Fix federated IdP logout #425
Conversation
| @@ -690,7 +690,7 @@ | |||
| %> | |||
| <td> | |||
| <button type="button" class="button" | |||
| onclick="document.location.href='<%=(String)session.getAttribute(OAuth2Constants.OIDC_LOGOUT_ENDPOINT)%>';"> | |||
| onclick="document.location.href='<%=(String)session.getAttribute(OAuth2Constants.OIDC_LOGOUT_ENDPOINT)%>?post_logout_redirect_uri=<%=ApplicationConfig.getPostLogoutRedirectUri()%>&client_id=<%=(String)session.getAttribute(OAuth2Constants.CONSUMER_KEY)%>';"> | |||
There was a problem hiding this comment.
What will happen if these params empty?
There was a problem hiding this comment.
If the post redirect uri and the client id/id token hint (as per the updated flow) are both empty, federated IdP logout will not be possible and the playground app will only log out of the Identity Server.
oauth2/playground2/src/main/org/wso2/sample/identity/oauth2/ApplicationConfig.java
Outdated
Show resolved
Hide resolved
| @@ -687,10 +687,16 @@ | |||
| <td><input type="submit" name="authorize" value="Get Access Token"></td> | |||
| <% | |||
| if (isOIDCLogoutEnabled) { | |||
| String logout_url = (String)session.getAttribute(OAuth2Constants.OIDC_LOGOUT_ENDPOINT) + "?post_logout_redirect_uri=" + ApplicationConfig.getPostLogoutRedirectUri(); | |||
There was a problem hiding this comment.
if we haven't configure PostLogoutRedirectUri what will be the behaviour? Ideally if it is empty we should redirect to default logout page right?
There was a problem hiding this comment.
At the moment, the post_logout_redirect_uri parameter is included in the logout request regardless of whether the "PostLogoutRedirectUri" config is provided or not. Therefore, if the "PostLogoutRedirectUri" config is empty, the parameter post_logout_redirect_uri will be included in the request without a value, for example https://<host>:<port>/oidc/logout?post_logout_redirect_uri=&client_id=<client_id_value>.
If either the client id or token id hint is available, but the post_logout_redirect_uri parameter is empty like https://<host>:<port>/oidc/logout?post_logout_redirect_uri=&client_id=<client_id_value>, logout from the Identity Server and federated IdP will be possible, but upon logout, an error like the one given below will be displayed in the browser.
"traceId": "<trace-id>",
"code": 401,
"description": "Authorization failure. Authorization information was invalid or missing from your request.",
"message": "Unauthorized"
}
However, if neither the client id nor token id hint are available and the post_logout_redirect_uri parameter is empty as well, the logout request will be in the format https://<host>:<port>/oidc/logout?post_logout_redirect_uri=. Here, the browser will be redirected to the default logout page upon logout. (Note that due to the lack of the client id/token id hint, only Identity Server logout will be possible, while federated IdP will not be possible.)
This will be fixed by conditionally adding the post_logout_redirect_uri parameter to the logout request only if the "PostLogoutRedirectUri" is configured, for example like https://<host>:<port>/oidc/logout?client_id=<client_id_value> or https://<host>:<port>/oidc/logout?token_id_hint=<token_id_hint>, in which case the browser will be redirected to the default logout page.
There was a problem hiding this comment.
This has been fixed as mentioned in the above comment; if the PostLogoutRedirectUri config is empty, the post_logout_redirect_uri parameter will not be included and the browser will be redirected to the default logout page.
| if (StringUtils.isNotBlank(idToken)) { | ||
| logout_url+= "&id_token_hint=" + idToken; | ||
| } else { | ||
| logout_url+= "&client_id=" + (String)session.getAttribute(OAuth2Constants.CONSUMER_KEY); |
There was a problem hiding this comment.
If client id and idTokenHint both not available what will happen?
There was a problem hiding this comment.
If neither the client id nor the id token hint are available, only Identity Server logout will be possible, while federated IdP logout will not as it is dependent on these values to identify the relying party and the browser will be redirected to the default logout page.
There was a problem hiding this comment.
However, the client id is expected to be available in all the logout flows as this value is provided prior to login in the relevant grant types.
Purpose
The playground app was not able to logout of federated IdPs previously. This PR fixes the issue and allows federated IdP logout. This is done by passing the id token hint as a logout parameter if it is not null or empty. However, if it is null or empty, the client id will be passed instead.
In the authorization code grant type flow, after logging in and prior to getting the access token, the id token hint will be not be available as is the expected behaviour. Therefore, the client id will be used in logout, which is only supported in IS version 6.0 onwards as of now. To enable client id logout in versions 6.0 and 6.1, add the following configurations to the deployment.toml file.
Goals
Fix federated IdP logout in the playground app.
Approach
Updates the logout request to include the id token hint or client id as a parameter.
Related Issues