resolve logout token subject:sessions for the idp backchannel logout#2328
resolve logout token subject:sessions for the idp backchannel logout#2328dragonchaser wants to merge 11 commits intoopencloud-eu:mainfrom
Conversation
dragonchaser
force-pushed
the
fix-backchannel-logout
branch
from
a5ff70e to
8cd6107
Compare
dragonchaser
force-pushed
the
fix-backchannel-logout
branch
from
8cd6107 to
c051e6e
Compare
fschade
force-pushed
the
fix-backchannel-logout
branch
from
c67804e to
6f8c92f
Compare
|
toDo:
|
fschade
force-pushed
the
fix-backchannel-logout
branch
2 times, most recently
from
a10347c to
ae9427a
Compare
fschade
force-pushed
the
fix-backchannel-logout
branch
from
ae9427a to
1e53cc9
Compare
|
A few minor things here and there, but it should be fine for now. logout.mp4 |
fschade
force-pushed
the
fix-backchannel-logout
branch
12 times, most recently
from
455c703 to
da5d1d4
Compare
fschade
changed the title
|
i updated the issue description, hope it makes sense |
rhafer
left a comment
rhafer
left a comment
There was a problem hiding this comment.
I am not quite sure this PR is actually fixing the bug. If we receive a logout with just a sub claim. We still need to invalidate all cached userinfo claims for that user, don't we?
(We might to be able to trigger the Logout Event though)
| case suse.Session != "": | ||
| return LogoutModeSession | ||
| case suse.Subject != "": | ||
| return LogoutModeSubject |
There was a problem hiding this comment.
What is the behavior if the logout token contains both, a session and a subject?
Currently we just seem to account for the sesssion and basically ignore the subject? Maybe that's fine the spec isn't really clear about that.
There was a problem hiding this comment.
if the session is given, we use only the session and ignore the subject... wich results in 1 logout... any better idea?
thanks for your detailed review, you found some good flaws, yes if only a subkect is given, we invalidate all records that belong to that subject. |
Signed-off-by: Christian Richter <c.richter@opencloud.eu> Co-authored-by: Michael Barz <m.barz@opencloud.eu>
Signed-off-by: Christian Richter <c.richter@opencloud.eu>
Signed-off-by: Christian Richter <c.richter@opencloud.eu>
Co-authored-by: Jörn Dreyer <j.dreyer@opencloud.eu> Co-authored-by: Michael Barz <m.barz@opencloud.eu> Signed-off-by: Christian Richter <c.richter@opencloud.eu>
…s or sessionIds that contain a dot
fschade
force-pushed
the
fix-backchannel-logout
branch
from
57a0df9 to
3560f1c
Compare
fschade
force-pushed
the
fix-backchannel-logout
branch
from
3560f1c to
f1bd274
Compare
|
4 participants
Description
the backchannel logout only considers the logout token sessionId, as mentioned by the spec,
the sessionId is optional if the subject exists.
The current implementation ignores the subject and fails if the sessionId is not part of the logoutToken.
A more detailed description of the problem and how to reproduce it can be found here.
Related Issue
Motivation and Context
from the spec:
Known side-effects
keyCloak "Sign out all active sessions" does not send a backchannel logout request,
as the devs mention, this may lead to thousands of backchannel logout requests,
therefore, they recommend a short token lifetime.
OIDC: Backchannel logout not being called when using Sign out all Session in Keycloak keycloak/keycloak#27342 (comment)
keyCloak user self-service portal, "Sign out all devices" may not send a backchannel
logout request for each session, it's not mentionex explicitly,
but maybe the reason for that is the same as for "Sign out all active sessions"
to prevent a flood of backchannel logout requests.
if the keyCloak setting "Backchannel logout session required" is disabled (or the token has no session id),
we resolve the session by the subject which can lead to multiple session records (subject.*),
we then send a logout event (sse) to each connected client and delete our stored cache record (subject.session & claim).
all sessions besides the one that triggered the backchannel logout continue to exist in the identity provider,
so the user will not be fully logged out until all sessions are logged out or expired.
this leads to the situation that web renders the logout view even if the instance is not fully logged out yet.
Things to pay special attention to during the review
services/proxy/pkg/middleware/oidc_auth.go{key: ".sessionId"}=> used for*.sessionId{key: "subject.sessionId"}=> used forsubject.*services/proxy/pkg/staticroutes/internal/backchannellogout/backchannellogout.goservices/proxy/pkg/staticroutes/backchannellogout.goToDos:
by the iss and sub Claims..., we don't do that?Questions
How Has This Been Tested?
Types of changes
Checklist: