By: Josh Newlin user 22 Jun 2018 at 12:48 p.m. CDT

5 Responses
Hey guys,

We've been experiencing some inconsistencies when hitting the end_session endpoint for logging out users. One example is passing a post_logout_redirect_uri: the first GET returns a `{"error": "post_logout_uri_not_associated_with_client", "error_description": "The provided post logout uri is not associated with client."}`. Now I know this error is because I don't have the URL we're inputting in the OpenID Connect Client's post logout redirect URIs field. However, when passing the same request again, it returns a successful request. Another example of this inconsistency is getting success messages for tokens that are invalid. Using id_token_hint=undefined, for example, returns a 200 success. We've also experienced some inconsistency with the error, similar to the first example, of "post_logout_redirect_uri not included", even though the documentation says that it's not required. Then pushing the same exact request again, it succeeds and properly terminates the session. Any ideas of what we could be doing wrong or what could be fixed?

Thanks, Josh N.

By Aliaksandr Samuseu staff 22 Jun 2018 at 1:05 p.m. CDT

Hi, Josh. At least some of those are a [known issue](https://github.com/GluuFederation/oxAuth/issues/831) and we are looking into it. Thank you for letting us know anyway. We would like to know more about this part, though:

> One example is passing a post_logout_redirect_uri, the first GET returns a {"error": "post_logout_uri_not_associated_with_client", "error_description": "The provided post logout uri is not associated with client."}.
> However, when passing the same request again, it returns a successful request.

Could you please provide more detailed reproduction steps?

By Michael Schwartz Account Admin 22 Jun 2018 at 1:05 p.m. CDT

Yuriy, can you take a look at this, and open an issue in Github if you agree it's a bug?

By Yuriy Zabrovarnyy staff 25 Jun 2018 at 7:56 a.m. CDT

Hi Josh,

What version of CE do you use? This ticket is tagged with CE 3.1.2, so I assume you are using CE 3.1.2. According to the 3.1.2 source, `post_logout_redirect_uri` is always validated; look at lines [122-124](https://github.com/GluuFederation/oxAuth/blob/1799069749d159f7da1987c9a8ce1863d6df3ea2/Server/src/main/java/org/xdi/oxauth/session/ws/rs/EndSessionRestWebServiceImpl.java#L122). If on request 1 you got `post_logout_uri_not_associated_with_client`, then on request 2 you would still get the same error `post_logout_uri_not_associated_with_client`, or otherwise possibly `invalid_grant_and_session`. At least from the code it's hard to imagine a successful redirect back. How would it pass validation? Unless you manually fixed `post_logout_redirect_uri` inside the client between request 1 and request 2.

Therefore, would you be so kind as to:

1. provide `oxauth.log` (in TRACE log level)
2. confirm you are using 3.1.2
3. record your HTTP request and response, so we can investigate in detail.

Thanks, Yuriy Z
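The validation rule described above (a supplied `post_logout_redirect_uri` must exactly match one registered on the client, and a malformed `id_token_hint` such as the literal `undefined` must be rejected rather than answered with a 200), as an added illustration in Python; this is hypothetical code, not oxAuth's implementation, and it assumes a single-string `aud` claim and a constructed client registry.

```python
import base64
import json
import time

# Constructed client registry for the example (hypothetical, not Gluu's data model).
CLIENTS = {
    "client-abc": {"post_logout_redirect_uris": ["https://rp.example/loggedout"]},
}

def _jwt_payload(token):
    """Decode the payload of a compact JWS. Signature verification is left to a
    real JWT library; this only checks structure and extracts the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        seg = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
        return json.loads(base64.urlsafe_b64decode(seg))
    except ValueError:                                  # bad base64 or bad JSON
        return None

def constructed_hint(claims):
    """Build a structurally valid, unsigned token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + ".sig"

def validate_end_session(params, clients=CLIENTS, now=None):
    """Return (ok, error_code) for an end_session request.
    - id_token_hint is required here so the logout can be tied to a client.
    - post_logout_redirect_uri is optional; when present it must exactly match
      a URI registered on that client (no prefix, wildcard or normalisation)."""
    now = time.time() if now is None else now
    hint = params.get("id_token_hint")
    claims = _jwt_payload(hint) if hint else None
    if not claims or claims.get("exp", 0) <= now:
        return False, "invalid_grant_and_session"
    client = clients.get(claims.get("aud"))
    if client is None:
        return False, "invalid_grant_and_session"
    uri = params.get("post_logout_redirect_uri")
    if uri is not None and uri not in client["post_logout_redirect_uris"]:
        return False, "post_logout_uri_not_associated_with_client"
    return True, None
```

Re-sending the same request with the same inputs gives the same result each time; a second request only succeeds if the registered URIs or the hint actually changed in between.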

By Josh Newlin user 25 Jun 2018 at 8:21 a.m. CDT

Hey,

So I was relaying the information a client was feeding me while they were testing. I don't think the success after the failure when dealing with the error of "post_logout_redirect_uri_not_associated_with_client" is happening, actually. So, this does not seem to be a problem. The problem still persists in the known bug, as you guys have said, with getting the "post_logout_redirect_uri_not_included", etc.

Thanks, Josh N.

By Yuriy Zabrovarnyy staff 25 Jun 2018 at 8:35 a.m. CDT

At least now we know that it is consistent. Yes, we have to improve the end_session validator and messages, which seem to bring confusion (as described in detail in our [well known ticket](https://github.com/GluuFederation/oxAuth/issues/831)).

Thanks, Yuriy Z