[MGNLSSO-12] Logout does not invalidate SSO Session (Keycloak Logout Redirect not working) Created: 29/Oct/19  Updated: 07/Apr/21  Resolved: 07/Apr/21

Status: Closed
Project: Single Sign On
Component/s: None
Affects Version/s: 2.2 Incubator
Fix Version/s: None

Type: Bug Priority: Neutral
Reporter: Martin Schmid Assignee: Lars Fischer
Resolution: Outdated Votes: 0
Labels: None
Remaining Estimate: 1h
Time Spent: Not Specified
Original Estimate: 1h
Environment:

Magnolia CMS 6.1.2 DX Core / Tomcat 9.0.22 / OpenJdk 11 / Ubuntu 19.10


Attachments: Java Source File LogoutFilter.java    
Template:
Patch included:
Yes
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:

 Description   

The Logout Filter does not logout the OpenID SSO User Session. 

Configuration of OpenID / Keycloak was made correctly by adding "endSessionEndpoint" and setting "openIdLogoutEnabled" to true. 

I also added the property "authenticationServiceName" in the Logout Filter configuration and pointed the class to Magnolia's SSOLogoutFilter. 

At the end of the doFilter method of the SSOLogoutFilter, the overridden method from the "classic" LogoutFilter is called (super.doFilter(request, response, chain)).

In the "classic" LogoutFilter class, the user gets logged out and the session gets invalidated. In the case of SSO, the response is modified to use the SSO logout endpoint. But then the filter chain starts again. In an SSO context this results in a re-login / refresh of the still existing SSO session, so that the SSO user remains logged in. 

Solution: 

Instead of:

...
  response.sendRedirect(resolveLogoutRedirectLink(request));
}
  chain.doFilter(request, response);
}

it should be: 

...
  response.sendRedirect(resolveLogoutRedirectLink(request));
} else {
  chain.doFilter(request, response);
}
}

In a non-SSO environment, this will invalidate the session without restarting the filter chain. Anyhow, the user session is already invalidated, so the user will be redirected to the same page without a session and the filter chain will be passed through again. 
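The control-flow point above, written out as a self-contained servlet filter. This is an added illustration for this ticket, not the attached LogoutFilter.java and not Magnolia's LogoutFilter or SSOLogoutFilter; the class name, the "mgnlLogout" request parameter, the init-parameter names and the query parameter appended to the end-session endpoint are assumptions chosen for the example. The essential part is the if/else around chain.doFilter: once the session has been invalidated and the redirect to the provider's end-session endpoint has been sent, the remaining filters must not run for this request, because a downstream SSO login filter would otherwise handle the same request and, with the provider session still alive, log the user straight back in.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical logout filter illustrating the chain.doFilter() placement
 * discussed in MGNLSSO-12. Not Magnolia's code; names are assumptions.
 */
public class ExampleLogoutFilter implements Filter {

    // Assumed request parameter that triggers a logout.
    private static final String LOGOUT_PARAM = "mgnlLogout";

    // Assumed init-parameters, mirroring the "endSessionEndpoint" and
    // "openIdLogoutEnabled" settings named in the ticket.
    private String endSessionEndpoint;
    private boolean openIdLogoutEnabled;

    @Override
    public void init(FilterConfig config) {
        endSessionEndpoint = config.getInitParameter("endSessionEndpoint");
        openIdLogoutEnabled = Boolean.parseBoolean(config.getInitParameter("openIdLogoutEnabled"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.getParameter(LOGOUT_PARAM) != null) {
            // 1. Drop the local (container) session.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // 2. Send the browser to the provider so the SSO session ends too.
            //    The response is now committed.
            response.sendRedirect(resolveLogoutRedirectLink(request));
        } else {
            // 3. Only non-logout requests continue down the chain. Calling
            //    chain.doFilter() after the redirect would let the SSO login
            //    filter further down handle this same request and re-establish
            //    the session from the still-valid provider session.
            chain.doFilter(request, response);
        }
    }

    /** Builds the post-logout target: the provider's end-session endpoint or the current page. */
    String resolveLogoutRedirectLink(HttpServletRequest request) {
        String postLogout = request.getRequestURL().toString();
        if (openIdLogoutEnabled && endSessionEndpoint != null) {
            // "post_logout_redirect_uri" is the OpenID Connect RP-Initiated Logout
            // parameter; whether the provider also requires an id_token_hint or
            // client_id depends on the provider version (assumption: not needed here).
            return endSessionEndpoint + "?post_logout_redirect_uri="
                    + URLEncoder.encode(postLogout, StandardCharsets.UTF_8);
        }
        return postLogout;
    }

    @Override
    public void destroy() {
    }
}
```

A quick way to confirm the fix on a running deployment is the one the ticket's comments already point at: after clicking logout, check the provider's administration console for the user's session; if it is still listed, the redirect to the end-session endpoint either never happened or was followed by a re-login.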



 Comments   
Comment by Lars Fischer [ 29/Oct/19 ]

Hi mschmid,

thanks for the info about the logout process. For me the Keycloak redirect process worked after a short test recently, but anyway I am reviewing the logout process and code at the moment, so I will surely consider your input!

Best regards

Lars


Comment by Lars Fischer [ 01/Nov/19 ]

The problem is that this is a change in a Magnolia core class not in the SSO Connector itself.

Comment by Martin Schmid [ 04/Nov/19 ]

This is true, but the error is only triggered when using this method by calling super() from SSOLogoutFilter. 
Only in this case does the missing bracket prevent the 'external' user from getting logged out. 

Comment by Lars Fischer [ 05/Nov/19 ]

I tested the Keycloak logout and it worked seamlessly - I could also see existing and removed sessions in the administration console. I assume there is something wrong with your configuration so that the logout is not really executed.

There are also some improvements in the logout code (version 2.5.1).
