Liberty OP configured with another OP via Socal Login , RP logout is treated as Login request

[shubjit]

Describe the bug
We have configured our ELM applications (RP) with Liberty OP which is further delegated to another OIDC Provider using Social Login as OIDC Client https://www.ibm.com/docs/en/was-liberty/core?topic=liberty-configuring-social-login-in#twlp_sec_sociallogin__openid

In this case we have issues with Application logout , where in when we logout of our ELM application (RP), it loops back to the RP and does not logout.

We raised a similar issue when configured with a SAML IDP and it is being worked on by the Security team https://github.com/OpenLiberty/open-liberty/issues/18177

Steps to Reproduce

• Configure LIberty as an OpenID Provider

• Configure the OP to delegate further to another OIDC provider as OIDC Client using the instructions below https://www.ibm.com/docs/en/was-liberty/core?topic=liberty-configuring-social-login-in#twlp_sec_sociallogin__openid

• Configure RP Applications which has a Logout functionality with Liberty OP (Our RP = IBM ELM Solution)

• Sample config

• <oidcLogin id="ELMRP" clientId="TESTCLIENTID" displayName="ELMJAS Login"
                 clientSecret="YzE0ZjNhZjEtYzlkMK0i00"
                 authorizationEndpoint="https://<3rd_Party_OP>/oidc/endpoint/default/authorize"
                 tokenEndpoint="https://3rd_Party_OP/oidc/endpoint/default/token"
                 jwksUri="https://3rd_Party_OP/oidc/endpoint/default/jwks"
                 issuer="https://3rd_Party_OP/oidc/endpoint/default"
                 trustStoreRef="defaultKeyStore"
                 trustAliasName="op_root"
                 scope="openid profile email"
                 userNameAttribute="sub"
                 authFilterRef="MyAuthFilter"
                 mapToUserRegistry="true" >
      </oidcLogin>
  
      <authFilter id="MyAuthFilter">
              <requestUrl id=MyRequestUrl" urlPattern="/authorize|/personalTokenManagement|/end_session" matchType="contains" />
              <userAgent id="MyUserAgent" agent="Mozilla|Opera|app-password-enabled" matchType="contains"/>
      </authFilter>

• Once configured test Logout from the RP application It redirects all the way to OIDC Provider (3rd Party) and behaves as a Login request and is returned back to the RP Application

Expected behavior
Logout should work when initiated from RP

Diagnostic information:

• Liberty Version: 20.0.0.6 (Tested with 21.0.0.6 as well)

Additional context
NA

[teddyjtorres]

Please confirm if your RP is calling the end_session endpoint directly without any cookies or tokens, or if the RP is redirecting the browser to the end_session endpoint.

[shubjit]

@teddyjtorres The flow from our RP is similar to what we raised in https://github.com/OpenLiberty/open-liberty/issues/18177 I have been working with @arunavemulapalli on that and can provide additional traces. I will check internally and update what is being called during the logout.