OpenAM Agents
AMAGENTS-3056

The agent does not invalidate session before redirecting to logout


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.6.0.0, 5.6.1.0, 5.6.1.1, 5.7.0
    • Fix Version/s: 5.6.2.1, 5.7.0
    • Component/s: Web Agents
    • 5
    • Sprint: 2019.15 - Agents
    • 43506

    Description

      Problem Description

      The agent does not log the user out of the session, despite displaying the message "SLO successfully completed".

      How to reproduce the issue

      1. Set up two nodes, sp and idp, federate them, then test the two login and logout JSPs.
      2. In the SP console node create an agent and add a policy for it in the AM authorisation settings: GET/POST for all authenticated users.
      3. In the SP console node navigate to the agent config OpenAM Services tab and add, in the logout pages, the OpenAM Logout URLs http://sp.example.com:8080/openam/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=sp&idpEntityID=http%3A%2F%2Fidp.example.net%3A8080%2Fopenam and http://sp.example.com:8080/openam/UI/Logout, and the Agent Logout URL http://agent.example.com:80/logout.
      4. Install Apache and Agent 5.6.1.1 on the SP node and create an index.html page to test the agent SLO with.
      5. In the SP console navigate to the agent configuration Advanced tab and add the following custom properties:
         com.forgerock.agents.accept.ipdp.cookie=2
         com.forgerock.agents.conditional.login.url[0]=|http://sp.example.com:8080/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http%3A%2F%2Fidp.example.net%3A8080%2Fopenam
         org.forgerock.openam.agents.config.allow.custom.login=2
         org.forgerock.agents.config.logout.session.invalidate=false
      6. In a browser open multiple tabs to test the SLO by navigating to agent.example.com/index.html, sp.example.com:8080/openam and idp.example.com:8080/openam.
      7. Go back to the agent.example.com/index.html tab and replace the URL with agent.example.com/logout.

      Expected behaviour

      All tabs should be logged out after a hard refresh (shift-refresh or equivalent).

      Current behaviour

      sp.example.com:8080/openam is logged out, but the idp.example.net:8080/openam tab remains logged in, and if you refresh the agent.example.com/index.html tab it directs you back to index.html without a login challenge.

      Workaround

      Perform Single LogOut from outside of the agent.

      Code analysis

      SAML SLO relies on the federated parties. It is therefore crucial that REST logouts are not performed in this mode.

      A simplified reproduction (no federation) showed that setting

       org.forgerock.agents.config.logout.session.invalidate=false

      doesn't change the behaviour of the agent. The intention of this flag is that a request to the logout URL results in a redirect only.

      2019-11-06 15:22:24 UTC DEBUG [53e2f91c-673e-e68a-c2c4-70c0004dc12b]: (source/request.c:520) setup_request_data():
        method: GET
        original url: [http://agent.localtest.me:8000/logout]
        proto: http
        host: agent.localtest.me
        port: 8000
        path: /logout
        query:
        overridden: [http://agent.localtest.me:8000/logout]
        pathinfo:
        noverridden (pathinfo removed): (empty)
      2019-11-06 15:22:24 UTC DEBUG [53e2f91c-673e-e68a-c2c4-70c0004dc12b]: (source/request.c:573) validate_url():
      2019-11-06 15:22:24 UTC DEBUG [53e2f91c-673e-e68a-c2c4-70c0004dc12b]: (source/request.c:590) validate_url(): request url validation feature is not enabled
      2019-11-06 15:22:24 UTC DEBUG [53e2f91c-673e-e68a-c2c4-70c0004dc12b]: (source/request.c:599) validate_fqdn_access():
      2019-11-06 15:22:24 UTC DEBUG [53e2f91c-673e-e68a-c2c4-70c0004dc12b]: (source/request.c:602) validate_fqdn_access(): feature is not enabled
      2019-11-06 15:22:24 UTC DEBUG [53e2f91c-673e-e68a-c2c4-70c0004dc12b]: (source/oidc.c:419) JWT {"sub":"demo","auditTrackingId":"e1c04dc1-84a8-4e31-9bfc-4515c70b7cbb-489655","iss":"http://openam.localtest.me:18080/openam/oauth2","tokenName":"id_token","nonce":"52D1ECDC680C6A41BC9C9D208904A571","aud":"wpa-agent","acr":"0","s_hash":"HwTiJCQSH0NCK_bKHRkoNQ","azp":"wpa-agent","auth_time":1573053718,"forgerock":{"ssotoken":"lEIH1Zbtu6ZwQOgk_FcHTHyniRY.*AAJTSQACMDEAAlNLABxCSVcxWXRtUEZBakE1R1h1cy8zQTBoK1FKazQ9AAR0eXBlAANDVFMAAlMxAAA.*","suid":"e1c04dc1-84a8-4e31-9bfc-4515c70b7cbb-489568"},"realm":"/","exp":1573060918,"tokenType":"JWTToken","iat":1573053718,"agent_realm":"/"}
      2019-11-06 15:22:24 UTC DEBUG [53e2f91c-673e-e68a-c2c4-70c0004dc12b]: (source/request.c:691) handle_not_enforced(): [http://agent.localtest.me:8000/logout] is an application logout url (not enforced)
      2019-11-06 15:22:24 UTC DEBUG [53e2f91c-673e-e68a-c2c4-70c0004dc12b]: (source/request.c:1987) handle_exit(): (entry status: success)
      2019-11-06 15:22:24 UTC DEBUG [53e2f91c-673e-e68a-c2c4-70c0004dc12b]: (source/apache/agent.c:888) amagent_auth_handler(): exit status: redirect (1)
      ...
      

      Instead of this, we could see:

      2019-11-06 12:16:28 GMT DEBUG   [3250688a-526b-995f-79db-f0bf219d12a7]: (source/config_parser.c:179) parse_config_number() org.forgerock.agents.config.logout.session.invalidate is set to ‘0’
      

      That showed that the setting was picked up correctly. However, the following showed that it was being ignored:

      2019-11-06 12:14:22 GMT DEBUG   [be6a4a90-bb0f-85b1-5244-03fc6768968a]: (source/sdk_base.c:180) http request to sp.example.com:8080
      POST /openam/json/realms/root/sessions?_action=logout HTTP/1.1
      Host: sp.example.com:8080
      Cookie: iPlanetDirectoryPro=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9....ERExSYtZMvdg5k8k8RyCO_GFCh-rCw4ZBG2-1JqfvZMGGASwsCEQpnCrPzeOHC5IKZN07FErpsqOea5qTrbQrmZjsByoUwEOPItsfbPnFNpZ8I7QvxFujTpDjEzXISnl8lz4Z2QMTjbFQZzyC3E9CO-0vMfiqgsATn8W5uzrhOX3exfp86YPjlNKDGqaZ_bc4qMT11643afHDeCTqMpx7x7gNqM5c0w8QK9E5hnxPVlCdqJ-WsnqNFa_tmGaPS1bmeCkjD8bbs68ocKdnin_yI-InFO0u9ZO83IPRq2EIodu5IcG-0w48wNYK5gLUq6hQMo56O5NiHDGLJjJFwamBQ
      User-Agent: OpenAM Web Agent/5.6.1.1
      Accept: application/json
      Connection: Close
      Content-Type: application/json; charset=UTF-8
      Accept-API-Version: resource=2.0, protocol=1.0
      X-ForgeRock-TransactionId: be6a4a90-bb0f-85b1-5244-03fc6768968a/4
      Content-length: 0
      

      Note that this call would also be seen in the access logs coming from the agent (if we don't want to turn on agent debug to diagnose it).

      In terms of analysis, we see the attribute fetch being done, and then the default being applied. We need to flip the order, i.e. this call needs to be moved before the fetch:

      {
          ...
          /* currently called after the remote attribute fetch, so the default
           * overwrites the value that was just fetched */
          config_set_remote_defaults(cnf);
      }

      /*
       * set remote defaults that are not 0
       */
      void config_set_remote_defaults(am_config_t *cnf)
      {
          cnf->logout_session_invalidate = 1;
      }
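As an added illustration (not code from the OpenAM web agent), the following C program models the ordering defect described above: a remote attribute fetch that writes only the properties it finds, followed by a defaults pass that unconditionally sets logout_session_invalidate to 1, so the fetched value is lost and the agent falls back to the REST session logout. The struct, the property lookup and parser, the property blobs and the logout_action helper are constructed for this example; only the property keys come from the issue.

```c
/*
 * Added example (not OpenAM agent code): shows why applying non-zero
 * defaults after the remote attribute fetch silently overwrites a fetched
 * value, and what the logout handler then does with it.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

/* Minimal stand-in for the agent's configuration struct (assumption). */
typedef struct {
    int logout_session_invalidate; /* 1: REST session logout then redirect, 0: redirect only */
} am_config_t;

#define KEY_LOGOUT_INVALIDATE "org.forgerock.agents.config.logout.session.invalidate"

/* Parse "true"/"false" or an integer; anything else keeps the fallback (assumption). */
static int parse_config_number(const char *value, int fallback)
{
    if (value == NULL) return fallback;
    if (strcmp(value, "true") == 0) return 1;
    if (strcmp(value, "false") == 0) return 0;
    if (isdigit((unsigned char)value[0])) return atoi(value);
    return fallback;
}

/* Find key=value in a newline-separated property blob; returns 1 if found. */
static int lookup_property(const char *props, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = props;
    while (p != NULL && *p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = linelen - klen - 1;
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Default for values whose "unset" state is not 0, as in the issue's snippet. */
static void config_set_remote_defaults(am_config_t *cnf)
{
    cnf->logout_session_invalidate = 1;
}

/* The attribute fetch: only fields present in the remote config are written. */
static void config_fetch_remote(am_config_t *cnf, const char *props)
{
    char value[32];
    if (lookup_property(props, KEY_LOGOUT_INVALIDATE, value, sizeof value)) {
        cnf->logout_session_invalidate =
            parse_config_number(value, cnf->logout_session_invalidate);
    }
}

/* Order as described in the issue: fetch first, then defaults (defaults win). */
int load_config_buggy(const char *props)
{
    am_config_t cnf = {0};
    config_fetch_remote(&cnf, props);
    config_set_remote_defaults(&cnf);
    return cnf.logout_session_invalidate;
}

/* Fixed order: defaults first, so the fetch overrides only what the remote config sets. */
int load_config_fixed(const char *props)
{
    am_config_t cnf = {0};
    config_set_remote_defaults(&cnf);
    config_fetch_remote(&cnf, props);
    return cnf.logout_session_invalidate;
}

/* What the logout URL handler does with the resulting value (constructed labels). */
const char *logout_action(int logout_session_invalidate)
{
    return logout_session_invalidate ? "rest-session-logout-then-redirect" : "redirect-only";
}

int main(void)
{
    /* Constructed remote configuration, using the keys from the issue. */
    const char *remote = "com.forgerock.agents.accept.ipdp.cookie=2\n"
                         KEY_LOGOUT_INVALIDATE "=false\n";
    const char *remote_unset = "com.forgerock.agents.accept.ipdp.cookie=2\n";
    printf("buggy order, flag=false  -> %s\n", logout_action(load_config_buggy(remote)));
    printf("fixed order, flag=false  -> %s\n", logout_action(load_config_fixed(remote)));
    printf("fixed order, flag absent -> %s\n", logout_action(load_config_fixed(remote_unset)));
    return 0;
}
```

With the buggy order the flag set to false still yields the REST session logout, which is exactly the POST to /sessions?_action=logout seen in the debug trace above; with defaults applied first, false is honoured and an absent key still gets the non-zero default.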
      
      


            People

              alex.levin@forgerock.com Alex Levin
              jamal.yafai Jamal Yafai
              Votes: 0
              Watchers: 6