
RP-Initiated Logout does not handle state parameter

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4
    • Fix Version/s: 5.5.3, 6.0.1, 6.5.3, 7.0.0
    • Component/s: OpenID Connect
    • Labels:
    • Environment:
      Oracle JDK 1.8.0_151-b12
      Apache Tomcat/9.0.8
      AM 6.0.0.4
    • Sprint:
      AM Sustaining Sprint 67, AM Sustaining Sprint 68, AM Sustaining Sprint 69, AM Sustaining Sprint 70, AM Sustaining Sprint 71, AM Sustaining Sprint 72, AM Sustaining Sprint 73, AM Sustaining Sprint 74
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      AM does not comply with https://openid.net/specs/openid-connect-session-1_0.html#RPLogout, as the state parameter is not sent back to the RP.

      How to reproduce the issue


      1. Perform an RP-initiated logout and provide a state parameter:
      http://am6004.test.xyz:8080/am/oauth2/realms/root/realms/sub1/connect/endSession?id_token_hint=SOME_TOKEN&post_logout_redirect_uri=http://localhost&state=def

      Expected behaviour

      The state parameter should be sent back as specified in the draft, e.g.

      Location: http://localhost&state=def

      Current behaviour

      The state parameter is not sent back:

      Location: http://localhost


      Code analysis

      org.forgerock.openidconnect.restlet.EndSession.java
      ...
          /**
           * Handles GET requests to the OpenId Connect end session endpoint for ending OpenId Connect user sessions.
           *
           * @return The OpenId Connect token of the session that has ended.
           * @throws OAuth2RestletException If an error occurs whilst ending the users session.
           */
          @Get
          public Representation endSession() throws OAuth2RestletException {
      
              final OAuth2Request request = requestFactory.create(getRequest());
              final String idToken = request.getParameter(OAuth2Constants.Params.END_SESSION_ID_TOKEN_HINT);
              final String redirectUri = request.getParameter(OAuth2Constants.Params.POST_LOGOUT_REDIRECT_URI);
              try {
                  if (idToken == null || idToken.isEmpty()) {
                      logger.warn("No id_token_hint parameter supplied to the endSession endpoint");
                      throw new BadRequestException("The endSession endpoint requires an id_token_hint parameter");
                  }
                  OAuth2Jwt jwt = OAuth2Jwt.create(idToken);
                  if (!clientRegistrationStore.get(jwt).verifyIdTokenSignedByUsWithConfiguredAlg(jwt)) {
                      throw new BadRequestException("Unknown JWT");
                  }
      
                  HttpServletRequest servletRequest = ServletUtils.getRequest(request.<Request>getRequest());
                  // Store the redirect uri as a goto url so that its available for the PAPs to include in their processing
                  if (StringUtils.isNotEmpty(redirectUri)) {
                      servletRequest.setAttribute(ISAuthConstants.GOTO_PARAM, redirectUri);
                  }
                  openIDConnectEndSession.endSession(request, jwt);
                  String postLogoutProcessURL = AuthUtils.getPostProcessURL(servletRequest,
                          AMPostAuthProcessInterface.POST_PROCESS_LOGOUT_URL);
                  if (StringUtils.isNotEmpty(postLogoutProcessURL)) {
                      return handleRedirectToPostLogoutProcessURL(request, jwt, postLogoutProcessURL, redirectUri);
                  } else if (StringUtils.isNotEmpty(redirectUri)) {
                      return handleRedirect(request, jwt, redirectUri);
                  }
              } catch (OAuth2Exception e) {
                  throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), null);
              }
              return null;
          }
      ...
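      The excerpt above reads id_token_hint and post_logout_redirect_uri but never reads state, so the value cannot reach the redirect. As an added illustration (not AM code), the following shows the OP-side construction the draft calls for, appending state to post_logout_redirect_uri as a properly encoded query parameter, together with the RP-side check that the echoed state matches the one it sent; the redirect URIs and state values are constructed sample data.

```python
"""RP-Initiated Logout state round-trip, constructed example (not AM code).

OP side: append the RP's `state` to `post_logout_redirect_uri`.
RP side: accept the post-logout redirect only if it carries exactly the
state the RP sent, so a response can be correlated with its request.
"""
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def build_post_logout_location(post_logout_redirect_uri: str,
                               state: Optional[str]) -> str:
    """Return the Location header value the OP should redirect to.

    `state` is added to any existing query string with proper URL
    encoding and placed before a fragment; when the RP supplied no
    state, the redirect URI is returned unchanged.
    """
    if not state:
        return post_logout_redirect_uri
    parts = urlsplit(post_logout_redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("state", state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def rp_logout_response_is_valid(location: str, expected_state: str) -> bool:
    """RP-side check: exactly one `state` value, equal to what we sent.

    A missing state (the behaviour reported in this issue) or a
    duplicated state parameter is rejected.
    """
    states = [v for k, v in parse_qsl(urlsplit(location).query,
                                      keep_blank_values=True)
              if k == "state"]
    return states == [expected_state]


if __name__ == "__main__":
    # Constructed sample: the reporter's redirect URI and state value.
    fixed = build_post_logout_location("http://localhost", "def")
    print(fixed)                                   # http://localhost?state=def
    print(rp_logout_response_is_valid(fixed, "def"))          # True
    print(rp_logout_response_is_valid("http://localhost", "def"))  # False
```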
      

              People

              • Assignee:
                chee-weng.chea C-Weng C
              • Reporter:
                bthalmayr Bernhard Thalmayr