[MGNLSSO-75] Add new configuration postLogoutRedirectUri for SSO logout
Created: 17/Aug/21  Updated: 04/Feb/22  Resolved: 01/Dec/21

Status: Closed
Project: Single Sign On
Component/s: None
Affects Version/s: None
Fix Version/s: 2.0.1

Type: Bug
Priority: Neutral
Reporter: Carlos Cantalapiedra
Assignee: Nguyen Phung Chi
Resolution: Fixed
Votes: 1
Labels: maintenance
Remaining Estimate: Not Specified
Time Spent: 2d
Original Estimate: Not Specified

Issue Links:
Problem/Incident
causes MGNLSSO-95 DOC: Update SSO yaml configuration fo... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Documentation update required:
Yes
Date of First Response:
Sprint: Global Maintenance 2
Story Points: 3

 Description   

Steps to reproduce

  1. Install SSO module
  2. Configure against Microsoft Azure
  3. Login to the system
  4. Logout

Expected results

The post_logout_redirect_uri parameter is successfully recognized by Azure as the correct reply URL.

Actual results

The post_logout_redirect_uri parameter is wrong (not the one configured as the reply URL, but the request.getRequestURL() value).

Workaround

N/A

Development notes

The value added is based on request.getRequestURL(). This is not correct in many cases.
E.g. we have Tomcat running on HTTP and nginx running SSL. Tomcat doesn't know about SSL and identifies request.getRequestURL() as an HTTP URL.
The post_logout_redirect_uri value should be based on whatever is configured via "authenticationService.path".



 Comments   
Comment by Antony Hutchison [ 29/Sep/21 ]

We faced this issue too, and applied this workaround in the Azure App Gateway to force HTTPS.
 
Add a rewrite rule in app gateway to rewrite:

 (.*)post_logout_redirect_uri=http%3A(.*)

to:

{http_resp_Location_1}post_logout_redirect_uri=https%3A{http_resp_Location_2}
Comment by Boris Faniuk [ 04/Feb/22 ]

Hello! 

We've tested this new setting and discovered that postLogoutRedirectUri has to be an absolute URL (not relative).
See https://github.com/pac4j/pac4j/blob/pac4j-4.5.2/pac4j-core/src/main/java/org/pac4j/core/engine/DefaultLogoutLogic.java#L119 

Maybe you need to fix this documentation:

In addition, I would propose to think about simplifying the configuration:

  1. introduce baseUrl property (defaults to server.defaultBaseUrl)
  2. derive callbackUrl and postLogoutRedirectUri from baseUrl (defaulting to /.auth and /.magnolia/admincentral as path)
Comment by Alex Mansell [ 04/Feb/22 ]

Cheers bfaniuk – I've opened a follow-up doc ticket to update the yaml config. However, I'll have to let the devs comment on the config simplification.
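
The difference between the request-derived and the configured value described in the development notes, together with the absolute-URL requirement from the 04/Feb/22 comment, as an added example that is not Magnolia SSO or pac4j code. The class and method names, the host names and the end-session endpoint are constructed for illustration, and the https check assumes the registered reply URL is https, as in the proxy setup above.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/** Added illustration; all names and URLs here are constructed, not project code. */
public class PostLogoutRedirectDemo {

    /** Accept only an absolute https URI with a host; relative values are rejected. */
    static URI requireAbsoluteHttps(String configured) {
        URI uri = URI.create(configured.trim());
        if (!uri.isAbsolute() || uri.getHost() == null) {
            throw new IllegalArgumentException("postLogoutRedirectUri must be absolute: " + configured);
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            // Assumption of this example: the reply URL registered with the IdP is https
            throw new IllegalArgumentException("postLogoutRedirectUri must use https: " + configured);
        }
        return uri;
    }

    /** Append post_logout_redirect_uri to the identity provider's end-session endpoint. */
    static String logoutUrl(String endSessionEndpoint, String redirect) {
        String sep = endSessionEndpoint.contains("?") ? "&" : "?";
        return endSessionEndpoint + sep + "post_logout_redirect_uri="
                + URLEncoder.encode(redirect, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String endSession = "https://idp.example.test/oauth2/logout"; // constructed endpoint
        // What request.getRequestURL() yields on Tomcat behind a TLS-terminating nginx (constructed)
        String seenByTomcat = "http://cms.example.test/.magnolia/admincentral";
        // What the operator configured and registered as reply URL (constructed)
        String configured = "https://cms.example.test/.magnolia/admincentral";

        // The first line carries http%3A, which the IdP will not match against the https reply URL
        System.out.println("request-derived: " + logoutUrl(endSession, seenByTomcat));
        System.out.println("config-derived:  "
                + logoutUrl(endSession, requireAbsoluteHttps(configured).toString()));

        // Relative or plain-http values fail when validated, not later at logout time
        for (String bad : new String[] {"/.magnolia/admincentral", seenByTomcat}) {
            try {
                requireAbsoluteHttps(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```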

Generated at Mon Feb 12 10:50:52 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.