By: Praveen Srinivasan user 28 Jan 2018 at 11:30 p.m. CST

12 Responses
A user is logged in to an OpenID Connect RP (or more than one) with a registered logout URL at the OP. I call the OpenID Connect `end_session` logout URL with the `id_token_hint` BEFORE the session times out. If I call the above URL, Gluu is still logged in. I've just tried to view the Gluu server and it still logs in. When I go through the server I can see that **JSESSIONID** is set in the cookies. If I clear the **JSESSIONID**, it is logged out. But when I call the `end_session` URL with `id_token_hint` and `post_logout_redirect_uri`, it is still logged in in the new tab. I can, however, see the **Logout requests sent** screen after logging out.

By Yuriy Zabrovarnyy staff 29 Jan 2018 at 3:04 a.m. CST

The OP is tracking the session by the `session_id` cookie. Would you be so kind as to provide:

1. The `oxauth.log` file (make sure TRACE logging is on, so we can see verbose logging)?
2. Would you please check whether your Connect RP handles `logout_uri` and logs itself out when it is called?

Thanks, Yuriy Z

By Praveen Srinivasan user 29 Jan 2018 at 3:10 a.m. CST

When I call `end_session`, it automatically removes the **session_id** cookie. But **session_state** and **JSESSIONID** are not cleared. I am also providing the logout URI when calling `end_session`. The sample URL looks like this:

```
https://auth_server/oxauth/restv1/end_session?id_token_hint=asdf456asd456fasd456fas456fsd456f456asdf&post_logout_redirect_uri=http%3A%2F%2F192.168.1.1%3A3000
```

I'll also send the `oxauth.log` file soon.

By Yuriy Zabrovarnyy staff 29 Jan 2018 at 3:32 a.m. CST

I assume you are using front-channel logout, is that correct? If yes, then would you be so kind as to check whether your RP logs itself out when `frontchannel_logout_uri` is hit? According to the specification (`http://openid.net/specs/openid-connect-frontchannel-1_0.html#OPLogout`) the OP removes only the OP session; it is the responsibility of the RP to drop its own session (if it has one). Hopefully the `oxauth.log` file will help to clarify the situation. In addition, please give the client LDIF, so we can check the data for it. Thanks, Yuriy

By Praveen Srinivasan user 29 Jan 2018 at 3:50 a.m. CST

I am using oidc-client.js for OpenID Connect. Here is the configuration of the UserManager:

```javascript
// Base URL of the RP (scheme://host[:port]), computed once so that every
// redirect URI below is built from the same origin. The original
// silent_redirect_uri appended ":" + port unconditionally, which yields
// "host:" when the port is empty; it now uses the same conditional form.
const origin = `${window.location.protocol}//${window.location.hostname}${window.location.port ? `:${window.location.port}` : ''}`;

const userManagerConfig = {
  userStore: new WebStorageStateStore({ store: window.localStorage }),
  client_id: process.env.REACT_APP_OAUTH_CLIENT_ID,
  post_logout_redirect_uri: origin,
  // Front-channel logout URI is pointed at the silent-renew page.
  client_frontchannel_logout_uris: `${origin}/renew/silent_renew.html`,
  redirect_uri: `${origin}/oauth/callback`,
  silent_redirect_uri: `${origin}/renew/silent_renew.html`,
  response_type: 'token id_token',
  // scope: process.env.REACT_APP_OAUTH_SCOPE,
  nonce: process.env.REACT_APP_OAUTH_NONCE,
  acr_values: process.env.REACT_APP_OAUTH_ACR,
  authority: process.env.REACT_APP_OAUTH_SERVER,
  automaticSilentRenew: true,
  accessTokenExpiringNotificationTime: process.env.REACT_APP_OAUTH_EXPIRY_CHECK,
  revokeAccessTokenOnSignout: true,
};
```

I've also checked the `oxauth.log` file. It only logs INFO for Authentication Success. I don't see any logout log.

By Yuriy Zabrovarnyy staff 29 Jan 2018 at 4:48 a.m. CST

I'm not familiar with this library.

1. Would you be so kind as to show the source code of your `frontchannel_logout_uri` handler? If I read the configuration correctly, you have the handler on `/renew/silent_renew.html`, right?
2. Please turn on TRACE logging and then try again. See the documentation: `https://gluu.org/docs/ce/3.1.2/operation/logs/#log-levels`

Thanks, Yuriy

By Praveen Srinivasan user 29 Jan 2018 at 5:04 a.m. CST

**I really thank you for your kind reply.** I didn't set up any handler in the OAuth server; I've just configured it. On my client side I'm just calling the URL I mentioned in my 2nd reply. When I try to log in, I finally get the log below:

```
2018-01-29 11:01:54,059 INFO [qtp212628335-14] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:342) - Authentication success for User: 'PRAVEEN'
```

When I call logout, I only get the following:

```
2018-01-29 11:02:08,214 INFO [qtp212628335-14] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:205) - Authentication success for Client: 'CLIENT_ID'
```

Update 2: `renew/silent_renew.html` is for silent refresh of the access token.

By Yuriy Zabrovarnyy staff 29 Jan 2018 at 5:20 a.m. CST

1. You need a logout handler on the RP which listens on `frontchannel_logout_uri`. It is RP code (not OAuth server code).
2. It seems you still have the logger on INFO level; please follow the documentation I sent in the previous comment. In the logs you should see something like `Attempting to end session`. And please give me the full `oxauth.log` file so I can see the full picture.
3. Please provide the LDIF of your client.

Thanks, Yuriy Z

By William Lowe user 29 Jan 2018 at 9:11 a.m. CST

> I am using oidc-client.js for OpenID Connect.

This is not one of our supported OpenID Connect clients. Please review the list of supported clients in the [integration guide](https://gluu.org/docs/ce/integration/). Thanks, Will

By Aliaksandr Samuseu staff 29 Jan 2018 at 8:21 p.m. CST

I've done some testing of the `/oxauth/end_session` endpoint, and it seems to work as intended to me. Here are the [API highlights](https://gluu.org/docs/ce/3.1.2/api-guide/openid-connect-api/#requestendsession) for its parameters; maybe Praveen submitted some of them incorrectly. `oxauth.log` may also contain clues on what went wrong.
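The two RP-side pieces discussed in this thread, Yuriy's point that the OP only drops its own session and the RP must handle its `frontchannel_logout_uri` itself, and the `end_session` request parameters Aliaksandr links to, as an added example. This is not code from the thread, from Gluu or from oidc-client.js. It is plain JavaScript runnable under Node: `buildEndSessionUrl` assembles the RP-initiated logout request with `id_token_hint` and `post_logout_redirect_uri` properly URL-encoded, and `handleFrontChannelLogout` is what a front-channel logout handler has to do when the OP's logout page loads it: check any `iss`/`sid` the OP sends against the session the RP stored at login, then destroy the RP's own session. `SessionStore`, `demo` and the issuer/RP hosts are hypothetical placeholders, and the ID token in `demo` is a constructed unsigned sample, not a real Gluu token.

```javascript
// Added example: RP-initiated logout request + front-channel logout handler.
// Hypothetical names throughout; hosts are placeholders, not the thread's servers.

// OpenID Connect RP-Initiated Logout: the URL the RP sends the browser to.
// URLSearchParams percent-encodes ':' and '/' in post_logout_redirect_uri,
// which is the encoding the thread's example URL shows.
function buildEndSessionUrl(endSessionEndpoint, idToken, postLogoutRedirectUri, state) {
  const url = new URL(endSessionEndpoint);
  url.searchParams.set('id_token_hint', idToken);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (state) url.searchParams.set('state', state);
  return url.toString();
}

// Minimal in-memory RP session store, standing in for the RP's own cookie or
// localStorage-backed session (the thing the OP cannot clear for you).
class SessionStore {
  constructor() { this.sessions = new Map(); }
  create(sessionId, { iss, sid, sub }) { this.sessions.set(sessionId, { iss, sid, sub }); }
  get(sessionId) { return this.sessions.get(sessionId); }
  destroy(sessionId) { return this.sessions.delete(sessionId); }
}

// Read the payload of a JWT without verifying it. Used only to remember
// iss/sid at login time; the ID token was already signature-checked then.
function decodeJwtPayload(jwt) {
  const part = jwt.split('.')[1];
  const json = Buffer.from(part.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
  return JSON.parse(json);
}

// Front-Channel Logout 1.0 handler for the RP's frontchannel_logout_uri.
// requestUrl: the URL the OP's logout page loaded (in an iframe).
// localSessionId: the RP session identified by the browser's cookie.
// A real handler would also expire the cookie and answer with Cache-Control: no-store.
function handleFrontChannelLogout(store, requestUrl, localSessionId, expectedIss) {
  const params = new URL(requestUrl).searchParams;
  const iss = params.get('iss');
  const sid = params.get('sid');
  const session = localSessionId ? store.get(localSessionId) : undefined;
  if (!session) return { loggedOut: false, reason: 'no local session' };
  // When the OP sends iss/sid (frontchannel_logout_session_required), both must
  // match the session established at login; otherwise any page that can load
  // this URL could log the user out of the RP.
  if (iss !== null || sid !== null) {
    if (iss !== expectedIss || iss !== session.iss || sid !== session.sid) {
      return { loggedOut: false, reason: 'iss/sid mismatch' };
    }
  }
  store.destroy(localSessionId);  // the RP's own session; the OP never touches it
  return { loggedOut: true, reason: 'ok' };
}

// Runs the flow end to end on constructed data and returns the results.
function demo() {
  const issuer = 'https://auth.example';  // placeholder for the OP
  // Constructed, unsigned sample payload (NOT a real token).
  const payload = { iss: issuer, sub: 'PRAVEEN', sid: 'op-session-123', aud: 'CLIENT_ID' };
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const idToken = `${b64({ alg: 'none' })}.${b64(payload)}.`;

  const store = new SessionStore();
  const claims = decodeJwtPayload(idToken);
  store.create('rp-cookie-1', { iss: claims.iss, sid: claims.sid, sub: claims.sub });

  const endSession = buildEndSessionUrl(`${issuer}/oxauth/restv1/end_session`, idToken, 'http://192.168.1.1:3000');
  // A logout request carrying a foreign issuer must be ignored.
  const wrong = handleFrontChannelLogout(store,
    'https://rp.example/logout?iss=https%3A%2F%2Fattacker.example&sid=x', 'rp-cookie-1', issuer);
  // The OP's genuine request, matching iss and sid, clears the RP session.
  const right = handleFrontChannelLogout(store,
    `https://rp.example/logout?iss=${encodeURIComponent(issuer)}&sid=op-session-123`, 'rp-cookie-1', issuer);
  return { endSession, wrong, right, sessionLeft: store.get('rp-cookie-1') };
}

module.exports = { buildEndSessionUrl, SessionStore, decodeJwtPayload, handleFrontChannelLogout, demo };
```

In the thread's setup the `frontchannel_logout_uri` points at `silent_renew.html`, which only renews tokens; it is the equivalent of `handleFrontChannelLogout` that is missing, so the RP's own session (here the `JSESSIONID`/localStorage state) survives the OP logout.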

By Praveen Srinivasan user 30 Jan 2018 at 1:37 a.m. CST

Here is my full log for a particular period; I've done a logout and a login request in this time. And here is my exact end session URI:

```
https://auth_server/oxauth/restv1/end_session?id_token_hint=asdf456asd456fasd456fas456fsd456f456asdf&post_logout_redirect_uri=http%3A%2F%2F192.168.1.1%3A3000
```

Here is the LOG (from pastebin): `https://pastebin.com/dCpjADLV`

By William Lowe user 30 Jan 2018 at 8:30 a.m. CST

For future reference, please submit such logs as pastebin links, etc. We cannot efficiently understand this type of log dump on our forum.

By Praveen Srinivasan user 31 Jan 2018 at midnight CST

Sorry for the raw text; here is the pastebin link of the logs. I don't see any `Attempting to end session` log here. [LOG FILE](https://pastebin.com/dCpjADLV)