By: Holmes Chuang user 01 Feb 2019 at 11:09 a.m. CST

8 Responses
Hi, I have a Java application hosted by Tomcat and authenticated by Gluu. The authentication is great and we have no problem getting the user Principal object after authentication. The issue is, I'd like to log out of Gluu correctly from the Java app. From the documentation posted at https://testmd32.readthedocs.io/en/latest/api/oic-end-session/, my Java app needs to call the API /oxauth/end_session. To do so, this API needs "id_token". But I don't know how to properly obtain this info, from Tomcat or from Gluu /oxauth/token. I'd tried many methods and provided all the parameters that might be needed, such as "grant_type", "username", "password" ... please see the following code snippet.

Can you guide me or give me some example of how a Java app can get the 'id_token' from Tomcat or Gluu after login succeeds?

Thank you very much,
Holmes

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.HashMap;
import java.util.Map;
import java.util.StringJoiner;

import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;

final MediaType contentype = MediaType.parse("application/x-www-form-urlencoded; charset=utf-8");
OkHttpClient client = new OkHttpClient();

// Form parameters sent to the token endpoint
Map<String, String> arguments = new HashMap<>();
arguments.put("username", user);
arguments.put("password", password);
arguments.put("code", "3b18549e-f94a-4aad-a5f6-460375e204f4");
arguments.put("grant_type", "authorization_code");
arguments.put("redirect_uri", "https://tomcat.scrams.project:8443/SCRAMS-testbed-release-1.0.0-SNAPSHOT/j_security_check");

// URL-encode the parameters into an application/x-www-form-urlencoded body
StringJoiner sj = new StringJoiner("&");
for (Map.Entry<String, String> entry : arguments.entrySet()) {
    try {
        sj.add(URLEncoder.encode(entry.getKey(), "UTF-8") + "=" + URLEncoder.encode(entry.getValue(), "UTF-8"));
    } catch (UnsupportedEncodingException e) {
        e.printStackTrace();
    }
}
String bodyjson = sj.toString();
System.out.println("LoginServlet: callTokenEndpoint bodyjson=" + bodyjson);

RequestBody body = RequestBody.create(contentype, bodyjson);
Request request = new Request.Builder()
        .url(GlobalVars.GLUU_TOKEN_URL)
        .post(body)
        .build();

// try-with-resources closes the response body when done
try (Response response = client.newCall(request).execute()) {
    token = response.body().string();
    System.out.println("LoginServlet: callTokenEndpoint received response token=" + token);
} catch (IOException e) {
    e.printStackTrace();
}
```

We also tried the guideline listed in https://gluu.org/docs/ce/2.4.4/admin-guide/oauth2/ to use the oxAuth-Client.jar API as follows:

```java
import org.xdi.oxauth.client.TokenClient;
import org.xdi.oxauth.client.TokenResponse;

// Resource owner password credentials grant through the oxAuth client library
TokenClient tokenClient = new TokenClient(GlobalVars.GLUU_TOKEN_URL);
TokenResponse response = tokenClient.execResourceOwnerPasswordCredentialsGrant(
        username, password, "openid", GlobalVars.GLUU_CLIENT_ID, GlobalVars.GLUU_CLIEN_SECRET);

// Handle response
token = response.getAccessToken();
System.out.println("LoginServlet: getAccessToken token=" + token);
System.out.println("LoginServlet: getRefreshToken token=" + response.getRefreshToken());
```

But got the following error:

```
javax.servlet.ServletException: Servlet execution threw an exception
    org.apache.jsp.WEB_002dINF.jsps.login_005ftransition_jsp._jspService(login_005ftransition_jsp.java:153)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:457)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
Root Cause
java.lang.NoClassDefFoundError: org/xdi/oxauth/model/exception/InvalidJwtException
    org.xdi.oxauth.client.TokenClient.execResourceOwnerPasswordCredentialsGrant(TokenClient.java:118)
    controller.LoginServlet.getGluuIdToken(LoginServlet.java:191)
    controller.LoginServlet.doPost(LoginServlet.java:121)
    controller.LoginServlet.doGet(LoginServlet.java:74)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
```

By Aliaksandr Samuseu staff 01 Feb 2019 at 8:33 p.m. CST

Hi, Holmes. We can't afford offering support for such complex tasks as writing custom OIDC clients within the scope of community support. You'll have to research it all on your own. A few points, though:

1. `id_token_hint` is not a mandatory parameter for the logout flow, and can be omitted; `session_id` is much more important, and must be passed to `/end_session` either in cookies (the usual way, as we're talking about frontchannel logout), or in the URL query string, if cookies are not an option.
2. Try to research [the core spec](https://openid.net/specs/openid-connect-core-1_0.html); most of the flows imply that `id_token` is issued during them, so I'm not sure what kind of difficulties you face; either you don't configure your app properly, or don't use correct settings for your client at Gluu, or both, or you're using a flow which doesn't use `id_token` (afaicr there is only one such flow).
3. Try to record the actual HTTP requests and responses. Check your client's registration at Gluu Server, make sure they match the intended flow as it's described in the spec; the approach will depend on your dev environment: you could add logging lines to your code, or you could enable `mod_dumpio` in Gluu's Apache server and try to retrieve this data from the trace it generates.
4. [Increase logging verbosity](https://gluu.org/docs/ce/3.1.4/operation/logs/) for oxAuth, try to investigate `oxauth.log` for clues.

By Aliaksandr Samuseu staff 01 Feb 2019 at 8:38 p.m. CST

Sorry, just noted this:

> java.lang.NoClassDefFoundError: org/xdi/oxauth/model/exception/InvalidJwtException
> org.xdi.oxauth.client.TokenClient.execResourceOwnerPasswordCredentialsGrant(TokenClient.java:118)

Are you using the resource owner's credentials grant flow? No `id_token` for such a flow by default, then. You need to set "openidScopeBackwardCompatibility" to "true" on the "Configuration -> JSON Configuration -> oxAuth" page for it to be issued in this flow, and as you can see it's deprecated and is still here only to ensure removing it won't disrupt processes for those who adopted its usage in the past. Overall, usage of this flow is strongly discouraged; it's not even a standard OIDC flow.

By Aliaksandr Samuseu staff 04 Feb 2019 at 6:46 p.m. CST

Hi, Holmes. Do you need for this ticket to stay open?

By Holmes Chuang user 05 Feb 2019 at 2:04 p.m. CST

Thanks for your reply. Can you give me an example of how to use /oxauth/token? I'd like to have those parameters set up correctly so the response can be 200. Thanks.

By Aliaksandr Samuseu staff 05 Feb 2019 at 7:57 p.m. CST

Hi, Holmes. You should refer to the [OIDC specs](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint) whenever in doubt; Gluu tries to follow them as closely as possible. A brief API description can also be found [here](https://gluu.org/docs/ce/3.1.4/api-guide/openid-connect-api/). Within community support we can only answer specific questions related to our products; this one is already too broad.

By Aliaksandr Samuseu staff 05 Feb 2019 at 8:05 p.m. CST

An example of a correct request to `/token` during the resource owner's credentials grant flow:

```
POST /oxauth/restv1/token HTTP/1.1
Host: idp.host.loc
Content-Type: application/x-www-form-urlencoded
Authorization: Basic QCFBMjc4LjZFNDkuQjA5Qi41MEZEITAwMDEhNDgzMi5CNDhDITAwMDghQUFDMy5CRDdGLkFGMTQuRDVDMjoxcTJ3M2U0cg==
Cache-Control: no-cache
Content-Length: 104

grant_type=password&username=admin&password=1q2w3e4r&scope=openid+profile+email+uma_protection+user_name
```

The `Authorization` header carries the client's credentials (not the user's). You also need to add some `redirect_uri` property to this client in the web UI (even though it's not used in this flow), and make sure the "openidScopeBackwardCompatibility" property on the "Configuration -> JSON Configuration -> oxAuth" page is set to "true", or you won't receive `id_token` in this flow.
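The following is an added example, not code from this thread or from the Gluu project. It builds the two messages the thread is about offline, so their exact wire format can be checked: the `/token` request shown in the post above (the client id and secret used here are what that post's `Authorization: Basic` header decodes to), and the browser redirect to `/end_session` that carries `id_token_hint`, `post_logout_redirect_uri` and, when the Gluu session cookie cannot travel with the request, `session_id` in the query string as described earlier in the thread. The `/oxauth/restv1/end_session` path (parallel to the `/oxauth/restv1/token` path in the post) and the `post_logout_redirect_uri` parameter from the OIDC RP-Initiated Logout spec are assumptions, and the redirect target is a constructed sample:

```python
"""
Added example (not from the Gluu thread or the Gluu project): the two OIDC
messages discussed in the thread, built offline so the wire format is checkable.

  1. The resource owner password credentials request to /oxauth/restv1/token,
     authenticating the *client* with an HTTP Basic header (RFC 7617).
  2. The RP-initiated logout redirect to /end_session.  The browser must be
     sent there (HTTP 302) so that Gluu receives its own session cookie; a
     server-to-server call from the application carries no such cookie, and
     then session_id has to travel in the query string instead.

Assumptions: the end_session path /oxauth/restv1/end_session and the
post_logout_redirect_uri parameter (OIDC RP-Initiated Logout).
"""
import base64
from typing import List, Optional
from urllib.parse import urlencode

# Values taken from the request shown in the thread; the client id and secret
# are what its Authorization header decodes to.  None of this is a live credential.
IDP_HOST = "idp.host.loc"
CLIENT_ID = "@!A278.6E49.B09B.50FD!0001!4832.B48C!0008!AAC3.BD7F.AF14.D5C2"
CLIENT_SECRET = "1q2w3e4r"
SCOPES = ["openid", "profile", "email", "uma_protection", "user_name"]


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 7617 client authentication: 'Basic' + base64(client_id ':' client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def password_grant_body(username: str, password: str, scopes: List[str]) -> str:
    """application/x-www-form-urlencoded body for grant_type=password.

    urlencode() percent-encodes reserved characters and turns the space-
    separated scope list into 'openid+profile+...'.
    """
    fields = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
    }
    return urlencode(fields)


def token_request(host: str, client_id: str, client_secret: str,
                  username: str, password: str, scopes: List[str]) -> str:
    """Render the complete HTTP/1.1 request to the token endpoint.

    The user's credentials go in the body, the client's in the Authorization
    header, and Content-Length is derived from the encoded body.
    """
    body = password_grant_body(username, password, scopes)
    lines = [
        "POST /oxauth/restv1/token HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        "Authorization: " + basic_auth_header(client_id, client_secret),
        f"Content-Length: {len(body.encode('ascii'))}",
        "",
        body,
    ]
    return "\r\n".join(lines)


def end_session_redirect(host: str, id_token: str, post_logout_redirect_uri: str,
                         session_id: Optional[str] = None) -> str:
    """Location header value for the browser redirect that ends the OP session.

    Redirecting the browser lets Gluu read its own session cookie.  When the
    request cannot carry that cookie, pass session_id explicitly and it is
    added to the query string (assumed path and parameter name, see above).
    """
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    if session_id:
        params["session_id"] = session_id
    return f"https://{host}/oxauth/restv1/end_session?" + urlencode(params)


if __name__ == "__main__":
    print(token_request(IDP_HOST, CLIENT_ID, CLIENT_SECRET, "admin", "1q2w3e4r", SCOPES))
    print()
    # Constructed sample application URL; the id_token comes from the token response.
    print(end_session_redirect(IDP_HOST, "ID_TOKEN_FROM_TOKEN_RESPONSE",
                               "https://app.example.test/logout"))
```

Running the script prints a request byte-for-byte equal to the one in the post above, including the `Content-Length: 104`, which is a quick way to confirm that a client's own request builder is producing the same thing before looking for problems elsewhere.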

By Holmes Chuang user 06 Feb 2019 at 11:14 a.m. CST

Thank you for your example. Really helpful. Will post my result later.

By Holmes Chuang user 08 Feb 2019 at 11:41 a.m. CST

Hi, I was able to get the id_token and send it to the OP (Gluu server). The response is:

```html
<!DOCTYPE html><html><head><pre>window.onload=function() {window.location='https://tomcat.test.project:8443/test-testbed-release-1.0.0-SNAPSHOT/logout'}</pre><title>Gluu Generated logout page</title></head><body>Logout requests sent.<br/></body></html>
```

But when I go to the Gluu server, the user session is still on and valid. When I try to access the application URL, Gluu grants it right away. So it seems that the session never gets terminated or logged out completely. Do I need to check some configuration? Thanks for your help.