[MGNLSSO-12] Logout does not invalidate SSO Session (Keycloak Logout Redirect not working) Created: 29/Oct/19 Updated: 07/Apr/21 Resolved: 07/Apr/21 |
|
| Status: | Closed |
| Project: | Single Sign On |
| Component/s: | None |
| Affects Version/s: | 2.2 Incubator |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Neutral |
| Reporter: | Martin Schmid | Assignee: | Lars Fischer |
| Resolution: | Outdated | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | 1h | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | 1h | ||
| Environment: |
Magnolia CMS 6.1.2 DX Core / Tomcat 9.0.22 / OpenJdk 11 / Ubuntu 19.10 |
||
| Patch included: |
Yes
|
| Description |
|
The Logout Filter does not log out the OpenID SSO user session. Configuration of OpenID / Keycloak was made correctly by adding "endSessionEndpoint" and setting "openIdLogoutEnabled" to true. I also added the property "authenticationServiceName" in the Logout Filter configuration and pointed the class to Magnolia's SSOLogoutFilter.

At the end of the doFilter method of the SSOLogoutFilter, the overridden method from the "classic" LogoutFilter is called (super.doFilter(request, response, chain)). In the "classic" LogoutFilter class, the user gets logged out and the session gets invalidated. In the case of SSO, the response is modified to use the SSO logout endpoint. But then the filter chain starts again. In an SSO context this will result in a re-login / refresh of the still existing SSO session, so that the SSO user remains logged in.

Solution: Instead of: ... it should be: ... In a non-SSO environment, this will invalidate the session without the restart of the filter chain. Anyhow, the user session is already invalidated, so the user will be redirected to the same page without a session and the filter chain will be passed through again. |
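The pattern the report argues for, as an added illustration that is not Magnolia's SSOLogoutFilter or LogoutFilter code: invalidate the local session, redirect the browser to the IdP's end-session endpoint, and return without continuing the filter chain. The endpoint and redirect URI are constructed placeholders, the "id_token" session attribute is assumed to have been stored at login, and the query parameters follow OpenID Connect RP-Initiated Logout.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter, not project code; Servlet 4.0 (Tomcat 9) provides default init/destroy.
public class OidcLogoutFilter implements Filter {
    // Placeholder values; in a real deployment these come from the SSO configuration.
    private static final String END_SESSION_ENDPOINT =
        "https://idp.example.test/realms/demo/protocol/openid-connect/logout";
    private static final String POST_LOGOUT_REDIRECT_URI = "https://app.example.test/";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!"/logout".equals(request.getServletPath())) {
            chain.doFilter(req, res); // not a logout request: normal processing
            return;
        }

        HttpSession session = request.getSession(false);
        String idToken = session == null ? null : (String) session.getAttribute("id_token");

        // 1. End the local application session first.
        if (session != null) {
            session.invalidate();
        }

        // 2. Send the browser to the IdP end-session endpoint so the SSO session ends too;
        //    id_token_hint tells the IdP which session the request refers to.
        StringBuilder target = new StringBuilder(END_SESSION_ENDPOINT)
            .append("?post_logout_redirect_uri=")
            .append(URLEncoder.encode(POST_LOGOUT_REDIRECT_URI, StandardCharsets.UTF_8));
        if (idToken != null) {
            target.append("&id_token_hint=").append(URLEncoder.encode(idToken, StandardCharsets.UTF_8));
        }
        response.sendRedirect(target.toString());

        // 3. Do not call chain.doFilter here: continuing the chain after the redirect lets a
        //    downstream login filter re-authenticate against the still-live SSO session.
    }
}
```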
| Comments |
| Comment by Lars Fischer [ 29/Oct/19 ] |
|
Hi mschmid, thanks for the info about the logout process. For me the Keycloak redirect process worked after a short test recently, but anyway I am reviewing the logout process and code at the moment, so I will surely consider your input! Best regards, Lars
|
| Comment by Lars Fischer [ 01/Nov/19 ] |
|
The problem is that this is a change in a Magnolia core class not in the SSO Connector itself. |
| Comment by Martin Schmid [ 04/Nov/19 ] |
|
This is true, but the error is only triggered when using this method by calling super() from SSOLogoutFilter. |
| Comment by Lars Fischer [ 05/Nov/19 ] |
|
I tested the Keycloak logout and it worked seamlessly - I could also see existing and removed sessions in the administration console. I assume there is something wrong with your configuration so that the logout is not really executed. There are also some improvements in the logout code (version 2.5.1). |