Issue #8216 - OpenID Connect RP-Initiated Logout #8286
Conversation
Signed-off-by: Johannes Keller <[email protected]>
….0.x-8216-openid-logout
…endpoint redirect Signed-off-by: Lachlan Roberts <[email protected]>
Signed-off-by: Lachlan Roberts <[email protected]>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdProvider.java
Show resolved
Hide resolved
| if (logoutRedirectPath == null) | ||
| { | ||
| LOG.warn("redirect path must not be null, defaulting to /"); | ||
| logoutRedirectPath = "/"; | ||
| } |
There was a problem hiding this comment.
I'd prefer to allow null to be set here and have that mean "do not redirect on logout"
There was a problem hiding this comment.
This redirect path is actually for the OpenId provider redirecting back to the webapp, not for the webapp to redirect to the OpenID Provider on logout.
post_logout_redirect_uri
OPTIONAL. URI to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed. This URI SHOULD use the https scheme and MAY contain port, path, and query parameter components; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0 [RFC6749], and provided the OP allows the use of http RP URIs. The URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application. The value MUST have been previously registered with the OP, either using the post_logout_redirect_uris Registration parameter or via another mechanism. An id_token_hint is also RECOMMENDED when this parameter is included.
So the "do not redirect on logout" setting is actually defined in OpenIdConfiguration as the endSessionEndpoint. But since this is optional we could not include this parameter if it is not explicitly set. Either way I think this does need some javadoc/documentation to explain this.
There was a problem hiding this comment.
I understand it is the redirect after the logout redirect. If there is no endSessionEndpoint, you just redirect to the logout redirect, which you are currently insisting is non null.
But you could allow null and define that to mean no redirecting at all on logout, thus giving the old behaviour.
There was a problem hiding this comment.
Ok I have changed to logic to not redirect back to application if LOGOUT_REDIRECT_PATH is null.
And updated the javadoc of attemptLogoutRedirect to explain how it works.
jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java
Show resolved
Hide resolved
jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdAuthenticator.java
Show resolved
Hide resolved
jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Lachlan Roberts <[email protected]>
Signed-off-by: Lachlan Roberts <[email protected]>
Issue #8216
see https://openid.net/specs/openid-connect-rpinitiated-1_0.html
HttpServletRequest.logout()is called.end_session_endpointin theOpenIdConfiguration.