OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

httpservletrequest.logout ineffective when used in openidconnect or saml clients #11351

Open brutif opened 4 years ago

brutif commented 4 years ago

Describe the bug

The OpenIdConnect server feature contains some UI endpoints such as https://localhost:19443/oidc/endpoint/OP/clientManagement. The logout button on these seems to have no effect; refreshing the browser allows access without authentication.

Steps to Reproduce

Install servers "loginbug" and "oidcdemo_provider" and access the above URL, press logout, then refresh the browser.

Expected behavior

User should receive an authentication challenge after logout.

Diagnostic information

Tested against 3/17 integration branch build + https://github.com/OpenLiberty/open-liberty/pull/11217

Additional context

Zipped-up server.xml, logs and trace attached. Search the trace for "click logout button" and "click refresh" to see areas of interest.

logout_bug.zip

brutif commented 4 years ago

When SAML is used to protect the openidConnect endpoints, a similar but not identical thing happens. Local logout works, but the postLogout method of the SAML TAI is never called, so on subsequent access the user is redirected to the IdP, is still logged in there, and gets back in without authentication.

ayoho commented 4 years ago

Once Aruna's fixes for session affinity in SAML get delivered, we can revisit and re-test this.

brutif commented 4 years ago

We think disabling session creation might be a workaround, can try that too.

ayoho commented 3 years ago

@arunavemulapalli Any update on whether this has been resolved?

brutif commented 3 years ago

This relates to app-password functionality that was delivered in 19.009. I think the gist of the issue was that when the client management endpoint, https://localhost:19443/oidc/endpoint/OP/clientManagement, is secured by OIDC or SAML, and the logout button on that page is pressed, it doesn't work. When the page is protected by a basic registry, it does work. To recreate and see if this is still the case, server "loginbug" would have to have oidcserver and app security installed, and be delegating authentication to a -different- OIDC server or SAML provider, oidcdemo-provider. I'll attach the last copy I had of oidcdemo-provider, which might not be exactly right.

This function was documented in a blog ( https://openliberty.io/blog/2019/09/13/microprofile-reactive-messaging-19009.html#oidc ) but has yet to be discussed in the openliberty.io docs ( https://github.com/OpenLiberty/docs/issues/330 ). It might not be widely used.

brutif commented 3 years ago

oidcdemo_provider.zip

arunavemulapalli commented 3 years ago

Thanks @brutif. I will see if I can repro this with the provided config files.
Since we removed the dependency on the session affinity in saml sso, I can disable it and test these servers (using saml IdP for authentication) as a workaround.

arunavemulapalli commented 3 years ago

I haven't tried this with the latest config yet.