Details
Bug
Resolution: Outdated
Neutral
2.2 Incubator
Magnolia CMS 6.1.2 DX Core / Tomcat 9.0.22 / OpenJdk 11 / Ubuntu 19.10
Description
The Logout Filter does not log out the OpenID SSO user session.
Configuration of OpenID / Keycloak was made correct by adding "endSessionEndpoint" and setting "openIdLogoutEnabled" to true.
I also added the property "authenticationServiceName" in the Logout Filter configuration and pointed the class to Magnolia's SSOLogoutFilter.
At the end of the doFilter method of the SSOLogoutFilter, the overridden method from the "classic" LogoutFilter is called (super.doFilter(request, response, chain)).
In the "classic" LogoutFilter class, the user gets logged out and the session gets invalidated. In the case of SSO, the response is modified to use the SSO logout endpoint. But then the filter chain starts again. In an SSO context this results in a re-login / refresh of the still-existing SSO session, so the SSO user remains logged in.
Solution:
Instead of:
    ...
            // SSO case: redirect the browser to the IdP's end-session endpoint
            response.sendRedirect(resolveLogoutRedirectLink(request));
        }
        // continues the chain even after the redirect was sent
        chain.doFilter(request, response);
    }
it should be:
    ...
            // SSO case: redirect the browser to the IdP's end-session endpoint
            response.sendRedirect(resolveLogoutRedirectLink(request));
        } else {
            // non-SSO case only: let the remaining filters run
            chain.doFilter(request, response);
        }
    }
In a non-SSO environment, this will invalidate the session without restarting the filter chain. Anyhow, the user session is already invalidated, so the user will be redirected to the same page without a session and the filter chain will be passed through again.
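To make the re-login mechanism concrete, here is an added, stand-alone Java example that is not Magnolia code and does not use the servlet API: the Request, Response, Chain and Filter types below are minimal hypothetical stand-ins, the "sso-login" filter stands in for whatever filter downstream re-establishes a local session from a still-live SSO session, and the end-session URL is a placeholder. It runs the reported logout filter (chain continues after the redirect) and the proposed fix (chain continues only in the non-SSO branch) through the same two-filter chain and records what each one does.

```java
import java.util.ArrayList;
import java.util.List;

public class LogoutChainDemo {

    // Hypothetical stand-ins for HttpServletRequest / HttpServletResponse.
    static class Request {
        boolean localSessionValid = true;
        final boolean ssoLogoutEnabled;   // mirrors "openIdLogoutEnabled"
        Request(boolean ssoLogoutEnabled) { this.ssoLogoutEnabled = ssoLogoutEnabled; }
    }
    static class Response {
        String redirect;                  // set once sendRedirect() was called
        void sendRedirect(String url) { redirect = url; }
    }

    // Hypothetical stand-ins for javax.servlet.Filter / FilterChain.
    interface Filter { void doFilter(Request req, Response res, Chain chain); }
    static class Chain {
        private final List<Filter> filters;
        private int pos = 0;
        final List<String> log = new ArrayList<>();   // what happened, in order
        Chain(List<Filter> filters) { this.filters = filters; }
        void doFilter(Request req, Response res) {
            if (pos < filters.size()) filters.get(pos++).doFilter(req, res, this);
        }
    }

    // Downstream filter: with no local session but a live SSO session it
    // re-creates the local session, which is the "re-login" the report describes.
    static Filter ssoLoginFilter(boolean ssoSessionAlive) {
        return (req, res, chain) -> {
            if (!req.localSessionValid && ssoSessionAlive) {
                req.localSessionValid = true;
                chain.log.add("sso-login: re-created local session");
            }
            chain.doFilter(req, res);
        };
    }

    // Reported behaviour: chain.doFilter() runs even after the SSO redirect.
    static Filter reportedLogoutFilter() {
        return (req, res, chain) -> {
            req.localSessionValid = false;
            chain.log.add("logout: local session invalidated");
            if (req.ssoLogoutEnabled) {
                res.sendRedirect("https://idp.example/end-session"); // placeholder endSessionEndpoint
                chain.log.add("logout: redirect to end-session endpoint");
            }
            chain.doFilter(req, res);
        };
    }

    // Proposed fix: the chain only continues in the non-SSO branch.
    static Filter fixedLogoutFilter() {
        return (req, res, chain) -> {
            req.localSessionValid = false;
            chain.log.add("logout: local session invalidated");
            if (req.ssoLogoutEnabled) {
                res.sendRedirect("https://idp.example/end-session"); // placeholder endSessionEndpoint
                chain.log.add("logout: redirect to end-session endpoint");
            } else {
                chain.doFilter(req, res);
            }
        };
    }

    // Runs one request through [logout filter, sso-login filter] and returns the log.
    static List<String> run(Filter logout, boolean ssoLogoutEnabled, boolean ssoSessionAlive) {
        Request req = new Request(ssoLogoutEnabled);
        Response res = new Response();
        Chain chain = new Chain(List.of(logout, ssoLoginFilter(ssoSessionAlive)));
        chain.doFilter(req, res);
        chain.log.add("end: local session valid = " + req.localSessionValid);
        return chain.log;
    }

    public static void main(String[] args) {
        System.out.println("reported, SSO enabled: " + run(reportedLogoutFilter(), true, true));
        System.out.println("fixed,    SSO enabled: " + run(fixedLogoutFilter(), true, true));
        System.out.println("fixed,    no SSO:      " + run(fixedLogoutFilter(), false, false));
    }
}
```

In the reported variant the log shows the local session being invalidated, the redirect being issued, and then the downstream filter re-creating the session in the same request, so the user ends the request logged in again. With the fix the SSO request ends right after the redirect, while the non-SSO path still reaches the rest of the chain, which is the behaviour the last paragraph describes.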