
Calling Logout and passing a goto URL parameter with an expired session, goto URL is ignored

    Details

    • Sprint: AM Sustaining Sprint 48, AM Sustaining Sprint 49, AM Sustaining Sprint 50, AM Sustaining Sprint 51
    • Story Points: 3
    • Needs backport: Yes
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification: No
    • Functional tests: No
    • Are the reproduction steps defined?: Yes, and I used the same as in the description

      Description

      Bug description

      The goto parameter is not respected when calling logout with an expired session. This was fixed in OPENAM-2426 (https://bugster.forgerock.org/jira/browse/OPENAM-2426); tested with OpenAM 11.0.0, it redirects to the goto URL. Testing with AM 5.1.1, the goto URL is ignored.

      How to reproduce the issue

      Logout with a valid session:

      Trying the logout from the XUI: http://openam.example.com:8080/openam/XUI/#logout/&goto=http://bbc.co.uk

      The redirect works. HTTP trace:

      POST http://openam.example.com:8080/openam/json/users?_action=validateGoto
      POST http://openam.example.com:8080/openam/json/sessions?_action=logout&goto=http%3A%2F%2Fbbc.co.uk
      GET http://bbc.co.uk/

      Logout with an invalid session:

      Log in, then delete all cookies and cache from the browser.
      Trying the logout from the XUI:

      http://openam.example.com:8080/openam/XUI/#logout/&goto=http://bbc.co.uk

      The redirect does not work (it sends you back to the login screen). HTTP trace:

      http://openam.example.com:8080/openam/json/users?_action=validateGoto
      HTTP/?.? 401 Unauthorized
      http://openam.example.com:8080/openam/json/sessions?_action=logout
      HTTP/?.? 401 Unauthorized

      (validateGoto requires a valid token)

      Expected behaviour

      Redirect to the goto URL.

      Current behaviour

      You are sent to the login screen.
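      A small Python model of the two behaviours described above, added here as an example and not code from OpenAM: the login page URL, the allowlist and its `/*` wildcard form are assumptions, while gating the redirect on a validateGoto-style check follows the HTTP traces in this report.

```python
from urllib.parse import urlparse

LOGIN_PAGE = "http://openam.example.com:8080/openam/XUI/#login/"  # assumption
# Constructed stand-in for AM's configured list of valid goto URL resources (assumption).
VALID_GOTO = ["http://bbc.co.uk", "https://app.example.com/*"]


def goto_allowed(goto, allowlist=VALID_GOTO):
    """Modelled on what validateGoto is there for: only an absolute http(s) URL whose
    scheme, host and port match an allowlist entry is accepted. An entry ending in
    '/*' admits any path below it (assumed wildcard form); otherwise the path must match."""
    try:
        g = urlparse(goto)
    except ValueError:
        return False
    if g.scheme not in ("http", "https") or not g.netloc:
        return False
    for entry in allowlist:
        wildcard = entry.endswith("/*")
        e = urlparse(entry[:-2] if wildcard else entry)
        if (g.scheme, g.netloc) != (e.scheme, e.netloc):
            continue  # host mismatch also rejects "http://bbc.co.uk@evil.example"
        if wildcard and g.path.startswith(e.path or "/"):
            return True
        if not wildcard and g.path.rstrip("/") == e.path.rstrip("/") and not g.query:
            return True
    return False


def logout_redirect_reported(session_valid, goto):
    """AM 5.1.1 as traced in the report: validateGoto and the logout action both
    require a valid token, so with an expired session both return 401 and the
    user lands on the login screen; the goto is silently dropped."""
    if not session_valid:
        return LOGIN_PAGE
    return goto if goto_allowed(goto) else LOGIN_PAGE


def logout_redirect_expected(session_valid, goto):
    """Expected behaviour (as in OPENAM-2426): the goto is honoured whether or not
    the session is still alive, but only after the allowlist check, so an expired
    session does not turn the logout endpoint into an open redirect."""
    # session_valid only decides whether there is a session to destroy first;
    # the redirect decision does not depend on it.
    return goto if goto_allowed(goto) else LOGIN_PAGE
```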

      Workaround

      None

      Code analysis

      https://stash.forgerock.org/projects/OPENAM/repos/openam/browse/openam-core/src/main/java/com/sun/identity/authentication/service/AuthUtils.java

      This is the class that was fixed in OPENAM-2426:

      AuthUtils.java

      public static boolean logout(Session intSession,
                                   SSOToken token,
                                   HttpServletRequest request,
                                   HttpServletResponse response)
              throws SSOException {

          if (token == null) {
              return false;
          }
          // ... remainder of the method not quoted in the report

      Probably not related to this fix, but does it have to do with the validateGoto REST endpoint?

      People

      • Assignee: Lawrence Yarham (lawrence.yarham)
      • Reporter: Tasos Kampas (anastasios.kampas)
      • QA Assignee: Filip Kubáň [X] (Inactive)