Closed zandbelt closed 4 years ago
So, to properly fix this I should do it in pyOIDC. Which has to wait until I get my PRs accepted.
Should be resolved now.
I currently cannot verify this because it is blocked on the "cookie issue", which then apparently was introduced after later changes.
It was hidden behind :-/
Now it is a bit too friendly, I guess, because even when the backchannel call fails, the code continues and declares the user logged out:

```
2019-11-11 09:02:36,814 oic.oic.provider:INFO logging out from 4VaeQniRQB9U at https://localhost.zmartzone.eu:444/protected/?logout=backchannel
2019-11-11 09:02:36,815 urllib3.connectionpool:DEBUG Starting new HTTPS connection (1): localhost.zmartzone.eu:444
2019-11-11 09:02:36,817 oic.oauth2.base:ERROR http_request failed: HTTPSConnectionPool(host='localhost.zmartzone.eu', port=444): Max retries exceeded with url: /protected/?logout=backchannel (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fc9401956a0>: Failed to establish a new connection: [Errno 111] Connection refused',)), url: https://localhost.zmartzone.eu:444/protected/?logout=backchannel, htargs: {'allow_redirects': False, 'cert': None, 'verify': False, 'timeout': 5, 'data': 'logout_token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImFyVDJiVDgwY1N5SDhCZzQ5cHFzeFVfWktkaTE5d3BfUjA5bEF0V1JqeVkifQ.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.pt-87djk4KarMLUrneDPbEE2YR7RNsaHAkY2W9aQKq3INZtszUvJCJcojDxFkzwfVJkgv9sAFrdN5F2RHHo6RNO7hRlJlAGWLN66GYCugw_hi6VcQ_mIgu5nq-1Rm-TPUao3OfApgT4RytIv7OsRzuIzJ8Ll052wyJhQM9PyFbj66svCTazowuTNOJLHbIesPjAVHT9Wl-P6UWMPBh8eAgOiB9rHLypBRGlOwnzDlGRotx6rtuv3-1YfqAb4Wc3o4UGF2WNYVn6egtw7N3bZADeuyqXq4M5TLWRr8zEMXil0L7ecC3dbuKjDnRNCZbu2d10CDrZ7D-kHEYdACiqeyQ'}, method: POST
2019-11-11 09:02:36,817 oic.oic.provider:ERROR failed to logout from 4VaeQniRQB9U
2019-11-11 09:02:36,817 cherrypy.access.140502637085976:INFO 192.168.16.1 - - [11/Nov/2019:09:02:36] "GET /mod_auth_openidc-code/rp-backchannel-rpinitlogout/logout?sjwt=eyJhbGciOiJSUzI1NiIsImtpZCI6ImFyVDJiVDgwY1N5SDhCZzQ5cHFzeFVfWktkaTE5d3BfUjA5bEF0V1JqeVkifQ.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.dGSt7C34AdmwGvI9gl95zIn6NmK_TE-qaWm3uKjTRhC_x4a3i8UzMmL9NMUO_Dc1uuEar3hnu78lq4Du4vSxoLbHk-GnPuARSZh6HKuI3wdQdfN1yGGjXPZqjt350-ea8Zexds8cyJBJ6WKPwxoMoWo28W46lgOM-JleQ8O2MN9rg1osXdcGyOApRh1Y5WGAOVlsnURhZEa8auyDT_mZQhLnCa4hc4QlGR4dMbmZky90PChlzwK6Xa5Wn5nGl87XGky6yumKLIoo0SGqDJGSyg1MHJnIxyTZCYe76lL_ovyBRfEteZgHsDDEVQbz4zkKBUpAKwWAXurXaMvjsSLU5g HTTP/1.1" 200 826 "" "curl/7.66.0"
```
Hmm, that was not optimal.
Checked in a remedy.
It is better now, as it displays:

```
500 Internal Server Error
Backchannel logout failed. No Frontchannel logout defined
```
A logout attempt that fails because the URL is not accessible on the backchannel results in the browser displaying:

and a server-side stacktrace as below at [1]; to avoid repeated helpdesk overload I believe it is imperative that this type of error is handled more gracefully and clearly explains to the tester about the inaccessible endpoint.
[1]
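The behaviour argued over in this thread, a back-channel logout POST that fails must not end with the user silently declared logged out, and the error shown should name the endpoint that could not be reached, as an added Python example. This is not pyoidc's code or the fix checked in above; the HTTP transport is injected as a callable so the sample runs offline, and the client ids, URLs and tokens are constructed placeholders.

```python
"""Back-channel logout dispatch that never reports success for an unreachable RP.

Added example, not pyoidc code. The HTTP transport is injected (post(uri, data,
timeout) -> status code) so the module runs offline; all names and URLs below
are constructed.
"""
import logging
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

log = logging.getLogger("bc_logout_example")


@dataclass
class RpLogoutResult:
    client_id: str
    uri: str
    ok: bool
    detail: str


# Injected transport: post(uri, form_data, timeout_seconds) -> HTTP status code.
PostFn = Callable[[str, Dict[str, str], float], int]


def backchannel_logout(
    rp_uris: Dict[str, str],
    logout_tokens: Dict[str, str],
    post: PostFn,
    timeout: float = 5.0,
) -> List[RpLogoutResult]:
    """POST a logout_token to every RP's back-channel logout URI.

    Every RP gets its own result. Transport errors (connection refused, timeout,
    TLS failure) and non-2xx answers are recorded as failures rather than logged
    and then ignored, so the caller cannot mistake them for a completed logout.
    """
    results: List[RpLogoutResult] = []
    for client_id, uri in rp_uris.items():
        token = logout_tokens.get(client_id)
        if token is None:
            results.append(RpLogoutResult(client_id, uri, False, "no logout_token minted"))
            continue
        try:
            status = post(uri, {"logout_token": token}, timeout)
        except Exception as exc:  # connection refused, timeout, TLS error ...
            log.error("failed to logout from %s at %s: %s", client_id, uri, exc)
            results.append(RpLogoutResult(client_id, uri, False, f"unreachable: {exc}"))
            continue
        ok = 200 <= status < 300
        results.append(RpLogoutResult(client_id, uri, ok, f"HTTP {status}"))
    return results


def logout_outcome(results: List[RpLogoutResult]) -> Tuple[bool, str]:
    """Collapse per-RP results into (all_ok, message for the person testing).

    The message lists each endpoint that did not confirm the logout, which is
    what distinguishes a useful error page from a bare 500.
    """
    failed = [r for r in results if not r.ok]
    if not failed:
        return True, f"Logged out from {len(results)} relying party/parties"
    lines = [f"Backchannel logout failed for {len(failed)} of {len(results)} relying parties:"]
    lines += [f"  {r.client_id} ({r.uri}): {r.detail}" for r in failed]
    return False, "\n".join(lines)


# --- constructed offline transport for the demonstration ---------------------
def fake_post(uri: str, data: Dict[str, str], timeout: float) -> int:
    """Stand-in HTTP client: one RP accepts the token, the other refuses the connection."""
    if ":444/" in uri:
        raise ConnectionRefusedError("[Errno 111] Connection refused")
    return 200


SAMPLE_RPS = {
    "rp-one": "https://rp-one.example/backchannel_logout",  # constructed, reachable in fake_post
    "rp-two": "https://rp-two.example:444/logout",           # constructed, refused in fake_post
}
SAMPLE_TOKENS = {"rp-one": "eyJ.constructed.token1", "rp-two": "eyJ.constructed.token2"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    all_ok, message = logout_outcome(backchannel_logout(SAMPLE_RPS, SAMPLE_TOKENS, fake_post))
    print(message)
```

Wiring a real client in place of `fake_post` is one line (a wrapper around `requests.post(...).status_code`, with the same timeout the OP already passes); the point of the shape is that the OP-side session is only cleared when `logout_outcome` returns `True`, and otherwise the per-RP detail is what ends up on the error page.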