OpenAM / OPENAM-13831

RP-Initiated Logout does not handle state parameter


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0
    • Fix Version/s: 5.5.3, 6.0.1, 6.5.3, 7.0.0
    • Component/s: OpenID Connect
    • Labels:
    • Environment:
      Oracle JDK 1.8.0_151-b12
      Apache Tomcat/9.0.8
    • Sprint:
      AM Sustaining Sprint 67, AM Sustaining Sprint 68, AM Sustaining Sprint 69, AM Sustaining Sprint 70, AM Sustaining Sprint 71, AM Sustaining Sprint 72, AM Sustaining Sprint 73, AM Sustaining Sprint 74
    • Story Points:
    • Needs backport:
    • Support Ticket IDs:
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description


      Bug description

      AM does not comply with https://openid.net/specs/openid-connect-session-1_0.html#RPLogout, as the state parameter is not sent back to the RP.

      How to reproduce the issue


      1. Perform an RP-initiated logout and provide a state parameter.


      Expected behaviour

      The state parameter should be sent back as specified in the draft, e.g.
      Location: http://localhost&state=def

      Current behaviour

      The state parameter is not sent back:
      Location: http://localhost

      Code analysis

      The endSession() handler only reads id_token_hint and post_logout_redirect_uri from the request; the state parameter is never read, so it cannot be appended to the redirect. (Closing braces and the javadoc delimiters were lost in the paste and are restored here; the second argument of AuthUtils.getPostProcessURL() was truncated in the original and is left as it was.)

          /**
           * Handles GET requests to the OpenId Connect end session endpoint for ending OpenId Connect user sessions.
           *
           * @return The OpenId Connect token of the session that has ended.
           * @throws OAuth2RestletException If an error occurs whilst ending the users session.
           */
          public Representation endSession() throws OAuth2RestletException {
              final OAuth2Request request = requestFactory.create(getRequest());
              final String idToken = request.getParameter(OAuth2Constants.Params.END_SESSION_ID_TOKEN_HINT);
              final String redirectUri = request.getParameter(OAuth2Constants.Params.POST_LOGOUT_REDIRECT_URI);
              // The "state" request parameter is not read anywhere in this method, so it is never echoed back.
              try {
                  if (idToken == null || idToken.isEmpty()) {
                      logger.warn("No id_token_hint parameter supplied to the endSession endpoint");
                      throw new BadRequestException("The endSession endpoint requires an id_token_hint parameter");
                  }
                  OAuth2Jwt jwt = OAuth2Jwt.create(idToken);
                  if (!clientRegistrationStore.get(jwt).verifyIdTokenSignedByUsWithConfiguredAlg(jwt)) {
                      throw new BadRequestException("Unknown JWT");
                  }
                  HttpServletRequest servletRequest = ServletUtils.getRequest(request.<Request>getRequest());
                  // Store the redirect uri as a goto url so that it is available for the PAPs to include in their processing
                  if (StringUtils.isNotEmpty(redirectUri)) {
                      servletRequest.setAttribute(ISAuthConstants.GOTO_PARAM, redirectUri);
                  }
                  openIDConnectEndSession.endSession(request, jwt);
                  String postLogoutProcessURL = AuthUtils.getPostProcessURL(servletRequest,
                          /* second argument truncated in the original snippet */
                  if (StringUtils.isNotEmpty(postLogoutProcessURL)) {
                      // Both redirect paths receive only redirectUri; no state value is passed along.
                      return handleRedirectToPostLogoutProcessURL(request, jwt, postLogoutProcessURL, redirectUri);
                  } else if (StringUtils.isNotEmpty(redirectUri)) {
                      return handleRedirect(request, jwt, redirectUri);
                  }
              } catch (OAuth2Exception e) {
                  throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), null);
              }
              return null;
          }
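As an added illustration (not AM's code), the following Python models the end_session handling the report asks for: id_token_hint is required, post_logout_redirect_uri is honoured only if it exactly matches a URI registered for the RP, and a supplied state value is echoed back as a URL-encoded query parameter (so a bare host becomes http://localhost?state=def). The registered-URI set and request parameters are constructed sample data, and the id_token_hint value is only checked for presence here, not verified as in the real handler.

```python
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Constructed registration data: the post_logout_redirect_uris the RP registered
# with the OP. A real OP would look these up for the client named in the
# id_token_hint (the clientRegistrationStore in the snippet above).
REGISTERED_POST_LOGOUT_URIS = {"http://localhost", "https://rp.example.com/done?src=op"}


def append_state(redirect_uri, state):
    """Append state as a URL-encoded query parameter, keeping any existing query."""
    parts = urlparse(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("state", state))
    return urlunparse(parts._replace(query=urlencode(query)))


def end_session(params, registered_uris=REGISTERED_POST_LOGOUT_URIS):
    """Model the end_session response as (HTTP status, Location header or None).

    - id_token_hint is required, as in the handler quoted above (presence only;
      signature verification is out of scope for this model).
    - post_logout_redirect_uri is used only if it exactly matches a registered
      value; an unregistered target gets no redirect at all.
    - If the RP sent state, it is echoed back, which is the behaviour this
      issue reports as missing.
    """
    if not params.get("id_token_hint"):
        return 400, None
    redirect_uri = params.get("post_logout_redirect_uri")
    if not redirect_uri:
        return 200, None                # session ended, nothing to redirect to
    if redirect_uri not in registered_uris:
        return 400, None                # never redirect to an unregistered URI
    state = params.get("state")
    location = append_state(redirect_uri, state) if state else redirect_uri
    return 302, location
```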


    • Assignee:
      chee-weng.chea C-Weng C
      bthalmayr Bernhard Thalmayr
    • Votes: 4
    • Watchers: 10