Closed zandbelt closed 4 years ago
This is changed in the new pyOIDC version. Soon to be approved.
Should be resolved now
verified against the latest logout code and pyoidc 1.1.1
well, it seems to be back now:
rp-test_1 | 192.168.16.1 - - [11/Nov/2019:08:51:08] "GET /mod_auth_openidc-code/rp-backchannel-rpinitlogout/end_session?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6ImFyVDJiVDgwY1N5SDhCZzQ5cHFzeFVfWktkaTE5d3BfUjA5bEF0V1JqeVkifQ.eyJpc3MiOiAiaHR0cHM6Ly9ycC10ZXN0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWJhY2tjaGFubmVsLXJwaW5pdGxvZ291dCIsICJzdWIiOiAiMWIyZmM5MzQxYTE2YWU0ZTMwMDgyOTY1ZDUzN2FlNDdjMjFhMGYyN2ZkNDNlYWI3ODMzMGVkODE3NTFhZTZkYiIsICJhdWQiOiBbImxnMVRjeHlIRW1zTCJdLCAiZXhwIjogMTU3MzU0ODY2OCwgImFjciI6ICJQQVNTV09SRCIsICJpYXQiOiAxNTczNDYyMjY4LCAiYXV0aF90aW1lIjogMTU3MzQ2MjI2OCwgIm5vbmNlIjogIjZpNG5hNDI5TG1MeWJfQVYxZnQ1aUtSVC1ZSnR1WVQ3ZUphdVh1aGlKbmMifQ.gpL2gCl7s-qCwl0hwMqBgEG-QO5ei7OweIkpqQzkM8fLxaquxJnXzCLagr3KMXBnpxCk96jz34uoslm-Y-EQ6NqSLoxL-w803fIJ_BEVa5zZvXOH5uo0Fls1uQnQXYXlBp18vGxZKLtwXIin0g5tx2K5OWL8YcGtF9cxhwCAWk9ud6cMC_BjYJAHN9bamUkB_3NinkJcQiHXodJge4dtNVKYWXFilvuXuYOAB5ucjUVE4VRZOloQ6_l2hflx434ZkVoM1q86yJf4F2c0cmSzu8v4yHETTJYRkzL3G94XLEQC4TmIT18w76Y0YidKYD7ITmPpgqimBShwBpZLxykOCg HTTP/1.1" 400 794 "" "curl/7.66.0"
results in:
```
Content-Type: text/html;charset=utf-8
Server: CherryPy/8.9.1
Date: Mon, 11 Nov 2019 08:51:08 GMT
Allow: GET, OPTIONS, HEAD
Content-Length: 794
Set-Cookie: session_id=64544e3acaa4180cf220b07583d6bdad58397250; expires=Mon, 11 Nov 2019 09:51:08 GMT; Path=/

<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
<title>400 Bad Request</title>
<style type="text/css">
#powered_by {
margin-top: 20px;
border-top: 2px solid black;
font-style: italic;
}
#traceback {
color: red;
}
</style>
</head>
<body>
<h2>400 Bad Request</h2>
<p>{"error": "invalid_request", "error_description": "Missing post_logout_redirect_uri"}</p>
<pre id="traceback"></pre>
<div id="powered_by">
<span>
Powered by <a href="http://www.cherrypy.org">CherryPy 8.9.1</a>
</span>
</div>
</body>
</html>
```
You're sure you're running the latest pyoidc version?
just double-checked (after removing some old versions first as well):
```
hzandbelt@new-rp:/usr/local/oidf/oidc_cp_rplib$ pip freeze | grep oic
oic==1.1.1
```
OK, you were running this test on your own test suite installation. Right? Can't find anything like this on new_rp. I'd like to see more of the logs.
just ran on new-rp as below
2019-11-12 07:39:01,394 oidctest.cp.op:INFO ent:212.84.155.17, vpath: ['mod_auth_openidc-code', 'rp-backchannel-rpinitlogout', 'end_session']
2019-11-12 07:39:01,394 oidctest.cp.op:DEBUG EndSessionRequest: {'id_token_hint': 'eyJhbGciOiJSUzI1NiIsImtpZCI6Im1Fa2MxbFF5Z29VMTBqMk5sVUUtWVlCdjJ1b2FKMXhHLUZua0dxZlRsRzAifQ.eyJpc3MiOiAiaHR0cHM6Ly9uZXctcnAuY2VydGlmaWNhdGlvbi5vcGVuaWQubmV0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWJhY2tjaGFubmVsLXJwaW5pdGxvZ291dCIsICJzdWIiOiAiMWIyZmM5MzQxYTE2YWU0ZTMwMDgyOTY1ZDUzN2FlNDdjMjFhMGYyN2ZkNDNlYWI3ODMzMGVkODE3NTFhZTZkYiIsICJhdWQiOiBbImczOThLaXFZNDJvcCJdLCAiZXhwIjogMTU3MzYzMDc0MCwgImFjciI6ICJQQVNTV09SRCIsICJpYXQiOiAxNTczNTQ0MzQwLCAiYXV0aF90aW1lIjogMTU3MzU0NDMzOSwgIm5vbmNlIjogImdPVi1MX2VaU2szd25nUmdqb2NMYUZ6elRONUZORXFiUDhkMFQ5MzItSkkifQ.vgOfMGDfNZrpHxdECNJOnZd1fjcon2cYaGI8nqlUrAXukr_1gDnQp8JyWHSpNQ8KMRtS0vEkSUK6m0pc4O6TcyiDpFCGw8fuvd5BbGWcRz_jQtNESSBFrngqYf9UMmOiesA2y7Rw8WCWRINPLDDBnEfx8htJt57wCxgf9IPTZqBzK3F9hq3DTXgRhgaIKAdNnuSD9hj0JzN23wUTfsovVMFeIazE1rtI259CbadQXWGVKPHkyQ7E2xXpvT-WVeeCvJ3zrbZodwe3OCOdDsDQ3aQGWi3lazjz-54UFAV3Ejv-GsGZ4vHBF3ENGiK3YTkPIYfouYW0ra2s6UziGKy0fw'}
2019-11-12 07:39:01,394 oidctest.cp.op:DEBUG Request cookie at end_session_endpoint: Set-Cookie: pyoidc_sso="1573544339|wgDyLrQDbGC+HbBzlgtYgw==|P4yyP+IloBGITDHTJxsDFkelBWqx/3BIDLWRY6pcQwOJZUSi|C8SjBS+Z/mJUkkiaz0Jfyg=="
Set-Cookie: session_id=e39cb123a2388f7b5b6660608aa23770302445e9
2019-11-12 07:39:01,395 oic.oic.provider:DEBUG End session request: {'id_token_hint': 'eyJhbGciOiJSUzI1NiIsImtpZCI6Im1Fa2MxbFF5Z29VMTBqMk5sVUUtWVlCdjJ1b2FKMXhHLUZua0dxZlRsRzAifQ.eyJpc3MiOiAiaHR0cHM6Ly9uZXctcnAuY2VydGlmaWNhdGlvbi5vcGVuaWQubmV0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWJhY2tjaGFubmVsLXJwaW5pdGxvZ291dCIsICJzdWIiOiAiMWIyZmM5MzQxYTE2YWU0ZTMwMDgyOTY1ZDUzN2FlNDdjMjFhMGYyN2ZkNDNlYWI3ODMzMGVkODE3NTFhZTZkYiIsICJhdWQiOiBbImczOThLaXFZNDJvcCJdLCAiZXhwIjogMTU3MzYzMDc0MCwgImFjciI6ICJQQVNTV09SRCIsICJpYXQiOiAxNTczNTQ0MzQwLCAiYXV0aF90aW1lIjogMTU3MzU0NDMzOSwgIm5vbmNlIjogImdPVi1MX2VaU2szd25nUmdqb2NMYUZ6elRONUZORXFiUDhkMFQ5MzItSkkifQ.vgOfMGDfNZrpHxdECNJOnZd1fjcon2cYaGI8nqlUrAXukr_1gDnQp8JyWHSpNQ8KMRtS0vEkSUK6m0pc4O6TcyiDpFCGw8fuvd5BbGWcRz_jQtNESSBFrngqYf9UMmOiesA2y7Rw8WCWRINPLDDBnEfx8htJt57wCxgf9IPTZqBzK3F9hq3DTXgRhgaIKAdNnuSD9hj0JzN23wUTfsovVMFeIazE1rtI259CbadQXWGVKPHkyQ7E2xXpvT-WVeeCvJ3zrbZodwe3OCOdDsDQ3aQGWi3lazjz-54UFAV3Ejv-GsGZ4vHBF3ENGiK3YTkPIYfouYW0ra2s6UziGKy0fw'}
2019-11-12 07:39:01,396 oic.oauth2.message:DEBUG Raw JSON: {'iss': 'https://new-rp.certification.openid.net:8080/mod_auth_openidc-code/rp-backchannel-rpinitlogout', 'sub': '1b2fc9341a16ae4e30082965d537ae47c21a0f27fd43eab78330ed81751ae6db', 'aud': ['g398KiqY42op'], 'exp': 1573630740, 'acr': 'PASSWORD', 'iat': 1573544340, 'auth_time': 1573544339, 'nonce': 'gOV-L_eZSk3wngRgjocLaFzzTN5FNEqbP8d0T932-JI'}
2019-11-12 07:39:01,396 oic.oauth2.message:DEBUG JWS header: {'alg': 'RS256', 'kid': 'mEkc1lQygoU10j2NlUE-YYBv2uoaJ1xG-FnkGqfTlG0'}
2019-11-12 07:39:01,396 oic.oauth2.message:DEBUG Found signing key.
2019-11-12 07:39:01,396 jwkest.jws:DEBUG Picking key by key type=RSA
2019-11-12 07:39:01,396 jwkest.jws:DEBUG Picking key based on alg=RS256, kid=mEkc1lQygoU10j2NlUE-YYBv2uoaJ1xG-FnkGqfTlG0 and use=
2019-11-12 07:39:01,396 jwkest.jws:DEBUG Picked: kid:mEkc1lQygoU10j2NlUE-YYBv2uoaJ1xG-FnkGqfTlG0, use:sig, kty:RSA
2019-11-12 07:39:01,396 jwkest.jws:DEBUG Picked: kid:mEkc1lQygoU10j2NlUE-YYBv2uoaJ1xG-FnkGqfTlG0, use:sig, kty:RSA
2019-11-12 07:39:01,397 jwkest.jws:DEBUG Verified message using key with kid=mEkc1lQygoU10j2NlUE-YYBv2uoaJ1xG-FnkGqfTlG0
2019-11-12 07:39:01,397 oic.oauth2:ERROR invalid_request
2019-11-12 07:39:01,397 oidctest.cp.op:DEBUG Error - Status:400, message:{"error": "invalid_request", "error_description": "Missing post_logout_redirect_uri"}
2019-11-12 07:39:01,398 cherrypy.access.140534150054464:INFO 212.84.155.17 - - [12/Nov/2019:07:39:01] "GET /mod_auth_openidc-code/rp-backchannel-rpinitlogout/end_session?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6Im1Fa2MxbFF5Z29VMTBqMk5sVUUtWVlCdjJ1b2FKMXhHLUZua0dxZlRsRzAifQ.eyJpc3MiOiAiaHR0cHM6Ly9uZXctcnAuY2VydGlmaWNhdGlvbi5vcGVuaWQubmV0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWJhY2tjaGFubmVsLXJwaW5pdGxvZ291dCIsICJzdWIiOiAiMWIyZmM5MzQxYTE2YWU0ZTMwMDgyOTY1ZDUzN2FlNDdjMjFhMGYyN2ZkNDNlYWI3ODMzMGVkODE3NTFhZTZkYiIsICJhdWQiOiBbImczOThLaXFZNDJvcCJdLCAiZXhwIjogMTU3MzYzMDc0MCwgImFjciI6ICJQQVNTV09SRCIsICJpYXQiOiAxNTczNTQ0MzQwLCAiYXV0aF90aW1lIjogMTU3MzU0NDMzOSwgIm5vbmNlIjogImdPVi1MX2VaU2szd25nUmdqb2NMYUZ6elRONUZORXFiUDhkMFQ5MzItSkkifQ.vgOfMGDfNZrpHxdECNJOnZd1fjcon2cYaGI8nqlUrAXukr_1gDnQp8JyWHSpNQ8KMRtS0vEkSUK6m0pc4O6TcyiDpFCGw8fuvd5BbGWcRz_jQtNESSBFrngqYf9UMmOiesA2y7Rw8WCWRINPLDDBnEfx8htJt57wCxgf9IPTZqBzK3F9hq3DTXgRhgaIKAdNnuSD9hj0JzN23wUTfsovVMFeIazE1rtI259CbadQXWGVKPHkyQ7E2xXpvT-WVeeCvJ3zrbZodwe3OCOdDsDQ3aQGWi3lazjz-54UFAV3Ejv-GsGZ4vHBF3ENGiK3YTkPIYfouYW0ra2s6UziGKy0fw HTTP/1.1" 400 794 "" "curl/7.66.0"
OK, know what it is. Needs a modification of pyOIDC. :-(
Pushed a PR to that effect.
The PR has been accepted and merged into the pyOIDC master.
in the latest release now https://github.com/openid-certification/oidctest/releases/tag/v1.2.3
When executing `rp-backchannel-rpinitlogout` and not providing a `post_logout_redirect_uri` parameter, the following error results in the browser:

According to https://openid.net/specs/openid-connect-session-1_0.html#RPLogout the `post_logout_redirect_uri` is optional so a request that does not have one should be accepted.
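
The behaviour requested above, sketched as an added example (not code from pyOIDC or oidctest): an end-session handler that accepts a request without `post_logout_redirect_uri`, and, when one is sent, redirects only on an exact match with a registered value. The function name, the `REGISTERED` table, the client id and the URLs are constructed for illustration, and `id_token_hint` verification is assumed to have happened already.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registration data; the client id and URI are placeholders.
REGISTERED = {"example-client": {"https://rp.example.test/logged_out"}}


class EndSessionError(Exception):
    """Request rejected with an OAuth-style error code and description."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error, self.description = error, description


def handle_end_session(url, hint_client_id, registered=REGISTERED):
    """Decide what the OP does with an end_session request.

    hint_client_id is the audience of an already verified id_token_hint,
    or None when no hint was sent (verification is out of scope here).
    Returns ("logged_out_page", None) or ("redirect", location).
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in params.items():
        if len(values) > 1:
            raise EndSessionError("invalid_request", f"duplicate {name}")
    redirect = params.get("post_logout_redirect_uri", [None])[0]
    state = params.get("state", [None])[0]

    if redirect is None:
        # Optional parameter absent: end the session, stay at the OP.
        return ("logged_out_page", None)
    if hint_client_id is None:
        raise EndSessionError(
            "invalid_request", "cannot identify client for redirect")
    # Exact string match against registered values, never prefix matching.
    if redirect not in registered.get(hint_client_id, set()):
        raise EndSessionError(
            "invalid_request", "post_logout_redirect_uri not registered")
    if state is not None:
        sep = "&" if urlsplit(redirect).query else "?"
        redirect += sep + urlencode({"state": state})
    return ("redirect", redirect)
```

The exact-match check is what keeps the logout endpoint from acting as an open redirector once the parameter is accepted as optional.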