've read some of the specifications, and some of your code.
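As an added illustration of the reviewer's second point (this is example code, not code from the PR or from Payara's adapter): a small helper that bounds the RP session by the ID token's exp claim and never consults the access token. The class and method names are hypothetical, the token is a constructed JWT-shaped string in the usage note, and the helper assumes the adapter has already verified the token's signature before the payload is trusted.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.OptionalLong;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.servlet.http.HttpSession;

// Hypothetical helper (not part of Payara): derive the RP session lifetime
// from the ID token's "exp" claim only, as the review comment suggests.
public final class IdTokenSessionPolicy {

    private IdTokenSessionPolicy() {}

    /** Returns the payload (second segment) of a compact JWS as a JSON object. */
    static JsonObject payloadOf(String idToken) {
        String[] parts = idToken.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS: expected 3 segments");
        }
        // Assumption: the signature in parts[2] was already verified by the adapter;
        // this helper only reads claims and must never be the first consumer of a token.
        byte[] json = Base64.getUrlDecoder().decode(parts[1]);
        try (JsonReader reader = Json.createReader(
                new StringReader(new String(json, StandardCharsets.UTF_8)))) {
            return reader.readObject();
        }
    }

    /** Seconds until the "exp" claim relative to now, or empty if the claim is absent. */
    static OptionalLong secondsUntilExpiry(JsonObject claims, Instant now) {
        if (!claims.containsKey("exp")) {
            return OptionalLong.empty();
        }
        long exp = claims.getJsonNumber("exp").longValue();
        return OptionalLong.of(Duration.between(now, Instant.ofEpochSecond(exp)).getSeconds());
    }

    /**
     * Rejects a session built from an already-expired ID token, and otherwise caps the
     * session's idle timeout (the closest thing HttpSession offers to an absolute
     * lifetime) at the time remaining on the ID token. OIDC Core requires "exp" in an
     * ID token, so a token without it is treated as invalid rather than unlimited.
     */
    static void bindSessionToIdToken(HttpSession session, String idToken, Instant now) {
        OptionalLong remaining = secondsUntilExpiry(payloadOf(idToken), now);
        if (!remaining.isPresent() || remaining.getAsLong() <= 0) {
            session.invalidate();
            throw new IllegalStateException("ID token missing exp or already expired; re-authenticate");
        }
        int bounded = (int) Math.min(remaining.getAsLong(), Integer.MAX_VALUE);
        int current = session.getMaxInactiveInterval(); // negative means "never expires"
        if (current <= 0 || bounded < current) {
            session.setMaxInactiveInterval(bounded);
        }
    }
}
```

Usage would be a single call after the adapter's own validation succeeds, for example `IdTokenSessionPolicy.bindSessionToIdToken(request.getSession(), idToken, Instant.now())`. Because only the ID token's exp is read, an access token that expires earlier (or is refreshed) has no effect on the RP session, which is the separation the review comment argues for.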
Signed-off-by: Gaurav Gupta <gaurav.gupta@payara.fish>
…/or identity token expiry Signed-off-by: Gaurav Gupta <gaurav.gupta@payara.fish>
Signed-off-by: Gaurav Gupta <gaurav.gupta@payara.fish>
jenkins test please

Hi @sharpedavid, Thanks for your suggestion, I have updated the PR with optional Access & Identity token expiry validation and session timeout association, please check out the updated PR description for more detail.
I did not test it and I really miss automatic tests here, but the code looks good.
If it was tested manually - could you instruct anyone in the team to verify it once more? Or could @sharpedavid confirm that it works as expected?

Hi @dmatej I'm happy to test it, but I don't know how to build Payara from source. Do you have a guide? After I have that, I can easily test it. I would use Keycloak as the OpenID Provider, and I have a sample application ready.
If you have Linux, JDK8, Maven and Docker installed, you can run this to get all artifacts at once. On my machine it takes some 8 minutes:
If you need only payara.zip and no embedded, docker containers etc., you can run this (takes only 2 minutes):
In both cases the Payara Server zip file will be in On Windows and Mac it should be similar.

Thanks @dmatej I'm going to try this now and tomorrow.
...security-openid/src/main/java/fish/payara/security/openid/OpenIdAuthenticationMechanism.java
I ran a few ad hoc tests. I was not exhaustive. Everything I tried worked. I didn't test

Environment

Test 1: PASS

I refresh the page every 5 seconds. When the access token expires, it's refreshed and the user is not signed out. If I wait three minutes and the refresh token expires, then refresh the page, the user is signed out. The user is also signed out at the OP, which means

Test 2: PASS

Works as expected. User is signed out on RP, but not OP.

Test 3: PASS

Tokens are never refreshed! I found this surprising and commented on it in the code.

Question

As described above, the automatic logout functionality is working. Can I trigger a programmatic logout? My test application has a "Logout" button, and I want it to do the same thing as the automatic logout: logout of the RP and the OP if

Glossary

Thank you for this new feature! It seems to be working well.
Signed-off-by: Gaurav Gupta <gaurav.gupta@payara.fish>
Hi @sharpedavid , Thanks for your valuable feedback and time, I have added the programmatic logout feature via
No problem @jGauravGupta . Please let me know if you want me to re-test the new features. I don't know if that Jenkins failure is important.

Hi @sharpedavid , I have tested the feature on Azure OIDC provider. The Jenkins issue is not related to this PR.

jenkins test please
Description
This is a feature to validate the Access Token and/or Identity Token expiry and set the correct expiry datatype. It also provides the support for end_session_endpoint to redirect the User-Agent to the OP logout page after the logout from the RP application.

To enable the validation, add the @LogoutDefinition to @OpenIdAuthenticationDefinition or the respective provider annotation:

end_session_endpoint
authorization_endpoint for re-authentication.

Programmatic logout:

Programmatic logout feature via the OpenIdContext#logout() function, which invalidates the RP's active OpenId Connect session and, if fish.payara.security.annotations.LogoutDefinition#notifyProvider is set to true, then redirects the End-User's User Agent to the end_session_endpoint to notify the OP that the user has logged out of the RP's application and ask the user whether they want to log out from the OP as well. After successful logout, the End-User's User Agent redirects back to the RP's post_redirect_uri configured via fish.payara.security.annotations.LogoutDefinition#redirectURI.
Related PRs
payara/ecosystem-security-connectors#24
Testing
Testing Performed
Manually tested with Google and Azure OIDC providers.
The @LogoutDefinition#notifyProvider feature was tested on the Azure OIDC provider, as end_session_endpoint is not available in the Google OIDC provider metadata.
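An added example of wiring the feature the description above introduces, written for this page and not taken from the PR or from Payara's sources: the provider annotation carries a @LogoutDefinition with notifyProvider and redirectURI, and a servlet calls OpenIdContext#logout(). The issuer URL, client id, client secret and the /logout and /loggedout paths are placeholders; the accessTokenExpiry and identityTokenExpiry attribute names and the logout(request, response) parameter list are assumed from the released Payara API rather than shown on this page.

```java
import java.io.IOException;
import javax.inject.Inject;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import fish.payara.security.annotations.LogoutDefinition;
import fish.payara.security.annotations.OpenIdAuthenticationDefinition;
import fish.payara.security.openid.api.OpenIdContext;

// Example wiring (not the PR's own code). Values marked "placeholder" are
// constructed for this example; the expiry attribute names are assumed.
@OpenIdAuthenticationDefinition(
        providerURI = "https://op.example.test",        // placeholder OP issuer; discovery supplies end_session_endpoint
        clientId = "example-client-id",                  // placeholder
        clientSecret = "example-client-secret",          // placeholder; supply from configuration, not source, in a real app
        redirectURI = "${baseURL}/Callback",             // adapter's callback after authentication
        logout = @LogoutDefinition(
                notifyProvider = true,                   // after the RP logout, redirect to the OP's end_session_endpoint
                redirectURI = "${baseURL}/loggedout",    // post_redirect_uri the OP sends the user agent back to
                accessTokenExpiry = true,                // assumed attribute: end the RP session when the access token expires
                identityTokenExpiry = true               // assumed attribute: end the RP session when the ID token expires
        )
)
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Inject
    private OpenIdContext openIdContext;

    // Logout is accepted only on POST from the application's own form: a logout that
    // fires on a plain GET could be triggered by any cross-site link or image tag.
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Invalidates the RP's OpenId Connect session; with notifyProvider = true the
        // adapter then redirects the user agent to the OP's end_session_endpoint and,
        // once the OP is done, the OP returns the user agent to the configured redirectURI.
        openIdContext.logout(request, response);
    }

    // A GET of /logout renders nothing and does not log the user out.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

The "Logout" button from the test report above would then be a small form posting to /logout. With a provider whose metadata lacks end_session_endpoint (the description notes Google's does not), notifyProvider has nothing to redirect to, so only the RP session is ended; that matches the Test 2 observation of being signed out on the RP but not the OP.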