Baseline for OpenID Connect Logout

[pedroigor]

The scope is:

• RP-Initiated Logout
• Frontchannel Logout
• Backchannel Logout

In terms of testing, we are going to have some minimal level of testing on our side too. Differently from here, we are going to run integration tests (running Wildfly).

I should mark the PR ready to review as soon as our testsuite is ready to test Elytron OIDC.

I should also be running some more tests to make sure what is missing (or failing) from recommended security practices for logout.

[pedroigor]

Regarding RP-Initiated support, the mechanism is going to pass the id_token_hint on every logout request. That means logout endpoints are only accessible if a security context is established.

The following logout parameters are not going to be supported:

• client_id, not needed as we are passing the id_token_hint parameter
• logout_hint, Keycloak does not support it.

In terms of configuration, we might need the following options:

• logout.uri, a relative URI referencing the endpoint that will start a logout (RP-Initiated). Defaults to /logout.
• logout.callback.uri, a relative URI referencing the endpoint that will handle logout requests and tokens from the OP. I don't think we need separate endpoints for front and back channel but decide on one or another based on the HTTP method (e.g.: GET and POST). Defaults to /logout/callback.
• logout.session.required, indicates whether the mechanism should enforce both sid and iss parameters when processing frontchannel logout requests. If set to false, there will be no check and any authenticated request is going to invalidate the local user session. Defaults to true.
• logout.post-logout-uri, a relative URI referencing the endpoint that OPs should redirect users after logging out sessions. Default not set.
• logout.session.invalidation.limit, the limit to set to a bounded map when marking sessions for invalidation during back-channel logout.

[pedroigor]

@fjuma Marking the PR as ready for review. Please, let me know if you want me to update the commit message with the appropriate issue/jira.

[pedroigor]

@fjuma W.r.t. to back-channel logout, the solution is the follows:

• The OP sends a logout request with the logout token
• Elytron verifies if the configuration is set to validate the sid from the logout token. If not set, back-channel logout won't do anything but fail with a 400.
• Otherwise, Elytron marks the sid for invalidation by using a bounded map so that subsequent requests from the corresponding user are going to force the session to be invalidated.

The limit of the bounded map can be set through a configuration option. By default, we can store 100 sessions for invalidation.

[ssingh-cls]

Do we have this fix in any released version, please? @pedroigor @fjuma @Skyllarr
I am looking to use logout functionality here. Thanks!

[fjuma]

@ssingh-cls This hasn't been included in a release yet.

[ssingh-cls]

@ssingh-cls This hasn't been included in a release yet.

Thank you @fjuma for quick reply. Do you have any plan to include this feature in future release? Also, to clarify to logout from OIDC server for now, do we have any workaround via existing wildfly-elytron release or we have to rely on other options provided by OIDC such as using their SDK API e.g.?

[fjuma]

@ssingh-cls Yes, we are planning on including this in a future release, please keep an eye on https://issues.redhat.com/browse/ELY-2534 (or this PR) for more updates.

I don't think there are any workarounds for RP-Initiated logout, front-channel logout, and back-channel logout in the meantime.

[ssingh-cls]

@ssingh-cls Yes, we are planning on including this in a future release, please keep an eye on https://issues.redhat.com/browse/ELY-2534 (or this PR) for more updates.

I don't think there are any workarounds for RP-Initiated logout, front-channel logout, and back-channel logout in the meantime.

Thank you very much @fjuma for providing this update.

[rioy-soptim]

Greetings,
I've wondered when we can expect this feature to be rolled out? Will this be included in Wildfly 31 or 32 (or later)? @fjuma

[fjuma]

Hi @rioy-soptim, apologies for the delay. We'd like to return to getting this reviewed and determining if any corresponding attributes are needed in the elytron-oidc-client subsystem as soon as we can. Please watch https://issues.redhat.com/browse/ELY-2534 for updates.

[fjuma]

In terms of testing, we are going to have some minimal level of testing on our side too. Differently from here, we are going to run integration tests (running Wildfly).

I should mark the PR ready to review as soon as our testsuite is ready to test Elytron OIDC.

I should also be running some more tests to make sure what is missing (or failing) from recommended security practices for logout.

Hi @pedroigor, thanks again for this PR! I'm finally going to be picking this up and will look at the configuration options that we should add.

Just wanted to ask about the comments about testing in the PR description.

Did you end up working on any tests outside of what's in this PR?

[pedroigor]

Hi @fjuma. I've rebased the PR and fixed the tests being introduced here.

Did you end up working on any tests outside of what's in this PR?

Do you mean tests on the Keycloak side?

[fjuma]

Hi @pedroigor, thanks! Note that @rsearls has a branch based off this one and a couple changes I had worked on before having to switch to working on something else:

#1882

Do you mean tests on the Keycloak side?

The tests I was referring to before were integration tests for WildFly but we had discussed this a bit when I started looking into this and those didn't exist yet. That's the part Rebecca is now working through. Thanks very much for your help with the questions!

[pedroigor]

I see. I did not write tests other than the ones in this PR. From a coverage PoV, they should be enough to cover everything we need from Elytron's perspective.

About the changes from @rsearls, do we want to incorporate them in this PR?

[rsearls]

Thanks for the code Pedro. I am reviewing your changes to see how they work differently from Farah's branch.

…

On Tue, Nov 19, 2024 at 9:29 AM Pedro Igor ***@***.***> wrote: I see. I did not write tests other than the ones in this PR. From a coverage PoV, they should be enough to cover everything we need from Elytron's perspective. About the changes from @rsearls <https://github.com/rsearls>, do we want to incorporate them in this PR? — Reply to this email directly, view it on GitHub <#1882 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAD3X4Z47ZQHDAIO4SSTKAL2BNDNXAVCNFSM6AAAAAAV6U4WBKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIOBVHA3TCMJWGE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[fjuma]

@rsearls The only difference between my branch and Pedro's branch (other than rebasing related changes) should be these 2 commits:

• [ELY-2534] Update the creation of the test HTTP server request for back-channel logout
  d430574

• [ELY-2534] Update back-channel logout handling so it doesn't rely on an active session
  c16a6cb

The rest of the functionality is the same and the wildfly-elytron tests should be passing.

[fjuma]

About the changes from @rsearls, do we want to incorporate them in this PR?

@rsearls has opened a new PR, that one can likely supersede this one (it includes your commit, my commits, and rebasing related changes):

#2230

[rsearls]

I want to reevaluate my changes in relation to Pedro's code before deciding if any of my changes should be kept.

…

On Tue, Nov 19, 2024 at 1:31 PM Farah Juma ***@***.***> wrote: About the changes from @rsearls <https://github.com/rsearls>, do we want to incorporate them in this PR? @rsearls <https://github.com/rsearls> has opened a new PR, that one can likely supersede this one (it includes your commit, my commits, and rebasing related changes): #2230 <#2230> — Reply to this email directly, view it on GitHub <#1882 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAD3X465U64VRQ6M5GR6P732BN7WPAVCNFSM6AAAAAAV6U4WBKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIOBWGQ2TIMRZHE> . You are receiving this because you were mentioned.Message ID: ***@***.***>