cloudfoundry / uaa

CloudFoundry User Account and Authentication (UAA) Server
Apache License 2.0

Single Logout Out #18

Closed drnic closed 10 years ago

drnic commented 11 years ago

When a user logs out of UAA, or the user is deleted, we'd like that user to be logged out of all consumer applications (if they support an SLO API).

Has anyone thought about this feature and have preferences for the APIs?

tekul commented 11 years ago

Single sign-out is a notoriously tricky issue. First it's probably worth summarising what the UAA does to authenticate a user to an oauth "client" application. When the user accesses the application, the UAA issues the application with an access token which allows it to read the user's details from the /userinfo endpoint. When we refer to a user to be "logged in" to the app, we are usually referring to the stateful session that exists between the browser and the application. This isn't something that the UAA currently has any record of, since it's limited to the browser-app connection and the details depend on the client application. It could be server-side state, encrypted cookie state or whatever.

So there's no way currently for the UAA to maintain a record of applications which a user is "logged in" to and notify them that they should end any sessions the user has. If we are mainly concerned about a few core apps, then it would be easy enough to return a page from the UAA which invoked the logout URLs for those apps, but that's not something that would scale. And of course using the browser won't work if you delete a user and want to kill any sessions they have with applications, as you have no way of accessing the session information.

Some references:

The (still rather bare) OpenID connect session mgmt spec:

http://openid.net/specs/openid-connect-session-1_0.html

Discussion on Single Sign-Out on CAS mailing list:

http://jasig.275507.n4.nabble.com/the-misnamed-single-sign-off-or-if-you-prefer-single-log-off-SLO-td3713224.html

Single Sign-Out via the browser:

http://blogs.msdn.com/b/eugeniop/archive/2011/02/16/single-sign-out-websso.aspx

demon-xxi commented 11 years ago

It is strange that UAA documentation states that there is Single Sign Out here:

Logout: GET /logout.do The UAA can act as a Single Sign On server for the Cloud Foundry platform (and possibly user apps as well), so if a user logs out he logs out of all the apps.

But we're seeing the opposite behavior. Once a user logs out of UAA, the token issued to the application remains active, and endpoints like /userinfo still return information when using the token in the Authorization header.

Theoretically the /check_token endpoint should validate the token and tell if the user has already logged out, I think, but that endpoint did not work last time I tried. It returned a 400 HTML page, not as per the spec though.

dsyer commented 11 years ago

I don't find that strange at all, since the /logout.do endpoint is what you would use if you wanted to implement some well-known patterns for single sign off (as per Luke's comment and links).

One thing /logout.do does not do (and should not, since access tokens are orthogonal to sessions, also per Luke's comment) is invalidate any access tokens.
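The following is an added example, not code from the UAA project or from any commenter in this thread. It models in Python what tekul and dsyer describe: browser sessions and access tokens live in separate stores, so /logout.do ending the session leaves /userinfo and /check_token answering for the token; a front-channel logout page can at best return the logout URLs of clients that hold a token for the user and advertise one; and deleting a user has to revoke tokens server-side because no browser is available. The `Client.logout_url` field, the `AuthServer` class and the `app-a`/`app-b`/`alice` values are constructed for the illustration.

```python
"""Toy model of the session/token split discussed in the thread (constructed)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Client:
    """A registered OAuth client; logout_url is a hypothetical per-client SLO endpoint."""
    client_id: str
    logout_url: Optional[str] = None


@dataclass
class AuthServer:
    """Minimal authorization server: sessions and tokens are deliberately separate stores."""
    clients: dict = field(default_factory=dict)   # client_id -> Client
    users: set = field(default_factory=set)       # known user ids
    sessions: dict = field(default_factory=dict)  # browser session id -> user id
    tokens: dict = field(default_factory=dict)    # access token -> (user id, client id)

    def login(self, user_id: str) -> str:
        """Browser authenticates; only a server-side session is created."""
        if user_id not in self.users:
            raise PermissionError("unknown user")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user_id
        return sid

    def issue_token(self, sid: str, client_id: str) -> str:
        """Authorization flow collapsed to one step: the logged-in session yields a client token."""
        user_id = self.sessions[sid]
        if client_id not in self.clients:
            raise KeyError(client_id)
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user_id, client_id)
        return token

    def userinfo(self, token: str) -> Optional[dict]:
        """/userinfo is token-based: it never consults the session store."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        return {"user_id": entry[0]}

    def check_token(self, token: str) -> dict:
        """/check_token answers 'is this token valid', not 'is the user logged in'."""
        entry = self.tokens.get(token)
        if entry is None:
            return {"active": False}
        user_id, client_id = entry
        return {"active": True, "user_id": user_id, "client_id": client_id}

    def logout(self, sid: str) -> list:
        """/logout.do ends the browser session only. Returns the logout URLs a
        front-channel logout page would invoke for clients that hold a token for
        this user and advertise a logout_url. Tokens are left untouched."""
        user_id = self.sessions.pop(sid, None)
        if user_id is None:
            return []
        urls = []
        for tok_user, client_id in self.tokens.values():
            client = self.clients[client_id]
            if tok_user == user_id and client.logout_url and client.logout_url not in urls:
                urls.append(client.logout_url)
        return urls

    def delete_user(self, user_id: str) -> int:
        """Deleting a user: drop sessions and revoke tokens server-side, because no
        browser is available to drive client logouts. Returns the number of
        tokens revoked. Client-side sessions that hold no token stay out of reach."""
        self.users.discard(user_id)
        for sid in [s for s, u in self.sessions.items() if u == user_id]:
            del self.sessions[sid]
        revoked = [t for t, (u, _) in self.tokens.items() if u == user_id]
        for t in revoked:
            del self.tokens[t]
        return len(revoked)


def demo() -> dict:
    """Constructed walk-through of the scenario reported in the thread."""
    uaa = AuthServer()
    uaa.users.add("alice")
    uaa.clients["app-a"] = Client("app-a", "https://app-a.example/logout")  # supports SLO
    uaa.clients["app-b"] = Client("app-b")                                   # no SLO endpoint
    sid = uaa.login("alice")
    tok_a = uaa.issue_token(sid, "app-a")
    uaa.issue_token(sid, "app-b")
    return {
        "logout_urls": uaa.logout(sid),                 # only app-a can be told
        "userinfo_after_logout": uaa.userinfo(tok_a),   # still answers: token is orthogonal
        "check_after_logout": uaa.check_token(tok_a),   # still active
        "revoked": uaa.delete_user("alice"),            # both tokens revoked server-side
        "userinfo_after_delete": uaa.userinfo(tok_a),   # now None
    }


if __name__ == "__main__":
    print(demo())
```

The model makes the failure mode concrete: after `logout`, `userinfo` and `check_token` still succeed, which is exactly what demon-xxi observed and what dsyer says is intended. The logout-URL list shows the limit of the browser-driven pattern tekul describes (it covers only clients that advertise an endpoint and that the server knows hold a token), and `delete_user` shows the server-side revocation that is the only lever left once no browser is involved.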

johnpfield commented 11 years ago

I agree with Dave here. I don't think that /check_token should care whether the user has already logged out. Whether the user is still logged in or not is really orthogonal.

Another alternative might be to provide additional claims at /userinfo. Perhaps an app (with a suitable scope) could get some user preference info like whether the user wants SLO support. This could be a hint to the App presenting a local log out page. Using the hint it could implement a preferred pattern like just log out locally, or log out locally and then redirect to UAA logout, etc., etc. You get the idea.

But I would be careful going down this path since single log out in a distributed environment is fraught with edge cases.

ryantang commented 11 years ago

@rmorgan - would you mind commenting on the current thinking around this issue?

/cc @dsyer @joeldsa

@jfoley / @ryantang

jfoley commented 10 years ago

Closing this issue since it's stale.

CF Community Pair (@chou & @jfoley)