feat(jans-auth-server): add client_id parameter support to /end_session #5942

Closed
yuriyz opened this issue Sep 1, 2023 · 3 comments · Fixed by #6032 or #6104
Assignees
Labels
comp-jans-auth-server Component affected by issue or PR kind-feature Issue or PR is a new feature request
Milestone

Comments

@yuriyz
Contributor

yuriyz commented Sep 1, 2023

Describe the issue

Add client_id parameter support to /end_session

Support: 11416
oxauth ticket GluuFederation/oxAuth#1862

Motivation

The corner case is when the session is expired and the grant object is expired (or revoked), and the AS is not able to identify the client.

Obviously, if the AS can't identify the client (due to a missing session and id_token_hint), it falls back to global validation via clientWhiteList and allowPostLogoutRedirectWithoutValidation=true.

If we want to avoid the global clientWhiteList, the question is still the same: how should the AS figure out the client if the session and id_token_hint are not there?

One possible solution is to pass client_id explicitly, so the AS will do the following:

  1. get the client from the session
  2. if there is no session -> get the client from id_token_hint
  3. if the grant object for id_token_hint is not there -> take the client by client_id.
  4. The client_id parameter is just an idea; it's not supported, however it can be implemented.
@yuriyz yuriyz added comp-jans-auth-server Component affected by issue or PR kind-feature Issue or PR is a new feature request labels Sep 1, 2023
@yuriyz yuriyz added this to the 1.0.17 milestone Sep 1, 2023
@yuriyz yuriyz self-assigned this Sep 1, 2023
@nynymike
Contributor

nynymike commented Sep 1, 2023

Without the client_id, the problem is that we don't know where to redirect the browser after end_session?

@yuriyz
Contributor Author

yuriyz commented Sep 1, 2023

@nynymike we know where to redirect because usually the post_logout_redirect_uri parameter is sent in the request. But we can't redirect without validation (otherwise it's an open redirector). We have the clientWhiteList global configuration parameter which can always be used for validation. The complaint is that it's not on the client level. And we can't identify the client if the session and id_token_hint are expired. With an explicit client_id we will be able to do it.
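The three-step client resolution from the issue description, together with the post_logout_redirect_uri validation discussed in this comment, as an added illustration that is not jans-auth-server code. The `Client`, `Session`, `Grant` and `AuthServer` classes, the sample data in `build_sample_server`, and the modelling of `clientWhiteList` as a list of allowed URIs gated by `allowPostLogoutRedirectWithoutValidation` are all my assumptions; the real configuration semantics live in the project. The point it shows: `client_id` only selects which registered URI list to check (it is not a secret), so the redirect target still has to match a registered value exactly, and the global whitelist is consulted only when no client could be identified at all.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    client_id: str
    # Post-logout redirect URIs registered for this client (constructed sample data).
    post_logout_redirect_uris: list


@dataclass
class Session:
    client_id: str
    expired: bool


@dataclass
class Grant:
    """Grant that issued an id_token; looked up by the id_token_hint value (assumed model)."""
    client_id: str
    revoked: bool


@dataclass
class AuthServer:
    clients: dict   # client_id -> Client
    sessions: dict  # session id -> Session
    grants: dict    # id_token_hint -> Grant
    # Global fallback, my reading of clientWhiteList / allowPostLogoutRedirectWithoutValidation.
    client_white_list: list = field(default_factory=list)
    allow_post_logout_redirect_without_validation: bool = False

    def resolve_client(self, session_id=None, id_token_hint=None, client_id=None):
        """Steps 1-3 from the issue: session, then id_token_hint, then explicit client_id.
        Returns (client or None, source) so a caller can log how the client was found."""
        session = self.sessions.get(session_id) if session_id else None
        if session is not None and not session.expired:
            return self.clients.get(session.client_id), "session"
        grant = self.grants.get(id_token_hint) if id_token_hint else None
        if grant is not None and not grant.revoked:
            return self.clients.get(grant.client_id), "id_token_hint"
        # client_id is public, so it must name a registered client and it only chooses
        # whose registered URI list is checked; it never authorises a URI by itself.
        if client_id is not None and client_id in self.clients:
            return self.clients[client_id], "client_id"
        return None, "none"

    def validate_post_logout_redirect_uri(self, uri, client):
        if client is not None:
            # Exact match against registered URIs: no prefix or substring matching,
            # which is what keeps end_session from becoming an open redirector.
            return uri in client.post_logout_redirect_uris
        # No client identified: only the global fallback remains, and only when enabled.
        return (self.allow_post_logout_redirect_without_validation
                and uri in self.client_white_list)

    def end_session(self, post_logout_redirect_uri, session_id=None,
                    id_token_hint=None, client_id=None):
        """Returns (redirect target or None, client source)."""
        client, source = self.resolve_client(session_id, id_token_hint, client_id)
        if self.validate_post_logout_redirect_uri(post_logout_redirect_uri, client):
            return post_logout_redirect_uri, source
        return None, source


def build_sample_server(**config):
    """Constructed sample state: one RP with one registered post-logout URI."""
    rp = Client("rp1", ["https://rp1.example/logged-out"])
    return AuthServer(
        clients={"rp1": rp},
        sessions={"s-expired": Session("rp1", expired=True),
                  "s-live": Session("rp1", expired=False)},
        grants={"idt-revoked": Grant("rp1", revoked=True),
                "idt-live": Grant("rp1", revoked=False)},
        **config,
    )


if __name__ == "__main__":
    srv = build_sample_server()
    # Expired session and revoked grant: only the explicit client_id identifies the client.
    print(srv.end_session("https://rp1.example/logged-out", session_id="s-expired",
                          id_token_hint="idt-revoked", client_id="rp1"))
    # Same client_id, unregistered URI: refused, client_id alone grants nothing.
    print(srv.end_session("https://evil.example/", session_id="s-expired",
                          id_token_hint="idt-revoked", client_id="rp1"))
```

Running the module shows the corner case from the issue: with the session expired and the grant revoked, the request succeeds only because `client_id` names a registered client whose registered URI list contains the requested target; the same `client_id` with an unregistered URI is refused, and without any `client_id` the request falls through to the global whitelist, which is empty by default.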

@nynymike
Contributor

nynymike commented Sep 1, 2023

Ok, let's go ahead with it. Although the client_id is not a secret, we're still enforcing re-registered redirect_uris.

yuriyz added a commit that referenced this issue Sep 14, 2023
yuriyz added a commit that referenced this issue Sep 14, 2023
@yuriyz yuriyz reopened this Sep 22, 2023
yuriyz added a commit that referenced this issue Sep 22, 2023
…t_id parameter is present

#5942
Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
yuriyz added a commit that referenced this issue Sep 22, 2023
…t_id parameter is present (#6104)

#5942

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
devrimyatar pushed a commit that referenced this issue Dec 30, 2023
#5942 (#6032)

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
Signed-off-by: Mustafa Baser <mbaser@mail.com>
devrimyatar pushed a commit that referenced this issue Dec 30, 2023
…t_id parameter is present (#6104)

#5942

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
Signed-off-by: Mustafa Baser <mbaser@mail.com>