OpenAM / OPENAM-10782

endSession with an id_token generated from a refresh_token request does not destroy the session

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.0, 13.5.0, 14.0.0, 14.1.0
    • Fix Version/s: 13.5.2, 14.1.1, 14.5.0
    • Component/s: OpenID Connect
    • Sprint:
      AM Sustaining Sprint 37, AM Sustaining Sprint 38, AM Sustaining Sprint 39
    • Story Points:
      3

      Description

      1. Authenticate at OpenAM using the oauth2/authorize endpoint to get an authorization code.

      2. Use the authorization_code grant at oauth2/access_token to gain access/refresh/id_tokens.

      3. Now use the refresh_token grant type, using the token from step 2, and get fresh access/id_tokens.

      4. Try to terminate the session using the second id_token from step 3 (endSession?id_token_hint=<id_token_2>).

      5. The session still exists on the server. Going back to step 1 automatically authenticates.

      Only one entry in the logs:

      "b6874c54-c0cd-4cc9-8bdd-c7b6208e57d3-355","2017-02-28T23:56:52.490Z","AM-SESSION-CREATED","b6874c54-c0cd-4cc9-8bdd-c7b6208e57d3-351","id=demo,ou=user,dc=openam,dc=forgerock,dc=org","[""33d5099649ed922f01""]","id=dsameuser,ou=user,dc=openam,dc=forgerock,dc=org","33d5099649ed922f01","CREATE",,,,,"Session","/"

      EXPECTED:

      The session is destroyed. When going back to step 1, AM asks to re-authenticate.

      "b6874c54-c0cd-4cc9-8bdd-c7b6208e57d3-518","2017-02-28T23:58:58.363Z","AM-SESSION-CREATED","b6874c54-c0cd-4cc9-8bdd-c7b6208e57d3-514","id=demo,ou=user,dc=openam,dc=forgerock,dc=org","[""5ee682571978a2501""]","id=dsameuser,ou=user,dc=openam,dc=forgerock,dc=org","5ee682571978a2501","CREATE",,,,,"Session","/"
      "b6874c54-c0cd-4cc9-8bdd-c7b6208e57d3-604","2017-03-01T00:00:20.157Z","AM-SESSION-DESTROYED","b6874c54-c0cd-4cc9-8bdd-c7b6208e57d3-602","id=demo,ou=user,dc=openam,dc=forgerock,dc=org","[""5ee682571978a2501""]","id=dsameuser,ou=user,dc=openam,dc=forgerock,dc=org","5ee682571978a2501","DELETE",,,,,"Session","/"
      

      Using only the first id_token (and skipping the refresh_token grant step), the session is destroyed correctly.
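      The symptom in the activity log above (an AM-SESSION-CREATED entry with no matching AM-SESSION-DESTROYED) can be checked mechanically, which is useful both for confirming the reproduction and for spotting ineffective logouts in production logs. The following is an added example, not code from this ticket or from OpenAM: it parses activity-log CSV rows, correlates session CREATE and DELETE events by objectId, and reports sessions that were never destroyed. The column names are an assumption based on the 15-field layout of the sample lines (OpenAM's activity.csv also carries a header row, which the ticket omits); the two embedded logs are constructed from the "actual" and "expected" lines in the description.

```python
import csv
import io
import json
import textwrap

# Column layout assumed for OpenAM's activity audit CSV (15 fields, matching
# the sample lines in the ticket; the real file also starts with a header row).
COLUMNS = ["_id", "timestamp", "eventName", "transactionId", "userId",
           "trackingIds", "runAs", "objectId", "operation", "before",
           "after", "changedFields", "revision", "component", "realm"]

# Constructed sample: the log seen after step 4 in the ticket (CREATE only).
ACTUAL_LOG = textwrap.dedent('''\
    "b6874c54-c0cd-4cc9-8bdd-c7b6208e57d3-355","2017-02-28T23:56:52.490Z","AM-SESSION-CREATED","b6874c54-c0cd-4cc9-8bdd-c7b6208e57d3-351","id=demo,ou=user,dc=openam,dc=forgerock,dc=org","[""33d5099649ed922f01""]","id=dsameuser,ou=user,dc=openam,dc=forgerock,dc=org","33d5099649ed922f01","CREATE",,,,,"Session","/"
    ''')

# Constructed sample: the expected log (CREATE followed by DELETE).
EXPECTED_LOG = textwrap.dedent('''\
    "b6874c54-c0cd-4cc9-8bdd-c7b6208e57d3-518","2017-02-28T23:58:58.363Z","AM-SESSION-CREATED","b6874c54-c0cd-4cc9-8bdd-c7b6208e57d3-514","id=demo,ou=user,dc=openam,dc=forgerock,dc=org","[""5ee682571978a2501""]","id=dsameuser,ou=user,dc=openam,dc=forgerock,dc=org","5ee682571978a2501","CREATE",,,,,"Session","/"
    "b6874c54-c0cd-4cc9-8bdd-c7b6208e57d3-604","2017-03-01T00:00:20.157Z","AM-SESSION-DESTROYED","b6874c54-c0cd-4cc9-8bdd-c7b6208e57d3-602","id=demo,ou=user,dc=openam,dc=forgerock,dc=org","[""5ee682571978a2501""]","id=dsameuser,ou=user,dc=openam,dc=forgerock,dc=org","5ee682571978a2501","DELETE",,,,,"Session","/"
    ''')


def parse_activity_log(text):
    """Parse activity-log CSV text into a list of dicts keyed by COLUMNS.

    Skips an optional header row and decodes the JSON trackingIds array
    (written as ""..."" inside the quoted CSV field).
    """
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields or fields[0] == "_id":
            continue
        if len(fields) != len(COLUMNS):
            raise ValueError("unexpected field count %d in %r" % (len(fields), fields))
        row = dict(zip(COLUMNS, fields))
        row["trackingIds"] = json.loads(row["trackingIds"]) if row["trackingIds"] else []
        rows.append(row)
    return rows


def session_lifecycle(rows):
    """Map each Session objectId to its CREATED / DESTROYED timestamps.

    Rows are processed in timestamp order so a DELETE logged before the
    matching CREATE (clock skew, out-of-order files) is still attributed.
    """
    life = {}
    for row in sorted(rows, key=lambda r: r["timestamp"]):
        if row["component"] != "Session":
            continue
        entry = life.setdefault(row["objectId"],
                                {"userId": row["userId"], "created": None, "destroyed": None})
        if row["eventName"] == "AM-SESSION-CREATED":
            entry["created"] = row["timestamp"]
        elif row["eventName"] == "AM-SESSION-DESTROYED":
            entry["destroyed"] = row["timestamp"]
    return life


def undestroyed_sessions(rows):
    """Return [(objectId, userId, createdAt)] for sessions created but never destroyed."""
    return [(sid, e["userId"], e["created"])
            for sid, e in session_lifecycle(rows).items()
            if e["created"] and not e["destroyed"]]


def logout_was_effective(text, session_id):
    """True only if the log shows session_id created and then destroyed."""
    e = session_lifecycle(parse_activity_log(text)).get(session_id)
    return bool(e and e["created"] and e["destroyed"] and e["destroyed"] >= e["created"])


if __name__ == "__main__":
    for name, log in (("actual", ACTUAL_LOG), ("expected", EXPECTED_LOG)):
        leftover = undestroyed_sessions(parse_activity_log(log))
        print("%s: %s" % (name, leftover or "all sessions destroyed"))
```

      Run it as-is to compare the two embedded logs, or pass the contents of a real activity.csv to parse_activity_log; any session listed by undestroyed_sessions after an endSession call is a logout that did not take effect on the server.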


              People

              • Assignee: quentin.castel Quentin CASTEL (Inactive)
              • Reporter: joe.starling Joe Starling
              • Votes: 0
              • Watchers: 8
