By: Aman Negi user 07 Feb 2024 at 4:45 a.m. CST

This ticket is on behalf of the AAAS team. Upon attempting to log out when their session has already been ended, a user receives a JSON error page. ![error image](https://ibb.co/605JnDG) There are also multiple scenarios that can trigger this issue, such as the user being authenticated to multiple sites and attempting to log out from each one. Would it be possible to skip the error message and redirect the user to the provided logout redirect page instead of displaying the error? We are aware of the front channel logout flow in Gluu; below is the link: https://gluu.org/docs/gluu-server/4.4/operation/logout/#openid-connect-single-log-out-slo We have not implemented this logout flow. Can you let us know if we need to make any changes on the application side to implement it? Or will just registering the front channel logout URL in the OpenID client do the trick?

By Aliaksandr Samuseu staff 09 Feb 2024 at 8:39 a.m. CST

Hi, Aman. Can we have the full URI that can be seen in your screenshot? I wonder if you are passing the id_token_hint parameter in it. If the hint is passed, then the id_token must be valid and must still be found in Gluu Server's db; otherwise this error is thrown, according to the spec (AFAICR this is how it's supposed to work, as explained to me by the developer in charge). The problem is that if the session was created long ago, it could already have been timed out by oxAuth and purged from the db, with all the tokens tied to it; then this issue may occur.

By Aman Negi user 12 Feb 2024 at 7:34 a.m. CST

Hi Aliaksandr, The issue here is when a user logs out from one of the applications integrated with Gluu. The application sends an end session request to Gluu. Later, if the user tries to log out from another application, they get the error because they don't have a session anymore. We just want to know if there is any way we can skip this error page. Thanks, Aman Negi

By Aman Negi user 16 Feb 2024 at 9:40 a.m. CST

Hi Aliaksandr, Any update on this? This is a production issue, and we would like to know whether there is any method to prevent it.

By Aliaksandr Samuseu staff 19 Feb 2024 at 3:03 p.m. CST

Hi, Aman. Sorry for the delay. Here are the two most probable causes of the issue you're facing:

1. Your application passes the "id_token_hint" URL query parameter to the `/end_session` endpoint, but this token cannot be found in Gluu Server's db/cache as the session no longer exists, and thus it can't be validated. According to the spec, found [here](https://openid.net/specs/openid-connect-rpinitiated-1_0.html): "When an id_token_hint parameter is present, the OP MUST validate that it was the issuer of the ID Token", and also "..If any of the validation procedures defined in this specification fail, any operations requiring the information that failed to correctly validate MUST be aborted". Thus, it turns out, in such a case oxAuth behaves correctly, which was also confirmed by the dev team in the past on a similar issue. To mitigate against this, you may choose to not send the "id_token_hint" parameter in end session requests.

2. If you've confirmed you don't send the parameter, but include the "postlogout_redirect_uri" parameter instead and still see that error, especially in the case when you know that the session has already been ended by another app, it's probably due to the fact that oxAuth can't find any session context for that request; thus it can't validate the URI, as it doesn't have any idea which client's property it needs to check in such a case. I can confirm that behavior, and it indeed seems that the error oxAuth displays is confusing. You can try to enable the "allowPostLogoutRedirectWithoutValidation" option at the "Configuration" > "JSON Configuration" > "oxAuth" page, and then add all possible "postlogout_redirect_uri" URIs that may appear in such a request to the "clientWhiteList" list on the same page. This will make oxAuth redirect such requests to the whitelisted URIs without any extra validation.

Hope this helps.
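To make the two causes above concrete, here is an added Python model of the OP-side end_session decision (example code written for this thread, not oxAuth's own logic; the session store, client ids and redirect URIs are constructed, and the parameter is spelled `post_logout_redirect_uri` as in the spec). It shows why the second app's logout fails once the first app has purged the shared session, and what the whitelist setting changes.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs


@dataclass
class OpState:
    # Constructed OP state: id_token -> (session_id, client_id); a token lives only while its session does.
    id_tokens: dict
    client_redirects: dict  # client_id -> post_logout_redirect_uri values registered for that client
    allow_without_validation: bool = False  # models "allowPostLogoutRedirectWithoutValidation"
    client_white_list: list = field(default_factory=list)  # models "clientWhiteList"


def end_session(op: OpState, request_uri: str) -> tuple:
    """Return ("redirect", uri), ("ok", None) or ("error", reason) for one /end_session request."""
    q = parse_qs(urlparse(request_uri).query)
    hint = q.get("id_token_hint", [None])[0]
    redirect = q.get("post_logout_redirect_uri", [None])[0]
    client_id = None
    if hint is not None:
        # Cause 1: the hint must still be in the db; a purged session means it cannot be validated, so abort.
        if hint not in op.id_tokens:
            return ("error", "id_token_hint could not be validated")
        session_id, client_id = op.id_tokens[hint]
        # Ending the session purges every token tied to it, whichever client sent the request.
        op.id_tokens = {t: v for t, v in op.id_tokens.items() if v[0] != session_id}
    if redirect is None:
        return ("ok", None)
    if client_id is not None:
        # Session context known: the uri must be one registered for that client.
        if redirect in op.client_redirects.get(client_id, []):
            return ("redirect", redirect)
        return ("error", "post_logout_redirect_uri not registered for client")
    # Cause 2: no session context, so the OP cannot tell which client's registered uris to check.
    if op.allow_without_validation and redirect in op.client_white_list:
        return ("redirect", redirect)
    return ("error", "no session context to validate post_logout_redirect_uri")


def fresh_op(allow: bool) -> OpState:
    """Constructed state: apps A and B share one SSO session; B's uri is also whitelisted."""
    return OpState(id_tokens={"tokA": ("sess1", "appA"), "tokB": ("sess1", "appB")},
                   client_redirects={"appA": ["https://a.example/bye"], "appB": ["https://b.example/bye"]},
                   allow_without_validation=allow, client_white_list=["https://b.example/bye"])


def logout_from_two_apps(op: OpState) -> list:
    """App A ends the shared session; app B then tries with its purged hint, and again without any hint."""
    base = "https://op.example/end_session?"
    return [end_session(op, base + "id_token_hint=tokA&post_logout_redirect_uri=https://a.example/bye"),
            end_session(op, base + "id_token_hint=tokB&post_logout_redirect_uri=https://b.example/bye"),
            end_session(op, base + "post_logout_redirect_uri=https://b.example/bye")]
```

With the setting off, the second and third requests both end in an error; with it on, the hint-less request is redirected to the whitelisted URI, which is the mitigation described in cause 2.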

By Aman Negi user 20 Feb 2024 at 9:46 a.m. CST

Hi Aliaksandr, The reason for the error page is case 1 as you mentioned: As I already informed you, the user has already logged out from one application, the /end_session endpoint is called, and it works fine. The issue arises when the user tries to log out from another application, but now, as the user doesn't have a session with Gluu, we get the error page. Is there any way we can bypass the error page or customize it? I guess it would be best to schedule a call to discuss this? Thanks, Aman Negi