By: Praveen Srinivasan user 28 Jan 2018 at 11:30 p.m. CST

12 Responses

User logged in to an OpenID Connect RP (or more) with a registered logout URL at the OP.

Calling the OpenID Connect end_session logout URL with the id_token_hint BEFORE session timeout

If I call the above URL, Gluu is still logged in.

I've just tried to view the Gluu server. It is still logged in.

When I go through the server I can see JSESSIONID is set in cookies. If I clear the JSESSIONID it is logged out. But when I call the end_session URL with id_token_hint and post_logout_redirect_uri, it is still logged in in the new tab.

But I can see the "Logout requests sent" screen after logging out.

By Yuriy Zabrovarnyy staff 29 Jan 2018 at 3:04 a.m. CST

OP is tracking the session by the session_id cookie. Would you be so kind to provide:

  1. The oxauth.log file (make sure TRACE logging is on, so we can see verbose logging)?
  2. Would you please check that your Connect RP handles logout_uri and logs itself out when it is called?

Thanks, Yuriy Z

By Praveen Srinivasan user 29 Jan 2018 at 3:10 a.m. CST


When I call end_session it automatically removes the session_id cookie. But session_state and JSESSIONID are not cleared. And I'm also providing the logout URI when calling end_session.

The sample URL looks like this:

https://auth_server/oxauth/restv1/end_session?id_token_hint=asdf456asd456fasd456fas456fsd456f456asdf&post_logout_redirect_uri=http%3A%2F%2F192.168.1.1%3A3000

And I'll also send the oxauth.log file soon.

By Yuriy Zabrovarnyy staff 29 Jan 2018 at 3:32 a.m. CST


I assume you stick to front channel logout, is it correct?

If yes, then would you be so kind to check whether your RP logs itself out when frontchannel_logout_uri is hit?

According to specification

http://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout

OP removes only the OP session; it is the RP's responsibility to drop its own session (if it has one). Hopefully the oxauth.log file will help to clarify the situation. In addition, please give the client LDIF, so we can check the data for it.

Thanks, Yuriy

By Praveen Srinivasan user 29 Jan 2018 at 3:50 a.m. CST

I am using oidc-client.js for OpenID Connect.

Here is the configuration of the User Manager.

const userManagerConfig = {
  userStore: new WebStorageStateStore({ store: window.localStorage }),
  client_id: process.env.REACT_APP_OAUTH_CLIENT_ID,
  post_logout_redirect_uri: `${window.location.protocol}//${window.location.hostname}${window.location.port ? `:${window.location.port}` : ''}`,
  client_frontchannel_logout_uris: `${window.location.protocol}//${window.location.hostname}${window.location.port ? `:${window.location.port}` : ''}/renew/silent_renew.html`,
  redirect_uri: `${window.location.protocol}//${window.location.hostname}${window.location.port ? `:${window.location.port}` : ''}/oauth/callback`,
  silent_redirect_uri: `${window.location.protocol}//${window.location.hostname}:${window.location.port}/renew/silent_renew.html`,
  response_type: 'token id_token', //
  scope: process.env.REACT_APP_OAUTH_SCOPE,
  nonce: process.env.REACT_APP_OAUTH_NONCE,
  acr_values: process.env.REACT_APP_OAUTH_ACR,
  authority: process.env.REACT_APP_OAUTH_SERVER,
  automaticSilentRenew: true,
  accessTokenExpiringNotificationTime: process.env.REACT_APP_OAUTH_EXPIRY_CHECK,
  revokeAccessTokenOnSignout: true,
};

I've also checked the oxauth.log file. It only logged INFO for Authentication Success. I don't see any logout log.

By Yuriy Zabrovarnyy staff 29 Jan 2018 at 4:48 a.m. CST

I'm not familiar with this library.

  1. Would you be so kind to show the source code of your frontchannel_logout_uri handler? If I understood the configuration correctly, you have the handler on /renew/silent_renew.html, right?
  2. Please turn on TRACE logging and then try again. See documentation https://gluu.org/docs/ce/3.1.2/operation/logs/#log-levels

Thanks, Yuriy

By Praveen Srinivasan user 29 Jan 2018 at 5:04 a.m. CST

I really thank you for your kind reply.

I didn't manage any handler in the OAuth server; I've just configured it.

On my client side I'm just calling the above URL as I mentioned in my 2nd reply.

When I try to log in I finally get the log below:

2018-01-29 11:01:54,059 INFO  [qtp212628335-14] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:342) - Authentication success for User: 'PRAVEEN'

When I call logout I only get the one below:

2018-01-29 11:02:08,214 INFO  [qtp212628335-14] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:205) - Authentication success for Client: 'CLIENT_ID'

Update 2:

renew/silent_renew.html is for silent refresh of the access token.

By Yuriy Zabrovarnyy staff 29 Jan 2018 at 5:20 a.m. CST

  1. You need a logout handler on the RP which listens on frontchannel_logout_uri. It is RP code (not OAuth server).
  2. It seems you still have the logger on INFO level; please follow the documentation I sent in the previous comment. In the logs you should see something like "Attempting to end session". And please give me the full oxauth.log file so I can see the full picture.
  3. Please provide the LDIF of your client.

Thanks, Yuriy Z
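The point Yuriy makes in this thread is that the OP (Gluu) only ends its own session; the RP must drop its local session when the OP hits the registered frontchannel_logout_uri. The following is an added example of such an RP-side handler, not code from the thread, from Gluu or from oidc-client.js. It follows OpenID Connect Front-Channel Logout 1.0, where the OP may append `iss` and `sid` query parameters to the logout URL so the RP can verify that the request is for the expected issuer and the current session before clearing anything. The storage key names, the `https://auth_server` issuer value and the in-memory storage stand-in are assumptions constructed for this example.

```javascript
// Added example: RP-side front-channel logout handler for OpenID Connect.
// The OP loads the RP's frontchannel_logout_uri (e.g. in a hidden iframe)
// when the user logs out at the OP. The OP only ends its own session, so this
// page must drop the RP's local session and cached tokens. When the OP sends
// `iss` and `sid`, both must match the stored session; otherwise the request
// is ignored, so a logout iframe from another issuer or for another session
// cannot clear this RP's state.
//
// Storage is injected so the same logic runs in a browser (window.localStorage)
// and under a plain Node harness. Key names are assumptions for this example.

const SESSION_KEY = "rp.session";         // constructed key name
const ACCESS_TOKEN_KEY = "rp.access_token"; // constructed key name
const ID_TOKEN_KEY = "rp.id_token";       // constructed key name

// Parse the query string the OP appended to the logout URL.
function parseLogoutParams(queryString) {
  const params = new URLSearchParams(queryString);
  return { iss: params.get("iss"), sid: params.get("sid") };
}

// Decide whether the incoming logout request applies to the stored RP session.
// Returns "no-session", "issuer-mismatch", "sid-mismatch" or "match".
function classifyLogoutRequest(params, session, expectedIssuer) {
  if (!session) return "no-session";
  // iss/sid are optional in the spec; when present they must match exactly.
  if (params.iss !== null && params.iss !== expectedIssuer) return "issuer-mismatch";
  if (params.sid !== null && params.sid !== session.sid) return "sid-mismatch";
  return "match";
}

// Handler body: load the session record, verify the request, clear RP state.
function handleFrontChannelLogout(queryString, storage, expectedIssuer) {
  const raw = storage.getItem(SESSION_KEY);
  const session = raw ? JSON.parse(raw) : null;
  const verdict = classifyLogoutRequest(parseLogoutParams(queryString), session, expectedIssuer);
  if (verdict === "match") {
    // Drop everything tied to the user so the RP is really logged out.
    storage.removeItem(SESSION_KEY);
    storage.removeItem(ACCESS_TOKEN_KEY);
    storage.removeItem(ID_TOKEN_KEY);
  }
  return verdict;
}

// Minimal in-memory stand-in with the Web Storage get/set/remove API,
// so the handler can be exercised outside a browser.
function memoryStorage(initial = {}) {
  const data = { ...initial };
  return {
    getItem: (k) => (k in data ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
    removeItem: (k) => { delete data[k]; },
  };
}

// Browser entry point: run when the OP loads frontchannel_logout_uri.
// The issuer value is an assumption; use the OP's real `iss` from discovery.
if (typeof window !== "undefined" && typeof window.localStorage !== "undefined") {
  handleFrontChannelLogout(window.location.search, window.localStorage, "https://auth_server");
}
```

In this thread the RP's frontchannel_logout_uri points at the silent-renew page, which only refreshes tokens; a page like the one above would instead need to be served at that URL so the RP session is actually dropped when Gluu calls it. The `sid` stored in the session record should be the `sid` claim from the ID token the RP received at login, so that a logout request for one session cannot clear another.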

By William Lowe staff 29 Jan 2018 at 9:11 a.m. CST


I am using oidc-client.js for Open ID Connect.

This is not one of our supported OpenID Connect clients. Please review the list of supported clients in the integration guide.

Thanks,
Will

By Aliaksandr Samuseu staff 29 Jan 2018 at 8:21 p.m. CST

I've done some testing of the /oxauth/end_session endpoint, and it seems to work as intended to me. Here are the API highlights for its parameters; maybe Praveen submitted some of them wrong. oxauth.log may also contain clues on what went wrong.

By Praveen Srinivasan user 30 Jan 2018 at 1:37 a.m. CST

Here is my full log for a particular time. I've done a logout and login request in this time.

And here is my exact end session URI

https://auth_server/oxauth/restv1/end_session?id_token_hint=asdf456asd456fasd456fas456fsd456f456asdf&post_logout_redirect_uri=http%3A%2F%2F192.168.1.1%3A3000

Here is the LOG (from pastebin)

https://pastebin.com/dCpjADLV

By William Lowe staff 30 Jan 2018 at 8:30 a.m. CST

For future reference, please submit such logs as pastebin links, etc. We cannot efficiently understand this type of log dump on our forum.

By Praveen Srinivasan user 31 Jan 2018 at midnight CST

Sorry for the raw text.

Here is the pastebin link of the logs.

I don't see any "Attempting to end session" log here.

LOG FILE