By: Ernst Arnold user 16 Oct 2016 at 10:54 p.m. CDT

4 Responses
Hi,

The RP is not able to terminate the session on the OP.

```
/opt/tomcat/logs# tail -f wrapper.log
INFO | jvm 1 | 2016/10/17 02:17:23 | 2016-10-17 02:17:23,683 ERROR [xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl] session_state is not passed to endpoint (as cookie or manually). Therefore unable to match clients for session_state.Http based html will contain no iframes.
```

This error is reported when the RP sends a request according to https://www.gluu.org/docs/api/oic-end-session/. However, it uses the URI from discovery:

```
oid.provider.config.raw["end_session_endpoint"]
```

and

```
my_params = {id_token_hint: oid.id_token, post_logout_redirect_uri: redir, state: 'something387', session_id: session[:session_id]}
```

which in my case is something like:

```
{:id_token_hint=> "eyJraWQiOiI1Mz<...>EyNEEhMDAwMSFBQzhCLjRERUIhMDAwMCExMkQ0LkRFQUYifQ.ja1P1MZAQU_HJw1QniTSeHd1QSfIfJTrSMzuqpXKb91UGfx_n8k1HIiUHUhD5c6KCboTtXevgV38hWCJDezb6pIpBdDYFr1y9UAQI-U<...>MW-RUx19sJe9UG48E4NxYvV-6xV4iRCbyRfaR<...>WPAQL7x65wB7BxpGBLJmdSe6bQ", :post_logout_redirect_uri=>"https://<RP-fqdn>/destroy_devise_session", :state=>"something387", :session_id=>"3f2f8b2ca10824be1ccf90c60098822e"}
```

It looks like the session_id gets lost. The error message comes from https://github.com/GluuFederation/oxAuth/blob/master/Server/src/main/java/org/xdi/oxauth/session/ws/rs/EndSessionRestWebServiceImpl.java#L72

Thanks
Ernst

Ubuntu 16.04.1 LTS
Gluu Identity Appliance 2.4.4.sp1

By Ernst Arnold user 17 Oct 2016 at 9:13 a.m. CDT

Hi,

The client is registered with the OP:

```
/opt/opendj/bin/ldapsearch -h localhost -p 1636 -Z -X -D "cn=directory manager" -j ~/.pw -b "o=gluu" 'inum=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0008!F56D.A8EF'
```

```
dn: inum=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0008!F56D.A8EF,ou=clients,o=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB,o=gluu
objectClass: oxAuthClient
objectClass: top
objectClass: oxAuthClientCustomAttributes
oxAuthRegistrationAccessToken: abb1eef1-ae99-44ae-b8c8-8c227382573b
oxAuthScope: inum=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0009!F0C4,ou=scopes,o=@!A81A.15E8.A8C3.124A!0001!AC8B.4DEB,o=gluu
oxLastLogonTime: 20161017140150.182Z
oxAuthPostLogoutRedirectURI: https://<RP-fqdn>/destroy_devise_session
oxAuthAppType: web
oxAuthClientIdIssuedAt: 20161017135244.843Z
oxAuthClientSecretExpiresAt: 20161018135200.000Z
oxLastAccessTime: 20161017140150.182Z
oxAuthRedirectURI: https://<RP-fqdn>:3000/providers/3/open_id?locale=en
oxAuthRedirectURI: https://<RP-fqdn>:3000/providers/3/open_id
oxAuthResponseType: code
oxAuthTokenEndpointAuthMethod: client_secret_basic
displayName: Registration RP
oxAuthRequireAuthTime: false
oxAuthClientSecret: CbxBNMg.....4wBitNGQ==
oxAuthLogoutSessionRequired: false
oxPersistClientAuthorizations: false
inum: @!A81A.15E8.A8C3.124A!0001!AC8B.4DEB!0008!F56D.A8EF
oxAuthTrustedClient: false
oxAuthIdTokenSignedResponseAlg: RS256
oxAuthSubjectType: public
```

By Ernst Arnold user 18 Oct 2016 at 2:35 p.m. CDT

I am not sure where I go wrong and appreciate any help. In https://www.gluu.org/docs/api/oic-end-session/ the parameter is named session_id; I tried naming it session_state instead, which did not help. Also, I am not sure how to verify that the value of the session_id I provide is correct.

Thank you
Ernst

By Aliaksandr Samuseu staff 18 Oct 2016 at 7:41 p.m. CDT

Hi, Ernst. Please refer to the [original spec](http://openid.net/specs/openid-connect-session-1_0.html) on session management in OIDC. You are right, previously Gluu used `session_id` instead of `session_state`, which is corrected now.

By Ernst Arnold user 19 Oct 2016 at 9:50 p.m. CDT

Hi Aliaksandr,

Thanks for the reference. In the authorisation request the RP now adds

```
request_session_state => true
```

Then, in the callback, the RP gets the session_state from the OP, which it stores. Then in the end_session request the RP can send it back to the OP, and the OP ends the session without asking the end user again.

For me this works, so I close the ticket.

Thank you
Ernst
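The RP-side flow the thread arrives at (ask for `session_state` in the authorization request, keep the value returned in the callback, send it as `session_state`, not `session_id`, in the end_session request), as an added example that is not part of this ticket or of Gluu's own code. The OP hostname, client id and token values are constructed; `request_session_state` is used exactly as the thread reports it.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed stand-in for the OP's discovery document; only the key the RP needs here.
DISCOVERY = {"end_session_endpoint": "https://op.example/oxauth/end_session"}


def authorization_params(client_id, redirect_uri, state, scope="openid"):
    """Authorization request parameters. request_session_state asks the OP to
    return session_state in the callback (the parameter named in the thread)."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "request_session_state": "true",
    }


def parse_callback(callback_url, expected_state):
    """Parse the OP's redirect back to the RP and keep the session_state it carries.
    Rejects a state mismatch and a callback with no session_state, since without
    it the OP cannot match the session at logout (the error seen in the ticket)."""
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch on callback")
    if "session_state" not in q:
        raise ValueError("OP returned no session_state; RP-initiated logout cannot be matched")
    return {"code": q["code"][0], "session_state": q["session_state"][0]}


def build_end_session_url(discovery, id_token, post_logout_redirect_uri, session_state, state):
    """Build the RP-initiated logout redirect using the discovered end_session_endpoint.
    The parameter is session_state (not session_id), so the OP can find the session
    and end it without prompting the end user again."""
    if not session_state:
        raise ValueError("session_state is required")
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
        "session_state": session_state,
    }
    return discovery["end_session_endpoint"] + "?" + urlencode(params)
```

The `post_logout_redirect_uri` must still be one of the values registered on the client (oxAuthPostLogoutRedirectURI above), or the OP will not redirect back after logout.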