Merge pull request #13757 from sberyozkin/oidc_post_logout_clear_cookies

Update DefaultTokenStateManager to remove all session cookies when tokens are split

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java

@@ -484,10 +484,15 @@ private void removeCookie(RoutingContext context, TenantConfigContext configCont
             if (SESSION_COOKIE_NAME.equals(cookieName)) {
                 resolver.getTokenStateManager().deleteTokens(context, configContext.oidcConfig, cookie.getValue());
             }
+            removeCookie(cookie, configContext.oidcConfig);
+        }
+    }
 
+    static void removeCookie(ServerCookie cookie, OidcTenantConfig oidcConfig) {
+        if (cookie != null) {
             cookie.setValue("");
             cookie.setMaxAge(0);
-            Authentication auth = configContext.oidcConfig.getAuthentication();
+            Authentication auth = oidcConfig.getAuthentication();
             if (auth.cookiePath.isPresent()) {
                 cookie.setPath(auth.cookiePath.get());
             }

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTokenStateManager.java

@@ -6,6 +6,7 @@
 import io.quarkus.oidc.OidcTenantConfig;
 import io.quarkus.oidc.TokenStateManager;
 import io.vertx.core.http.Cookie;
+import io.vertx.core.http.impl.ServerCookie;
 import io.vertx.ext.web.RoutingContext;
 
 @ApplicationScoped
@@ -55,11 +56,11 @@ public AuthorizationCodeTokens getTokens(RoutingContext routingContext, OidcTena
                 accessToken = tokens[1];
                 refreshToken = tokens[2];
             } else {
-                Cookie atCookie = routingContext.request().getCookie(getAccessTokenCookieName(oidcConfig.getTenantId().get()));
+                Cookie atCookie = getAccessTokenCookie(routingContext, oidcConfig);
                 if (atCookie != null) {
                     accessToken = atCookie.getValue();
                 }
-                Cookie rtCookie = routingContext.request().getCookie(getRefreshTokenCookieName(oidcConfig.getTenantId().get()));
+                Cookie rtCookie = getRefreshTokenCookie(routingContext, oidcConfig);
                 if (rtCookie != null) {
                     refreshToken = rtCookie.getValue();
                 }
@@ -71,6 +72,18 @@ public AuthorizationCodeTokens getTokens(RoutingContext routingContext, OidcTena
 
     @Override
     public void deleteTokens(RoutingContext routingContext, OidcTenantConfig oidcConfig, String tokenState) {
+        if (oidcConfig.tokenStateManager.splitTokens) {
+            CodeAuthenticationMechanism.removeCookie(getAccessTokenCookie(routingContext, oidcConfig), oidcConfig);
+            CodeAuthenticationMechanism.removeCookie(getRefreshTokenCookie(routingContext, oidcConfig), oidcConfig);
+        }
+    }
+
+    private static ServerCookie getAccessTokenCookie(RoutingContext routingContext, OidcTenantConfig oidcConfig) {
+        return (ServerCookie) routingContext.request().getCookie(getAccessTokenCookieName(oidcConfig.getTenantId().get()));
+    }
+
+    private static ServerCookie getRefreshTokenCookie(RoutingContext routingContext, OidcTenantConfig oidcConfig) {
+        return (ServerCookie) routingContext.request().getCookie(getRefreshTokenCookieName(oidcConfig.getTenantId().get()));
     }
 
     private static String getAccessTokenCookieName(String tenantId) {

integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java

@@ -619,6 +619,27 @@ public void testDefaultSessionManagerSplitTokens() throws IOException, Interrupt
             Cookie rtTokenCookie = getSessionRtCookie(page.getWebClient(), "tenant-split-tokens");
             checkSingleTokenCookie(rtTokenCookie, "Refresh");
 
+            // verify all the cookies are cleared after the session timeout
+            webClient.getOptions().setRedirectEnabled(false);
+            webClient.getCache().clear();
+
+            await().atLeast(6, TimeUnit.SECONDS)
+                    .pollDelay(Duration.ofSeconds(6))
+                    .until(new Callable<Boolean>() {
+                        @Override
+                        public Boolean call() throws Exception {
+                            WebResponse webResponse = webClient
+                                    .loadWebResponse(new WebRequest(URI.create("http://localhost:8081/index.html").toURL()));
+                            assertEquals(302, webResponse.getStatusCode());
+                            assertNull(getSessionCookie(webClient, null));
+                            return true;
+                        }
+                    });
+
+            assertNull(getSessionCookie(page.getWebClient(), "tenant-split-tokens"));
+            assertNull(getSessionAtCookie(page.getWebClient(), "tenant-split-tokens"));
+            assertNull(getSessionRtCookie(page.getWebClient(), "tenant-split-tokens"));
+
             webClient.getCookieManager().clearCookies();
         }
     }