OPENAM-12626

OIDC endSession endpoint does not call post authentication plugin onLogout functions

    Details

    • Target Version/s:
    • Sprint:
      AM Sustaining Sprint 49, AM Sustaining Sprint 50
    • Story Points:
      2
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      When the OIDC endSession endpoint is called, the user's session is terminated, but no post authentication plugin (PAP) onLogout processing is invoked.

      How to reproduce the issue

      1. Create a hosted SP and IdP on two OpenAM instances.
      2. Create an Auth Chain using the SAML2 Authentication module as explained in the following article: https://backstage.forgerock.com/knowledge/kb/article/a88521204
      3. Create an OIDC Provider in the top level realm of the SP.
      4. Create an OAuth2 agent/client with id myClientID and password secret. Add the scopes profile and openid.
      5. Install the OpenID sample application and configure common.js to set the server URL, the top level realm and the client details above.
      6. Navigate to the openid home page, then select Basic Flow.
      7. Add the redirect URI specified on the openid page above to the OAuth2 client.
      8. At the SP, log in to the OpenAM chain as the demo user using the following example: http://host2.example.com:8080/openam/XUI/#login?service=testChain. Verify that the user is prompted to log in and, after doing so successfully, reaches the user profile page on the SP.
      9. Use the basic flow of the openid application in the same browser window. Verify that the user is prompted for authorization and that the callback page is reached showing the id_token details.
      10. In the same browser window, terminate the session using the following URL (or similar): http://host2.example.com:8080/openam/oauth2/connect/endSession?id_token_hint=<id_token>&post_logout_redirect_uri=https://www.google.com
      11. Repeat step 8.

      Expected behaviour

      The user is prompted to log in again at the IdP.

      Current behaviour

      The user's session at the IdP is still valid, so the user is taken straight to their profile page.
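      An added check for steps 10 and 11 (example code, not part of this issue or of OpenAM): it builds the endSession request from the id_token and maps the IdP's session-validation answer onto the two outcomes above. The IdP hostname host1.example.com, the issuer check, the unsigned sample token and the /json/sessions?_action=validate REST action are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

SP_BASE = "http://host2.example.com:8080/openam"   # OP/SP host used in the report
IDP_BASE = "http://host1.example.com:8080/openam"  # assumed IdP host


def decode_claims(id_token: str) -> dict:
    """Read the payload of a compact JWT without verifying it; we only need iss/sub
    to confirm the id_token_hint belongs to the OP we are about to call."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def end_session_url(id_token: str, post_logout_redirect_uri: str) -> str:
    """Build the endSession request from step 10 of the report."""
    iss = decode_claims(id_token).get("iss", "")
    if not iss.startswith(SP_BASE):
        raise ValueError(f"id_token issuer {iss!r} is not the OP at {SP_BASE}")
    query = urllib.parse.urlencode(
        {"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{SP_BASE}/oauth2/connect/endSession?{query}"


def idp_session_valid(idp_sso_token: str) -> dict:
    """Ask the IdP whether its SSO token is still valid (assumed AM REST action)."""
    req = urllib.request.Request(
        f"{IDP_BASE}/json/sessions?_action=validate",
        data=json.dumps({"tokenId": idp_sso_token}).encode(),
        headers={"Content-Type": "application/json", "Accept-API-Version": "resource=2.1"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def classify(idp_answer: dict) -> str:
    """Map the IdP's validate response onto the report's two outcomes."""
    if idp_answer.get("valid") is True:
        return "BUG PRESENT: IdP session still valid after endSession (current behaviour)"
    return "OK: IdP session invalidated; user must log in again (expected behaviour)"


def sample_id_token(sub: str = "demo") -> str:
    """Constructed, unsigned id_token for offline testing only (not from the page)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({'iss': SP_BASE + '/oauth2', 'sub': sub})}."
```

      To run the check against a deployment, open end_session_url(...) in the browser holding the sessions from step 9, then pass the IdP's iPlanetDirectoryPro cookie value to idp_session_valid and feed the result to classify.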
      

      Work around

      Call the AM logout endpoint instead. If it is desired to include a goto parameter, this workaround will work once OPENAM-12553 is resolved.

      Code analysis

      EndSession.endSession
      
      This calls openIDConnectEndSession.endSession which destroys the OP user's session, but no PAP processing is called before redirecting to the post_logout_redirect_uri.

      People

      • Assignee: lawrence.yarham (Lawrence Yarham)
      • Reporter: lawrence.yarham (Lawrence Yarham)