Single Sign On / MGNLSSO-12

Logout does not invalidate SSO Session (Keycloak Logout Redirect not working)


Details

    • Type: Bug
    • Resolution: Outdated
    • Priority: Neutral
    • Fix version: 2.2 Incubator
    • Environment: Magnolia CMS 6.1.2 DX Core / Tomcat 9.0.22 / OpenJdk 11 / Ubuntu 19.10

    Description

      The Logout Filter does not log out the OpenID SSO user session.

      Configuration of OpenID / Keycloak was done correctly by adding "endSessionEndpoint" and setting "openIdLogoutEnabled" to true.

      I also added the property "authenticationServiceName" in the Logout Filter configuration and pointed the class to Magnolia's SSOLogoutFilter.

      At the end of the doFilter Method of the SSOLogoutFilter, the overridden method from "classic" LogoutFilter is called (super.doFilter(request, response, chain)).

      In the "classic" LogoutFilter class, the user gets logged out and the session gets invalidated. In the SSO case, the response is modified to use the SSO logout endpoint. But then the filter chain continues. In an SSO context this results in a re-login / refresh of the still existing SSO session, so the SSO user remains logged in.

      Solution:

      Instead of:

      ...
          response.sendRedirect(resolveLogoutRedirectLink(request));
        }
        chain.doFilter(request, response);
      }

      it should be:

      ...
          response.sendRedirect(resolveLogoutRedirectLink(request));
        } else {
          chain.doFilter(request, response);
        }
      }

      In a non-SSO environment, this will invalidate the session without restarting the filter chain. Anyhow, the user session is already invalidated, so the user will be redirected to the same page without a session and the filter chain will be passed through again.
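      As an added illustration of the corrected control flow (this is not Magnolia's SSOLogoutFilter or LogoutFilter), the following standalone servlet filter invalidates the local session, redirects to the provider's end-session endpoint with the standard OpenID Connect RP-initiated logout parameters, and returns without calling chain.doFilter. The endpoint URL, post-logout URI, the "mgnlLogout" parameter and the "oidc.idToken" session attribute are assumed values for this example.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not Magnolia code: a logout filter that does not continue the chain
// after redirecting to the OpenID Provider, so no downstream SSO filter can re-login.
public class RpInitiatedLogoutFilter implements Filter {
    // Assumed configuration values; a real deployment reads these from the SSO config.
    private static final String END_SESSION_ENDPOINT =
        "https://idp.example.test/realms/demo/protocol/openid-connect/logout";
    private static final String POST_LOGOUT_URI = "https://cms.example.test/";
    private static final String LOGOUT_PARAM = "mgnlLogout";   // assumed request parameter
    private static final String ID_TOKEN_ATTR = "oidc.idToken"; // assumed session attribute

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.getParameter(LOGOUT_PARAM) == null) {
            chain.doFilter(request, response); // not a logout request: normal processing
            return;
        }
        HttpSession session = request.getSession(false);
        String idToken = session == null ? null : (String) session.getAttribute(ID_TOKEN_ATTR);
        if (session != null) {
            session.invalidate(); // end the local (application) session first
        }
        response.sendRedirect(buildEndSessionUrl(idToken));
        // Deliberately no chain.doFilter here: continuing the chain would let the SSO
        // authentication filter see the still-valid provider session and log the user back in.
    }

    // Builds the RP-initiated logout URL: post_logout_redirect_uri tells the provider where
    // to send the browser afterwards; id_token_hint identifies the session being ended.
    static String buildEndSessionUrl(String idToken) {
        StringBuilder url = new StringBuilder(END_SESSION_ENDPOINT)
            .append("?post_logout_redirect_uri=").append(enc(POST_LOGOUT_URI));
        if (idToken != null) {
            url.append("&id_token_hint=").append(enc(idToken));
        }
        return url.toString();
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8); // Charset overload: Java 10+
    }
}
```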

      People

        lfischer Lars Fischer
        mschmid Martin Schmid