RH-SSO: RHSSO-1662

Explain better how to perform an HttpServletRequest.logout()

    Description

      One customer has detected that, if the logout HttpServletRequest.logout() is executed in an unprotected page, there can be issues. For example:

      1. Open a window in the browser.
      2. Execute the login operation (application 1).
      3. Open another window in the same browser.
      4. Go to the products page (application 2).
      5. Execute the logout operation of the application 2.
        => The SSO session is destroyed and it calls app1 to destroy the session. So app1 removes any data related to this session (no SSO session).
      6. Execute the login operation of the application 2 in the same window.
        => Here app2 creates a new SSO session (so new cookies and everything) but app1 knows nothing about this.
      7. Go back to the previous window (application 1).
      8. Execute the logout operation (application 1).
        => When you execute the logout in app1, this app doesn't know about the new login. And the logout endpoint is unprotected, so it goes normally. When the adapter is going to perform the logout it checks for the SSO session information and it finds nothing. So nothing is done. The user remains logged in. Only tested with the session store (maybe cookie is different).

      He wants this to be clarified. I think that we don't need to explain the whole issue (because I think that there can be other situations that trigger a similar issue). I would just add that HttpServletRequest.logout() has to be executed protected, or that it is recommended.

      My proposal is this one:

      diff --git a/securing_apps/topics/oidc/java/logout.adoc b/securing_apps/topics/oidc/java/logout.adoc
      index baa2a20..cef0a9f 100644
      --- a/securing_apps/topics/oidc/java/logout.adoc
      +++ b/securing_apps/topics/oidc/java/logout.adoc
      @@ -1,6 +1,7 @@
       ==== Logout
       
       You can log out of a web application in multiple ways.
      -For Java EE servlet containers, you can call HttpServletRequest.logout(). For other browser applications, you can redirect the browser to
      +For Java EE servlet containers, you can call `HttpServletRequest.logout()`. For other browser applications, you can redirect the browser to
       `$$http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri$$`, which logs you out if you have an SSO session with your browser.
       
      +When using the `HttpServletRequest.logout()` option the adapter executes a back-channel POST call against the {project_name} server passing the refresh token. If the method is executed from an unprotected page (a page that does not check for a valid token) the refresh token can be unavailable and, in that case, the adapter skips the call. For that reason using a protected page to execute `HttpServletRequest.logout()` is recommended, this way the access token is always taken into account and an interaction with the {project_name} server is performed if needed.
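Review bot: the added paragraph (the last `+` line) is inconsistent about which token matters: it first says the adapter passes the refresh token in the back-channel POST, then argues for a protected page because "the access token is always taken into account". Use one term (the refresh token is the one the back-channel call needs, per the first sentence) or explain how the two relate. Also split the comma splice "is recommended, this way the access token ..." into two sentences, and consider stating the user-visible consequence from the ticket description, that calling `HttpServletRequest.logout()` from an unprotected page can silently leave the SSO session alive on the server, since that is the reason the guidance exists.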
      

      I asked this on the list; the thread is this one, and we agreed to add something in the doc.
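As an added illustration of the recommendation in this ticket (not code from the ticket or from the RH-SSO documentation), a logout servlet whose path is placed under a container security constraint, so the adapter has already validated the session and has the refresh token available before `logout()` runs. The `/logout` path, the `user` role, the servlet class name and the `web.xml` fragment are assumptions.

```java
// LogoutServlet.java (illustrative; paths, role and class name are assumed)
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml fragment. The point of the ticket is that /logout must be
 * inside a security-constraint: an unconstrained /logout lets the servlet run
 * with no validated token, the adapter then finds no refresh token and skips
 * the back-channel call, and the SSO session stays alive on the server.
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>logout</web-resource-name>
 *       <url-pattern>/logout</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>user</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Because /logout is protected, reaching this point means the adapter
        // authenticated the request (or forced a fresh login first), so the
        // refresh token needed for the back-channel logout is present.
        req.logout();

        // Drop the container session too; the SSO session has now been ended
        // server-side, so the user lands on the public start page logged out.
        if (req.getSession(false) != null) {
            req.getSession(false).invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```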

          People

            mhelmke Matthew Helmke (Inactive)
            rhn-support-rmartinc Ricardo Martin Camarero