By: Josh Newlin Account Admin 08 Feb 2019 at 1:49 p.m. CST

12 Responses
Hey guys, I updated a dev environment to 3.1.5 today, and all was going well. Then, it was found out that the end_session endpoint was causing some issues it hadn't until updating. We're using the endpoint the same as we were before updating, but now with the following request, it seems we get this output:

https://[BASE_URL_HERE]/oxauth/restv1/end_session?id_token_hint=1137f5ad-ccf2-4715-adf6-c740e5316c8c&session_id=3604efe5-6e77-474f-95ab-82dbeb8e7dd6&post_logout_redirect_uri=[REDIRECT_URL_HERE]

```
{"error":"invalid_grant_and_session","error_description":"The provided access token and session state are invalid or were issued to another client.","reason":"id_token_hint is not valid. Logout is rejected. id_token_hint can be skipped or otherwise valid value must be provided."}
```

Any ideas how to fix this? I'm sure there's something I missed when updating that changed this behavior. Here's output from oxauth.log:

```
2019-02-08 19:38:47,243 DEBUG [qtp1971489295-15] [xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl] (EndSessionRestWebServiceImpl.java:93) - Attempting to end session, idTokenHint: 1137f5ad-ccf2-4715-adf6-c740e5316c8c, postLogoutRedirectUri: [REDIRECT_URL_HERE], sessionId: 3604efe5-6e77-474f-95ab-82dbeb8e7dd6, Is Secure = true
2019-02-08 19:38:47,247 ERROR [qtp1971489295-15] [xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl] (EndSessionRestWebServiceImpl.java:148) - id_token_hint is not valid. Logout is rejected. id_token_hint can be skipped or otherwise valid value must be provided.
2019-02-08 19:38:47,247 DEBUG [qtp1971489295-15] [org.xdi.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:70) - Looking for the error with id: invalid_grant_and_session
2019-02-08 19:38:47,247 DEBUG [qtp1971489295-15] [org.xdi.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:75) - Found error, id: invalid_grant_and_session
```

P.S. Removed URLs for peace of mind.

Thanks,
Josh N.

By Mohib Zico staff 08 Feb 2019 at 2:18 p.m. CST

Hi Josh, What was the base system? I mean, from where did you upgrade it? 3.1.2?

By Josh Newlin Account Admin 08 Feb 2019 at 2:20 p.m. CST

Yes, 3.1.2 is correct!

By Mohib Zico staff 08 Feb 2019 at 2:23 p.m. CST

Thanks, please allow me to test this upgrade a bit. I know we have applied some improvements for openID connect + SAML logout but not exactly sure if this end_session endpoint was in that category or not.

By Josh Newlin Account Admin 08 Feb 2019 at 2:24 p.m. CST

Thank you for your efforts. I'll be looking forward to hearing back from you!

By Josh Newlin Account Admin 11 Feb 2019 at 2:14 p.m. CST

Hey Mohib, No rush, but any updates on your testing? Thanks, Josh N.

By Mohib Zico staff 11 Feb 2019 at 2:35 p.m. CST

Hi Josh, Yes.. I got some from the Developer himself. Here is his answer:

```
hi Zico
we accept it as before
it seems invalid token is provided there.
we have this in docs
id_token_hint and session_id parameters are optional. Therefore OP will end session successfully if these parameters are missed. However from other side if RP included them in request OP validates them and if any of those are invalid OP returns 400 (Bad Request) http code.
also message in error very clearly says that id_token_hint is invalid
they should skip it or otherwise provide valid token
```

By Josh Newlin Account Admin 11 Feb 2019 at 2:53 p.m. CST

Hey Mohib, I understand that the error says that the id_token_hint is invalid. I opened my ticket because this was working just fine and logging out the user. I'm wondering what we can change to make this work again. I have documented the process with an environment we upgraded to 3.1.5, and one that is still at 3.1.2. The pictures will be me requesting the information, using that information for /userinfo, then attempting to sign out. 3.1.5 pictures are in this post (I'm only allowed 5).

By Josh Newlin Account Admin 11 Feb 2019 at 2:57 p.m. CST

3.1.2 is shown in this post.

By Josh Newlin Account Admin 11 Feb 2019 at 3:02 p.m. CST

Also, I should say that this request is being sent by middleware, which doesn't have access to the user's session cookies, which is why we're including id_token_hint; otherwise it wouldn't know which user we're referring to.

By Josh Newlin Account Admin 11 Feb 2019 at 3:31 p.m. CST

We're currently rolling back our update until this is fixed or it's clear that we need to change something. Please let me know if you find anything!

By Aliaksandr Samuseu staff 12 Feb 2019 at 1:18 p.m. CST

Hi, Josh. Compared to 3.1.2, there were substantial changes to how `/end_session` works. I wonder why it reacts like that: is it because `id_token` is invalid indeed (expired/got truncated or modified), or just because it's already been removed from Gluu Server's storage at the moment when the end session request flies in? If it's the latter, we may need to adjust this behaviour; it doesn't seem right, assuming you also pass a valid `session_id` with it, which is the only thing oxAuth needs to end a session. What I noted is that you seem to pass `access token` as `id_token_hint`. This legacy behaviour should still be supported (yet definitely is not recommended), but only if you have the "endSessionWithAccessToken" parameter on the "Configuration -> JSON Configuration -> oxAuth" page set to "true".
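The rules described in the developer's answer and in the post above (both query parameters optional, any parameter that is present is validated, an invalid one yields 400, and an access token accepted as the hint only when `endSessionWithAccessToken` is on) as a runnable model. This is an added example, not oxAuth's own code; the in-memory store, function names and sample ids are constructed, and it cannot explain the case Josh reports where the switch is already on.

```python
# Added model of the /end_session rules described in this thread; not oxAuth
# code. The in-memory store, names and sample ids below are constructed.
from dataclasses import dataclass, field

INVALID_HINT = {"error": "invalid_grant_and_session",
                "reason": "id_token_hint is not valid. Logout is rejected. "
                          "id_token_hint can be skipped or otherwise valid value must be provided."}

@dataclass
class OPState:
    sessions: set = field(default_factory=set)         # live session ids
    id_tokens: dict = field(default_factory=dict)      # id_token -> session id
    access_tokens: dict = field(default_factory=dict)  # access token -> session id
    end_session_with_access_token: bool = False        # legacy switch named in the thread

def resolve_hint(op, hint):
    """Map id_token_hint to a session id; None means the hint is not acceptable."""
    if hint in op.id_tokens:
        return op.id_tokens[hint]
    # Legacy path: an access token is accepted as the hint only when the switch is on.
    if op.end_session_with_access_token and hint in op.access_tokens:
        return op.access_tokens[hint]
    return None

def end_session(op, id_token_hint=None, session_id=None, cookie_session_id=None):
    """Return (http_status, body). Both query parameters are optional, but a
    parameter that is present is validated, and an invalid one yields 400."""
    target = cookie_session_id           # browser-initiated logout carries the cookie
    if id_token_hint is not None:
        target = resolve_hint(op, id_token_hint)
        if target is None:
            return 400, INVALID_HINT
    if session_id is not None:
        if session_id not in op.sessions:
            return 400, {"error": "invalid_grant_and_session",
                         "reason": "session_id is not valid (constructed message)"}
        target = session_id
    if target not in op.sessions:         # nothing identifies a live session
        return 400, {"error": "invalid_grant_and_session",
                     "reason": "no session to end (constructed message)"}
    # End the session and revoke every token issued under it, so a repeated
    # logout with the same token is rejected as invalid.
    op.sessions.discard(target)
    op.id_tokens = {t: s for t, s in op.id_tokens.items() if s != target}
    op.access_tokens = {t: s for t, s in op.access_tokens.items() if s != target}
    return 200, {"ended": target}

def demo_state(legacy=False):
    """Constructed fixture: one live session with one id token and one access token."""
    return OPState({"sess-1"}, {"idt-1": "sess-1"}, {"acc-1": "sess-1"}, legacy)
```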

By Josh Newlin Account Admin 13 Feb 2019 at 8:58 a.m. CST

Hi Aliaksandr, Yes, I remember that using the access token was antiquated and not recommended. I think it was discussed in a ticket oh so long ago. However, situations led us to allow it for our customers to incorporate a logout flow. `endSessionWithAccessToken` is set to true. In my examples, I can request a token and immediately turn around and plug it into `end_session`, and I get the issue. So, this tells me that the token isn't expired, truncated, or modified. I'm unsure of what else to do in this situation, as the functionality changes of `end_session` seem to have broken our method for logging out. It seems that whatever changes were made will not allow this token to be passed the same as previously. Any idea how we could circumvent this? Josh N.