rp-frontchannel-rpinitlogout: error when no post logout redirect URI is registered

[zandbelt]

When not providing a post_logout_uri at registration time, logout (without a post_redirect_uri parameter) fails with:

     <h2>400 Bad Request</h2>
        <p>{"error": "server_error", "error_description": "Have no post logout page configured"}</p>

I believe the OP should just present a logged out page instead of forcing the RP to provide a post redirect URI.

[panva]

I believe the OP should just present a logged out page instead of forcing the RP to provide a post redirect URI.

Correct.

[rohe]

That sounds like a configuration error. I'll have a look and will get back.

[rohe]

Was a bit more. Luckily there is nothing we need to change in pyOIDC. I'll fix this when I'm back from town around 3pm.

[zandbelt]

there seems to be a commit that is supposed to fix this issue https://github.com/openid-certification/oidctest/commit/635a5659f9b6d8db3df70733f6325c5a752892e9 but it does not seem to actually trigger the required behaviour; it still renders:

400 Bad Request
{"error": "invalid_request", "error_description": "Post logout redirect URI verification failed!"}

[rohe]

That's a new error. Not the same as before.

[rohe]

Have you run that test locally ? If so may I see the log ? That error should only be visible if you supplied a post_logout_redirect_uri which you said you didn't. So I'm a bit confused.

[zandbelt]

I see, I mixed old error messages: the new one is actually a 404 on the post logout page:

2019-12-04 08:33:07,522 cherrypy.access.140207846977096:INFO 192.168.240.1 - - [04/Dec/2019:08:33:07] "GET /mod_auth_openidc-code/rp-frontchannel-rpinitlogout/post_logout_page HTTP/1.1" 404 734 "" "curl/7.66.0"

full log below

2019-12-04 08:33:06,978 oidctest.cp.op:INFO ent:192.168.240.1, vpath: ['mod_auth_openidc-code', 'rp-frontchannel-rpinitlogout', '.well-known', 'openid-configuration']
2019-12-04 08:33:07,057 oic.oauth2.provider:INFO @providerinfo_endpoint
2019-12-04 08:33:07,059 oic.oauth2.provider:INFO provider_info_response: {'version': '3.0', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic', 'client_secret_jwt', 'private_key_jwt'], 'claims_parameter_supported': True, 'request_parameter_supported': True, 'request_uri_parameter_supported': True, 'require_request_uri_registration': False, 'grant_types_supported': ['authorization_code', 'implicit', 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'refresh_token'], 'frontchannel_logout_supported': True, 'frontchannel_logout_session_supported': True, 'backchannel_logout_supported': False, 'backchannel_logout_session_supported': False, 'response_types_supported': ['code', 'id_token token', 'code id_token', 'code token', 'code id_token token'], 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['public', 'pairwise'], 'claim_types_supported': ['normal', 'aggregated', 'distributed'], 'scopes_supported': ['phone', 'offline_access', 'email', 'address', 'openid', 'profile'], 'token_endpoint_auth_signing_alg_values_supported': ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512'], 'revocation_endpoint_auth_signing_alg_values_supported': ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512'], 'revocation_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic', 'client_secret_jwt', 'private_key_jwt'], 'introspection_endpoint_auth_signing_alg_values_supported': ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512'], 'introspection_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic', 'client_secret_jwt', 'private_key_jwt'], 'claims_supported': ['phone_number', 'given_name', 'phone_number_verified', 'sub', 'zoneinfo', 'locale', 'gender', 'middle_name', 'birthdate', 'updated_at', 'email', 'preferred_username', 'nickname', 'email_verified', 'family_name', 'address', 'picture', 'website', 'name', 'profile'], 'userinfo_signing_alg_values_supported': ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512', 'none'], 'id_token_signing_alg_values_supported': ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512', 'none'], 'request_object_signing_alg_values_supported': ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512', 'none'], 'userinfo_encryption_alg_values_supported': ['RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256', 'A128KW', 'A192KW', 'A256KW', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'], 'id_token_encryption_alg_values_supported': ['RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256', 'A128KW', 'A192KW', 'A256KW', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'], 'request_object_encryption_alg_values_supported': ['RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256', 'A128KW', 'A192KW', 'A256KW', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'], 'userinfo_encryption_enc_values_supported': ['A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512', 'A128GCM', 'A192GCM', 'A256GCM'], 'id_token_encryption_enc_values_supported': ['A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512', 'A128GCM', 'A192GCM', 'A256GCM'], 'request_object_encryption_enc_values_supported': ['A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512', 'A128GCM', 'A192GCM', 'A256GCM'], 'acr_values_supported': ['PASSWORD'], 'issuer': 'https://rp-test:8080/mod_auth_openidc-code/rp-frontchannel-rpinitlogout', 'jwks_uri': 'https://rp-test:8080/static/jwks_1J7WDIe2FgvTBc5W.json', 'authorization_endpoint': 'https://rp-test:8080/mod_auth_openidc-code/rp-frontchannel-rpinitlogout/authorization', 'token_endpoint': 'https://rp-test:8080/mod_auth_openidc-code/rp-frontchannel-rpinitlogout/token', 'userinfo_endpoint': 'https://rp-test:8080/mod_auth_openidc-code/rp-frontchannel-rpinitlogout/userinfo', 'registration_endpoint': 'https://rp-test:8080/mod_auth_openidc-code/rp-frontchannel-rpinitlogout/registration', 'end_session_endpoint': 'https://rp-test:8080/mod_auth_openidc-code/rp-frontchannel-rpinitlogout/end_session'}
2019-12-04 08:33:07,059 cherrypy.access.140207846977096:INFO 192.168.240.1 - - [04/Dec/2019:08:33:07] "GET /mod_auth_openidc-code/rp-frontchannel-rpinitlogout/.well-known/openid-configuration HTTP/1.1" 200 4193 "" "mod_auth_openidc"
2019-12-04 08:33:07,080 oidctest.cp.op:INFO ent:192.168.240.1, vpath: ['mod_auth_openidc-code', 'rp-frontchannel-rpinitlogout', 'registration']
2019-12-04 08:33:07,080 oidctest.cp.op:DEBUG request_body: b'{"client_name":"OpenID Connect Apache Module (mod_auth_openidc)","redirect_uris":["https://localhost.zmartzone.eu/protected/"],"response_types":["code","id_token","id_token token","code id_token","code token","code id_token token"],"token_endpoint_auth_method":"client_secret_basic","contacts":["hans.zandbelt@zmartzone.eu"],"jwks_uri":"https://www.zmartzone.eu/jwks","initiate_login_uri":"https://localhost.zmartzone.eu/protected/","frontchannel_logout_uri":"https://localhost.zmartzone.eu/protected/?logout=get","backchannel_logout_uri":"https://localhost.zmartzone.eu/protected/?logout=backchannel","id_token_token_binding_cnf":"tbh"}'
2019-12-04 08:33:07,080 oic.oic.provider:DEBUG @registration_endpoint: <<{"client_name":"OpenID Connect Apache Module (mod_auth_openidc)","redirect_uris":["https://localhost.zmartzone.eu/protected/"],"response_types":["code","<REDACTED>","id_token token","code id_token","code token","code id_token token"],"token_endpoint_auth_method":"client_secret_basic","contacts":["hans.zandbelt@zmartzone.eu"],"jwks_uri":"https://www.zmartzone.eu/jwks","initiate_login_uri":"https://localhost.zmartzone.eu/protected/","frontchannel_logout_uri":"https://localhost.zmartzone.eu/protected/?logout=get","backchannel_logout_uri":"https://localhost.zmartzone.eu/protected/?logout=backchannel","id_token_token_binding_cnf":"tbh"}>>
2019-12-04 08:33:07,081 oic.oic.provider:INFO registration_request:{'application_type': 'web', 'response_types': ['code', 'id_token', 'id_token token', 'code id_token', 'code token', 'code id_token token'], 'client_name': 'OpenID Connect Apache Module (mod_auth_openidc)', 'redirect_uris': ['https://localhost.zmartzone.eu/protected/'], 'token_endpoint_auth_method': 'client_secret_basic', 'contacts': ['hans.zandbelt@zmartzone.eu'], 'jwks_uri': 'https://www.zmartzone.eu/jwks', 'initiate_login_uri': 'https://localhost.zmartzone.eu/protected/', 'frontchannel_logout_uri': 'https://localhost.zmartzone.eu/protected/?logout=get', 'backchannel_logout_uri': 'https://localhost.zmartzone.eu/protected/?logout=backchannel', 'id_token_token_binding_cnf': 'tbh'}
2019-12-04 08:33:07,081 oic.oic.provider:DEBUG _cinfo: {'client_id': 'vfvJx3nqeFX1', 'client_secret': '<REDACTED>', 'registration_access_token': 'bLc2cXjC1tm0TKivek4jih9UfN92nwnu', 'registration_client_uri': 'https://rp-test:8080/mod_auth_openidc-code/registration?client_id=vfvJx3nqeFX1', 'client_secret_expires_at': 1575534787, 'client_id_issued_at': 1575448387, 'client_salt': 'QWEmmcE6'}
2019-12-04 08:33:07,081 oic.utils.keyio:DEBUG loading keys for issuer: vfvJx3nqeFX1
2019-12-04 08:33:07,081 oic.utils.keyio:DEBUG pcr: {'application_type': 'web', 'response_types': ['code', 'id_token', 'id_token token', 'code id_token', 'code token', 'code id_token token'], 'client_name': 'OpenID Connect Apache Module (mod_auth_openidc)', 'redirect_uris': ['https://localhost.zmartzone.eu/protected/'], 'token_endpoint_auth_method': 'client_secret_basic', 'contacts': ['hans.zandbelt@zmartzone.eu'], 'jwks_uri': 'https://www.zmartzone.eu/jwks', 'initiate_login_uri': 'https://localhost.zmartzone.eu/protected/', 'frontchannel_logout_uri': 'https://localhost.zmartzone.eu/protected/?logout=get', 'backchannel_logout_uri': 'https://localhost.zmartzone.eu/protected/?logout=backchannel', 'id_token_token_binding_cnf': 'tbh'}
2019-12-04 08:33:07,081 oic.oic.provider:DEBUG found 1 keys for client_id=vfvJx3nqeFX1
2019-12-04 08:33:07,081 oic.oic.provider:INFO registration_response: {'client_id': 'vfvJx3nqeFX1', 'client_secret': '<REDACTED>', 'registration_access_token': 'bLc2cXjC1tm0TKivek4jih9UfN92nwnu', 'registration_client_uri': 'https://rp-test:8080/mod_auth_openidc-code/registration?client_id=vfvJx3nqeFX1', 'client_secret_expires_at': 1575534787, 'client_id_issued_at': 1575448387, 'application_type': 'web', 'response_types': ['code', 'id_token', 'id_token token', 'code id_token', 'code token', 'code id_token token'], 'client_name': 'OpenID Connect Apache Module (mod_auth_openidc)', 'token_endpoint_auth_method': 'client_secret_basic', 'contacts': ['hans.zandbelt@zmartzone.eu'], 'jwks_uri': 'https://www.zmartzone.eu/jwks', 'initiate_login_uri': 'https://localhost.zmartzone.eu/protected/', 'frontchannel_logout_uri': 'https://localhost.zmartzone.eu/protected/?logout=get', 'backchannel_logout_uri': 'https://localhost.zmartzone.eu/protected/?logout=backchannel', 'redirect_uris': ['https://localhost.zmartzone.eu/protected/']}
2019-12-04 08:33:07,082 cherrypy.access.140207846977096:INFO 192.168.240.1 - - [04/Dec/2019:08:33:07] "POST /mod_auth_openidc-code/rp-frontchannel-rpinitlogout/registration HTTP/1.1" 201 1006 "" "mod_auth_openidc"
2019-12-04 08:33:07,125 oidctest.cp.op:INFO ent:192.168.240.1, vpath: ['mod_auth_openidc-code', 'rp-frontchannel-rpinitlogout', 'authorization']
2019-12-04 08:33:07,125 oidctest.cp.op:DEBUG AuthorizationRequest: {'response_type': 'code', 'scope': 'openid', 'client_id': 'vfvJx3nqeFX1', 'state': 'ESCeywdc_QlHKtUiUSwKC6kDHE0', 'redirect_uri': 'https://localhost.zmartzone.eu/protected/', 'nonce': 'm1ZUK0UtCH_QyZgZop8c6NEAkVBqDoBL3ImLnh59s5Q'}
2019-12-04 08:33:07,125 oic.oauth2.provider:DEBUG Request: 'response_type=code&scope=openid&client_id=vfvJx3nqeFX1&state=ESCeywdc_QlHKtUiUSwKC6kDHE0&redirect_uri=https%3A%2F%2Flocalhost.zmartzone.eu%2Fprotected%2F&nonce=m1ZUK0UtCH_QyZgZop8c6NEAkVBqDoBL3ImLnh59s5Q'
2019-12-04 08:33:07,126 root:DEBUG KeyBundle fetch keys from: https://www.zmartzone.eu/jwks
2019-12-04 08:33:07,126 urllib3.connectionpool:DEBUG Starting new HTTPS connection (1): www.zmartzone.eu:443
2019-12-04 08:33:07,138 urllib3.connectionpool:DEBUG https://www.zmartzone.eu:443 "GET /jwks HTTP/1.1" 200 752
2019-12-04 08:33:07,139 oic.utils.keyio:DEBUG Loaded JWKS: { "keys" : [ {"kty":"RSA","kid":"Aenckeykid","e":"AQAB","n":"2sDzGBWiOyc4r7Q3mRWas28PGY9FzD4LIiyO4jkz1rgvJos_U1zOY6XW-BF_OHDQs13NzHhv1oYwCFOO4e97SDeNHMnkP9gn0pi_RVSfEngOTp5wjVBIFfFpk3beuwDDIR8y-QWMfY20CY8jZfpQqqaS8BLGATlUqHwGsvBP228QPc6PcypgUQbR0MouSWMa0icg2l4eUwpaNzoCfJb4JAih5TMBxp4kSE1Ib0XqYaTU2mU0V9HgrKjDRYwmvmWEZVx6zHGL7LJ-mITYSFq6455wkFJ-9XEkNPORCzPh5UJ4940BJy0zOzifkri9gsDw1nuBd0jcb16G--75HIv3JKNoUnKZPkQzbe8b7LIR2DQXeHPA_4o4r-Aio3osQuSgZOaffaplY_DC661gfAMxn6BbcCyW0W5zm_mz6S_tOQnrgLai7FevbX1f5EV5gPno_2ouzpAIYTFcElKp_hrEAMW04Mg7apY8j1OEOuikNupqFDBCp3xmaMuf35g5HcmUgFwvKD41Vu0mc69gXcjshwrtbHPOQLCHtyQiyxjsU3OOHcMAEx9lRCvmvGfRVgliJvVflZBl8scSM1NN_I3ATy2hfBwKxC3X9qbBp-LFXUtAikoSHTxvBZGi1Kl7eEPc8udH2iW8hP7Q7vhTb3kG7XMaMmtcOK6hh0J4LutqYhc"}  ] }
 from https://www.zmartzone.eu/jwks
2019-12-04 08:33:07,139 oic.utils.keyio:DEBUG Loaded JWKS: { "keys" : [ {"kty":"RSA","kid":"Aenckeykid","e":"AQAB","n":"2sDzGBWiOyc4r7Q3mRWas28PGY9FzD4LIiyO4jkz1rgvJos_U1zOY6XW-BF_OHDQs13NzHhv1oYwCFOO4e97SDeNHMnkP9gn0pi_RVSfEngOTp5wjVBIFfFpk3beuwDDIR8y-QWMfY20CY8jZfpQqqaS8BLGATlUqHwGsvBP228QPc6PcypgUQbR0MouSWMa0icg2l4eUwpaNzoCfJb4JAih5TMBxp4kSE1Ib0XqYaTU2mU0V9HgrKjDRYwmvmWEZVx6zHGL7LJ-mITYSFq6455wkFJ-9XEkNPORCzPh5UJ4940BJy0zOzifkri9gsDw1nuBd0jcb16G--75HIv3JKNoUnKZPkQzbe8b7LIR2DQXeHPA_4o4r-Aio3osQuSgZOaffaplY_DC661gfAMxn6BbcCyW0W5zm_mz6S_tOQnrgLai7FevbX1f5EV5gPno_2ouzpAIYTFcElKp_hrEAMW04Mg7apY8j1OEOuikNupqFDBCp3xmaMuf35g5HcmUgFwvKD41Vu0mc69gXcjshwrtbHPOQLCHtyQiyxjsU3OOHcMAEx9lRCvmvGfRVgliJvVflZBl8scSM1NN_I3ATy2hfBwKxC3X9qbBp-LFXUtAikoSHTxvBZGi1Kl7eEPc8udH2iW8hP7Q7vhTb3kG7XMaMmtcOK6hh0J4LutqYhc"}  ] }
 from https://www.zmartzone.eu/jwks
2019-12-04 08:33:07,139 oic.oic:DEBUG Found 4 verify keys
2019-12-04 08:33:07,139 oic.oauth2.provider:DEBUG AuthzRequest: {'response_type': 'code', 'scope': 'openid', 'client_id': 'vfvJx3nqeFX1', 'state': 'ESCeywdc_QlHKtUiUSwKC6kDHE0', 'redirect_uri': 'https://localhost.zmartzone.eu/protected/', 'nonce': 'm1ZUK0UtCH_QyZgZop8c6NEAkVBqDoBL3ImLnh59s5Q'}
2019-12-04 08:33:07,140 oic.oic.provider:INFO authorization_request: {'response_type': 'code', 'scope': 'openid', 'client_id': 'vfvJx3nqeFX1', 'state': 'ESCeywdc_QlHKtUiUSwKC6kDHE0', 'redirect_uri': 'https://localhost.zmartzone.eu/protected/', 'nonce': 'm1ZUK0UtCH_QyZgZop8c6NEAkVBqDoBL3ImLnh59s5Q'}
2019-12-04 08:33:07,140 oic.oauth2.provider:INFO No active authentication
2019-12-04 08:33:07,140 oic.oic.provider:DEBUG - authenticated -
2019-12-04 08:33:07,140 oic.oic.provider:DEBUG AREQ keys: ['response_type', 'scope', 'client_id', 'state', 'redirect_uri', 'nonce']
2019-12-04 08:33:07,140 oic.oauth2.provider:DEBUG - in authenticated() -
2019-12-04 08:33:07,140 oic.oauth2.provider:DEBUG response type: ['code']
2019-12-04 08:33:07,141 oic.oic.provider:INFO authorization response: {'state': 'ESCeywdc_QlHKtUiUSwKC6kDHE0', 'scope': 'openid', 'code': '<REDACTED>', 'iss': 'https://rp-test:8080/mod_auth_openidc-code/rp-frontchannel-rpinitlogout', 'client_id': 'vfvJx3nqeFX1'}
2019-12-04 08:33:07,141 oic.oic.provider:DEBUG Redirected to: 'https://localhost.zmartzone.eu/protected/?state=ESCeywdc_QlHKtUiUSwKC6kDHE0&scope=openid&code=<REDACTED>&iss=https%3A%2F%2Frp-test%3A8080%2Fmod_auth_openidc-code%2Frp-frontchannel-rpinitlogout&client_id=vfvJx3nqeFX1' :: <class 'str'>
2019-12-04 08:33:07,141 oidctest.cp.op:DEBUG Response cookie: pyoidc_sso="1575448387|hogzZcdNSuNVfoHTDRvC1g==|4rhihb8ji0mtQ6u2G5Wc9w2zgt67XJyusMDF6c/PTSaJOYbZ|Y8loqUKH8APdE8+J9CqDBw=="; expires=Wed, 04-Dec-2019 10:33:07 GMT; HttpOnly; Path=/; Secure
2019-12-04 08:33:07,142 cherrypy.access.140207846977096:INFO 192.168.240.1 - - [04/Dec/2019:08:33:07] "GET /mod_auth_openidc-code/rp-frontchannel-rpinitlogout/authorization?response_type=code&scope=openid&client_id=vfvJx3nqeFX1&state=ESCeywdc_QlHKtUiUSwKC6kDHE0&redirect_uri=https%3A%2F%2Flocalhost.zmartzone.eu%2Fprotected%2F&nonce=m1ZUK0UtCH_QyZgZop8c6NEAkVBqDoBL3ImLnh59s5Q HTTP/1.1" 302 1147 "" "curl/7.66.0"
2019-12-04 08:33:07,203 oidctest.cp.op:INFO ent:192.168.240.1, vpath: ['mod_auth_openidc-code', 'rp-frontchannel-rpinitlogout', 'token']
2019-12-04 08:33:07,203 oidctest.cp.op:DEBUG Authorization: Basic dmZ2SngzbnFlRlgxOjg4Zjc2N2E0NzMwNWI1OTVkYjQxNDhiNjZhMTUyNzMwNjAyNjA5MDQ2ZTljZTg4YmJkYzIxZmI0
2019-12-04 08:33:07,203 oic.utils.authn.client:DEBUG REQ: {'grant_type': 'authorization_code', 'code': '<REDACTED>', 'redirect_uri': 'https://localhost.zmartzone.eu/protected/', 'state': 'ESCeywdc_QlHKtUiUSwKC6kDHE0'}
2019-12-04 08:33:07,204 oic.utils.authn.client:DEBUG Basic auth
2019-12-04 08:33:07,204 oic.oauth2.provider:DEBUG - token -
2019-12-04 08:33:07,204 oic.oauth2.provider:DEBUG token_request: {'grant_type': 'authorization_code', 'code': '<REDACTED>', 'redirect_uri': 'https://localhost.zmartzone.eu/protected/', 'state': 'ESCeywdc_QlHKtUiUSwKC6kDHE0'}
2019-12-04 08:33:07,204 oic.utils.authn.client:DEBUG REQ: {'grant_type': 'authorization_code', 'code': '<REDACTED>', 'redirect_uri': 'https://localhost.zmartzone.eu/protected/', 'state': 'ESCeywdc_QlHKtUiUSwKC6kDHE0'}
2019-12-04 08:33:07,204 oic.utils.authn.client:DEBUG Basic auth
2019-12-04 08:33:07,204 oic.oauth2.provider:DEBUG AccessTokenRequest: {'grant_type': 'authorization_code', 'code': '<REDACTED>', 'redirect_uri': 'https://localhost.zmartzone.eu/protected/', 'state': 'ESCeywdc_QlHKtUiUSwKC6kDHE0'}
2019-12-04 08:33:07,205 oic.oic.provider:DEBUG All checks OK
2019-12-04 08:33:07,205 oic.oic:DEBUG authzreq: {'response_type': 'code', 'scope': 'openid', 'client_id': 'vfvJx3nqeFX1', 'state': 'ESCeywdc_QlHKtUiUSwKC6kDHE0', 'redirect_uri': 'https://localhost.zmartzone.eu/protected/', 'nonce': 'm1ZUK0UtCH_QyZgZop8c6NEAkVBqDoBL3ImLnh59s5Q'}
2019-12-04 08:33:07,205 oic.oic.provider:DEBUG Signing alg: RS256 [RSA]
2019-12-04 08:33:07,205 oic.oic:DEBUG authzreq: {'response_type': 'code', 'scope': 'openid', 'client_id': 'vfvJx3nqeFX1', 'state': 'ESCeywdc_QlHKtUiUSwKC6kDHE0', 'redirect_uri': 'https://localhost.zmartzone.eu/protected/', 'nonce': 'm1ZUK0UtCH_QyZgZop8c6NEAkVBqDoBL3ImLnh59s5Q'}
2019-12-04 08:33:07,205 oic.oic.provider:DEBUG id_token: {'iss': 'https://rp-test:8080/mod_auth_openidc-code/rp-frontchannel-rpinitlogout', 'sub': '1b2fc9341a16ae4e30082965d537ae47c21a0f27fd43eab78330ed81751ae6db', 'aud': ['vfvJx3nqeFX1'], 'exp': 1575534787, 'acr': 'PASSWORD', 'iat': 1575448387, 'sid': '0bb62ee48f5a20b62ef6c5fb97bf365db1e37ebf3f5cd6f4fe4a6190', 'auth_time': 1575448387, 'nonce': 'm1ZUK0UtCH_QyZgZop8c6NEAkVBqDoBL3ImLnh59s5Q'}
2019-12-04 08:33:07,206 jwkest.jws:DEBUG Picking key by key type=RSA
2019-12-04 08:33:07,206 jwkest.jws:DEBUG Picking key based on alg=RS256, kid=None and use=sig
2019-12-04 08:33:07,206 jwkest.jws:DEBUG Picked: kid:s8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE, use:sig, kty:RSA
2019-12-04 08:33:07,206 root:DEBUG JWT header: {'alg': 'RS256', 'kid': 's8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE'}
2019-12-04 08:33:07,207 jwkest.jws:DEBUG Signed message using key with kid=s8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE
2019-12-04 08:33:07,208 oic.oic.provider:DEBUG _tinfo: {'oauth_state': 'token', 'code': '<REDACTED>', 'code_used': True, 'authzreq': '{"response_type": "code", "scope": "openid", "client_id": "vfvJx3nqeFX1", "state": "ESCeywdc_QlHKtUiUSwKC6kDHE0", "redirect_uri": "https://localhost.zmartzone.eu/protected/", "nonce": "m1ZUK0UtCH_QyZgZop8c6NEAkVBqDoBL3ImLnh59s5Q"}', 'client_id': 'vfvJx3nqeFX1', 'response_type': ['code'], 'revoked': False, 'authn_event': '{"uid": "diana", "salt": "", "authn_time": 1575448387, "valid_until": 1575451987, "authn_info": "PASSWORD"}', 'nonce': 'm1ZUK0UtCH_QyZgZop8c6NEAkVBqDoBL3ImLnh59s5Q', 'redirect_uri': 'https://localhost.zmartzone.eu/protected/', 'state': 'ESCeywdc_QlHKtUiUSwKC6kDHE0', 'scope': ['openid'], 'sub': '1b2fc9341a16ae4e30082965d537ae47c21a0f27fd43eab78330ed81751ae6db', 'permission': '', 'access_token': '<REDACTED>', 'access_token_scope': '?', 'token_type': 'Bearer', 'sid': '0bb62ee48f5a20b62ef6c5fb97bf365db1e37ebf3f5cd6f4fe4a6190', 'id_token': 'eyJhbGciOiJSUzI1NiIsImtpZCI6InM4UWpldDA5dzgzc3QwaWtXUFRXMFN6QnJkTHBud0doWlZKZE5wTldrQkUifQ.eyJpc3MiOiAiaHR0cHM6Ly9ycC10ZXN0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWZyb250Y2hhbm5lbC1ycGluaXRsb2dvdXQiLCAic3ViIjogIjFiMmZjOTM0MWExNmFlNGUzMDA4Mjk2NWQ1MzdhZTQ3YzIxYTBmMjdmZDQzZWFiNzgzMzBlZDgxNzUxYWU2ZGIiLCAiYXVkIjogWyJ2ZnZKeDNucWVGWDEiXSwgImV4cCI6IDE1NzU1MzQ3ODcsICJhY3IiOiAiUEFTU1dPUkQiLCAiaWF0IjogMTU3NTQ0ODM4NywgInNpZCI6ICIwYmI2MmVlNDhmNWEyMGI2MmVmNmM1ZmI5N2JmMzY1ZGIxZTM3ZWJmM2Y1Y2Q2ZjRmZTRhNjE5MCIsICJhdXRoX3RpbWUiOiAxNTc1NDQ4Mzg3LCAibm9uY2UiOiAibTFaVUswVXRDSF9ReVpnWm9wOGM2TkVBa1ZCcURvQkwzSW1Mbmg1OXM1USJ9.NOxB6JsFVPGrUKexuUgZ1gKV9S9Q5SaP4HUhxPj4-aW3GhUrAVW5nwNiZpf0xLCbX0hGfawX0YRqqS4f8j4bmKaBfxMZgplwVA1RSkQrzMSDL5zdhMWkEF1zzCdH1kjCR6GPT_TfkX6_h-RcQV3F4iUUS_gKKtQTdjzQo3Ecw7PS-l4BFsYpdyunrQryfivbyXYImTIYBFlhAnyM0XzGwn9dMj_JH0byFksVeMsZT7ZIBH3_DWJbe3gnncBK5bMcRvXsuEWviCBTiqURqOcC-uVR6KBvr7Ie3CBH14nf3jqdVhq30JFtRLL2nE5iafnQPyhXQ4xaUf6KSQ-SYEFGBA'}
2019-12-04 08:33:07,208 oic.oic.provider:INFO access_token_response: {'state': 'ESCeywdc_QlHKtUiUSwKC6kDHE0', 'scope': 'openid', 'access_token': '<REDACTED>', 'token_type': 'Bearer', 'id_token': 'eyJhbGciOiJSUzI1NiIsImtpZCI6InM4UWpldDA5dzgzc3QwaWtXUFRXMFN6QnJkTHBud0doWlZKZE5wTldrQkUifQ.eyJpc3MiOiAiaHR0cHM6Ly9ycC10ZXN0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWZyb250Y2hhbm5lbC1ycGluaXRsb2dvdXQiLCAic3ViIjogIjFiMmZjOTM0MWExNmFlNGUzMDA4Mjk2NWQ1MzdhZTQ3YzIxYTBmMjdmZDQzZWFiNzgzMzBlZDgxNzUxYWU2ZGIiLCAiYXVkIjogWyJ2ZnZKeDNucWVGWDEiXSwgImV4cCI6IDE1NzU1MzQ3ODcsICJhY3IiOiAiUEFTU1dPUkQiLCAiaWF0IjogMTU3NTQ0ODM4NywgInNpZCI6ICIwYmI2MmVlNDhmNWEyMGI2MmVmNmM1ZmI5N2JmMzY1ZGIxZTM3ZWJmM2Y1Y2Q2ZjRmZTRhNjE5MCIsICJhdXRoX3RpbWUiOiAxNTc1NDQ4Mzg3LCAibm9uY2UiOiAibTFaVUswVXRDSF9ReVpnWm9wOGM2TkVBa1ZCcURvQkwzSW1Mbmg1OXM1USJ9.NOxB6JsFVPGrUKexuUgZ1gKV9S9Q5SaP4HUhxPj4-aW3GhUrAVW5nwNiZpf0xLCbX0hGfawX0YRqqS4f8j4bmKaBfxMZgplwVA1RSkQrzMSDL5zdhMWkEF1zzCdH1kjCR6GPT_TfkX6_h-RcQV3F4iUUS_gKKtQTdjzQo3Ecw7PS-l4BFsYpdyunrQryfivbyXYImTIYBFlhAnyM0XzGwn9dMj_JH0byFksVeMsZT7ZIBH3_DWJbe3gnncBK5bMcRvXsuEWviCBTiqURqOcC-uVR6KBvr7Ie3CBH14nf3jqdVhq30JFtRLL2nE5iafnQPyhXQ4xaUf6KSQ-SYEFGBA'}
2019-12-04 08:33:07,208 cherrypy.access.140207846977096:INFO 192.168.240.1 - - [04/Dec/2019:08:33:07] "POST /mod_auth_openidc-code/rp-frontchannel-rpinitlogout/token HTTP/1.1" 200 1401 "" "mod_auth_openidc"
2019-12-04 08:33:07,229 oidctest.cp.op:INFO ent:192.168.240.1, vpath: ['static', 'jwks_1J7WDIe2FgvTBc5W.json']
2019-12-04 08:33:07,230 cherrypy.error.140207846977096:INFO [04/Dec/2019:08:33:07] TOOLS.STATICDIR Checking file '/usr/local/src/oidf/oidc_cp_rplib/static/jwks_1J7WDIe2FgvTBc5W.json' to fulfill '/static/jwks_1J7WDIe2FgvTBc5W.json'
2019-12-04 08:33:07,230 cherrypy.access.140207846977096:INFO 192.168.240.1 - - [04/Dec/2019:08:33:07] "GET /static/jwks_1J7WDIe2FgvTBc5W.json HTTP/1.1" 200 1312 "" "mod_auth_openidc"
2019-12-04 08:33:07,249 oidctest.cp.op:INFO ent:192.168.240.1, vpath: ['mod_auth_openidc-code', 'rp-frontchannel-rpinitlogout', 'userinfo']
2019-12-04 08:33:07,250 oic.oic.provider:DEBUG userinfo_endpoint: request={}, kwargs={'authn': 'Bearer Z0FBQUFBQmQ1MjlESGhhb09ianY1RVBqVldITzUybEU4a3BMVFQyZEl0QUgwdm50clhVMzZoQ2tMNkJOdE5TU2U3Z3pXeUpwRkRjQ2RVS3I0TmctbnhRUHQ2dFU5czJvSG43NDIyUnJRcndBVFhBNjg4c0pHTDJTRWJaZFNCbWJtazEtc0Z5QlZXeGxEVHNrNDNyaDFfYnM3azhIVnQzeE9NOEdERHRDZ0NURllMNGZ5VUZSMkMzcWJSZzVucUdlNFJtZUc1UnJ1dkFuYzF4eXhuTW1IdmZaeVp5LTh6UDB3V0RWNTR1dDFvMzB3X1VvRVJjcUpKND0='}
2019-12-04 08:33:07,250 oic.oic.provider:DEBUG Bearer token 332 chars
2019-12-04 08:33:07,250 oic.oic.provider:DEBUG access_token type: 'T'
2019-12-04 08:33:07,250 oic.oic:DEBUG authzreq: {'response_type': 'code', 'scope': 'openid', 'client_id': 'vfvJx3nqeFX1', 'state': 'ESCeywdc_QlHKtUiUSwKC6kDHE0', 'redirect_uri': 'https://localhost.zmartzone.eu/protected/', 'nonce': 'm1ZUK0UtCH_QyZgZop8c6NEAkVBqDoBL3ImLnh59s5Q'}
2019-12-04 08:33:07,251 oic.oic.provider:DEBUG userinfo_claim: {'sub': None}
2019-12-04 08:33:07,251 oic.oic.provider:DEBUG Session info: {'oauth_state': 'token', 'code': '<REDACTED>', 'code_used': True, 'authzreq': '{"response_type": "code", "scope": "openid", "client_id": "vfvJx3nqeFX1", "state": "ESCeywdc_QlHKtUiUSwKC6kDHE0", "redirect_uri": "https://localhost.zmartzone.eu/protected/", "nonce": "m1ZUK0UtCH_QyZgZop8c6NEAkVBqDoBL3ImLnh59s5Q"}', 'client_id': 'vfvJx3nqeFX1', 'response_type': ['code'], 'revoked': False, 'authn_event': '{"uid": "diana", "salt": "", "authn_time": 1575448387, "valid_until": 1575451987, "authn_info": "PASSWORD"}', 'nonce': 'm1ZUK0UtCH_QyZgZop8c6NEAkVBqDoBL3ImLnh59s5Q', 'redirect_uri': 'https://localhost.zmartzone.eu/protected/', 'state': 'ESCeywdc_QlHKtUiUSwKC6kDHE0', 'scope': ['openid'], 'sub': '1b2fc9341a16ae4e30082965d537ae47c21a0f27fd43eab78330ed81751ae6db', 'permission': '', 'access_token': '<REDACTED>', 'access_token_scope': '?', 'token_type': 'Bearer', 'sid': '0bb62ee48f5a20b62ef6c5fb97bf365db1e37ebf3f5cd6f4fe4a6190', 'id_token': 'eyJhbGciOiJSUzI1NiIsImtpZCI6InM4UWpldDA5dzgzc3QwaWtXUFRXMFN6QnJkTHBud0doWlZKZE5wTldrQkUifQ.eyJpc3MiOiAiaHR0cHM6Ly9ycC10ZXN0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWZyb250Y2hhbm5lbC1ycGluaXRsb2dvdXQiLCAic3ViIjogIjFiMmZjOTM0MWExNmFlNGUzMDA4Mjk2NWQ1MzdhZTQ3YzIxYTBmMjdmZDQzZWFiNzgzMzBlZDgxNzUxYWU2ZGIiLCAiYXVkIjogWyJ2ZnZKeDNucWVGWDEiXSwgImV4cCI6IDE1NzU1MzQ3ODcsICJhY3IiOiAiUEFTU1dPUkQiLCAiaWF0IjogMTU3NTQ0ODM4NywgInNpZCI6ICIwYmI2MmVlNDhmNWEyMGI2MmVmNmM1ZmI5N2JmMzY1ZGIxZTM3ZWJmM2Y1Y2Q2ZjRmZTRhNjE5MCIsICJhdXRoX3RpbWUiOiAxNTc1NDQ4Mzg3LCAibm9uY2UiOiAibTFaVUswVXRDSF9ReVpnWm9wOGM2TkVBa1ZCcURvQkwzSW1Mbmg1OXM1USJ9.NOxB6JsFVPGrUKexuUgZ1gKV9S9Q5SaP4HUhxPj4-aW3GhUrAVW5nwNiZpf0xLCbX0hGfawX0YRqqS4f8j4bmKaBfxMZgplwVA1RSkQrzMSDL5zdhMWkEF1zzCdH1kjCR6GPT_TfkX6_h-RcQV3F4iUUS_gKKtQTdjzQo3Ecw7PS-l4BFsYpdyunrQryfivbyXYImTIYBFlhAnyM0XzGwn9dMj_JH0byFksVeMsZT7ZIBH3_DWJbe3gnncBK5bMcRvXsuEWviCBTiqURqOcC-uVR6KBvr7Ie3CBH14nf3jqdVhq30JFtRLL2nE5iafnQPyhXQ4xaUf6KSQ-SYEFGBA'}
2019-12-04 08:33:07,251 oic.oic.provider:DEBUG user_info_response: {'sub': '1b2fc9341a16ae4e30082965d537ae47c21a0f27fd43eab78330ed81751ae6db'}
2019-12-04 08:33:07,251 cherrypy.access.140207846977096:INFO 192.168.240.1 - - [04/Dec/2019:08:33:07] "GET /mod_auth_openidc-code/rp-frontchannel-rpinitlogout/userinfo HTTP/1.1" 200 75 "" "mod_auth_openidc"
2019-12-04 08:33:07,382 oidctest.cp.op:INFO ent:192.168.240.1, vpath: ['mod_auth_openidc-code', 'rp-frontchannel-rpinitlogout', 'end_session']
2019-12-04 08:33:07,382 oidctest.cp.op:DEBUG EndSessionRequest: {'id_token_hint': 'eyJhbGciOiJSUzI1NiIsImtpZCI6InM4UWpldDA5dzgzc3QwaWtXUFRXMFN6QnJkTHBud0doWlZKZE5wTldrQkUifQ.eyJpc3MiOiAiaHR0cHM6Ly9ycC10ZXN0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWZyb250Y2hhbm5lbC1ycGluaXRsb2dvdXQiLCAic3ViIjogIjFiMmZjOTM0MWExNmFlNGUzMDA4Mjk2NWQ1MzdhZTQ3YzIxYTBmMjdmZDQzZWFiNzgzMzBlZDgxNzUxYWU2ZGIiLCAiYXVkIjogWyJ2ZnZKeDNucWVGWDEiXSwgImV4cCI6IDE1NzU1MzQ3ODcsICJhY3IiOiAiUEFTU1dPUkQiLCAiaWF0IjogMTU3NTQ0ODM4NywgInNpZCI6ICIwYmI2MmVlNDhmNWEyMGI2MmVmNmM1ZmI5N2JmMzY1ZGIxZTM3ZWJmM2Y1Y2Q2ZjRmZTRhNjE5MCIsICJhdXRoX3RpbWUiOiAxNTc1NDQ4Mzg3LCAibm9uY2UiOiAibTFaVUswVXRDSF9ReVpnWm9wOGM2TkVBa1ZCcURvQkwzSW1Mbmg1OXM1USJ9.NOxB6JsFVPGrUKexuUgZ1gKV9S9Q5SaP4HUhxPj4-aW3GhUrAVW5nwNiZpf0xLCbX0hGfawX0YRqqS4f8j4bmKaBfxMZgplwVA1RSkQrzMSDL5zdhMWkEF1zzCdH1kjCR6GPT_TfkX6_h-RcQV3F4iUUS_gKKtQTdjzQo3Ecw7PS-l4BFsYpdyunrQryfivbyXYImTIYBFlhAnyM0XzGwn9dMj_JH0byFksVeMsZT7ZIBH3_DWJbe3gnncBK5bMcRvXsuEWviCBTiqURqOcC-uVR6KBvr7Ie3CBH14nf3jqdVhq30JFtRLL2nE5iafnQPyhXQ4xaUf6KSQ-SYEFGBA'}
2019-12-04 08:33:07,382 oidctest.cp.op:DEBUG Request cookie at end_session_endpoint: Set-Cookie: pyoidc_sso="1575448387|hogzZcdNSuNVfoHTDRvC1g==|4rhihb8ji0mtQ6u2G5Wc9w2zgt67XJyusMDF6c/PTSaJOYbZ|Y8loqUKH8APdE8+J9CqDBw=="
Set-Cookie: session_id=4bb90a736f2b51ae7cbe10c86509004a94b3d816
2019-12-04 08:33:07,383 oic.oic.provider:DEBUG End session request: {'id_token_hint': 'eyJhbGciOiJSUzI1NiIsImtpZCI6InM4UWpldDA5dzgzc3QwaWtXUFRXMFN6QnJkTHBud0doWlZKZE5wTldrQkUifQ.eyJpc3MiOiAiaHR0cHM6Ly9ycC10ZXN0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWZyb250Y2hhbm5lbC1ycGluaXRsb2dvdXQiLCAic3ViIjogIjFiMmZjOTM0MWExNmFlNGUzMDA4Mjk2NWQ1MzdhZTQ3YzIxYTBmMjdmZDQzZWFiNzgzMzBlZDgxNzUxYWU2ZGIiLCAiYXVkIjogWyJ2ZnZKeDNucWVGWDEiXSwgImV4cCI6IDE1NzU1MzQ3ODcsICJhY3IiOiAiUEFTU1dPUkQiLCAiaWF0IjogMTU3NTQ0ODM4NywgInNpZCI6ICIwYmI2MmVlNDhmNWEyMGI2MmVmNmM1ZmI5N2JmMzY1ZGIxZTM3ZWJmM2Y1Y2Q2ZjRmZTRhNjE5MCIsICJhdXRoX3RpbWUiOiAxNTc1NDQ4Mzg3LCAibm9uY2UiOiAibTFaVUswVXRDSF9ReVpnWm9wOGM2TkVBa1ZCcURvQkwzSW1Mbmg1OXM1USJ9.NOxB6JsFVPGrUKexuUgZ1gKV9S9Q5SaP4HUhxPj4-aW3GhUrAVW5nwNiZpf0xLCbX0hGfawX0YRqqS4f8j4bmKaBfxMZgplwVA1RSkQrzMSDL5zdhMWkEF1zzCdH1kjCR6GPT_TfkX6_h-RcQV3F4iUUS_gKKtQTdjzQo3Ecw7PS-l4BFsYpdyunrQryfivbyXYImTIYBFlhAnyM0XzGwn9dMj_JH0byFksVeMsZT7ZIBH3_DWJbe3gnncBK5bMcRvXsuEWviCBTiqURqOcC-uVR6KBvr7Ie3CBH14nf3jqdVhq30JFtRLL2nE5iafnQPyhXQ4xaUf6KSQ-SYEFGBA'}
2019-12-04 08:33:07,384 oic.oauth2.message:DEBUG Raw JSON: {'iss': 'https://rp-test:8080/mod_auth_openidc-code/rp-frontchannel-rpinitlogout', 'sub': '1b2fc9341a16ae4e30082965d537ae47c21a0f27fd43eab78330ed81751ae6db', 'aud': ['vfvJx3nqeFX1'], 'exp': 1575534787, 'acr': 'PASSWORD', 'iat': 1575448387, 'sid': '0bb62ee48f5a20b62ef6c5fb97bf365db1e37ebf3f5cd6f4fe4a6190', 'auth_time': 1575448387, 'nonce': 'm1ZUK0UtCH_QyZgZop8c6NEAkVBqDoBL3ImLnh59s5Q'}
2019-12-04 08:33:07,384 oic.oauth2.message:DEBUG JWS header: {'alg': 'RS256', 'kid': 's8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE'}
2019-12-04 08:33:07,384 oic.oauth2.message:DEBUG Found signing key.
2019-12-04 08:33:07,384 jwkest.jws:DEBUG Picking key by key type=RSA
2019-12-04 08:33:07,384 jwkest.jws:DEBUG Picking key based on alg=RS256, kid=s8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE and use=
2019-12-04 08:33:07,384 jwkest.jws:DEBUG Picked: kid:s8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE, use:sig, kty:RSA
2019-12-04 08:33:07,384 jwkest.jws:DEBUG Picked: kid:s8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE, use:sig, kty:RSA
2019-12-04 08:33:07,385 jwkest.jws:DEBUG Verified message using key with kid=s8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE
2019-12-04 08:33:07,385 jwkest.jws:DEBUG Picking key by key type=RSA
2019-12-04 08:33:07,385 jwkest.jws:DEBUG Picking key based on alg=RS256, kid=None and use=sig
2019-12-04 08:33:07,385 jwkest.jws:DEBUG Picked: kid:s8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE, use:sig, kty:RSA
2019-12-04 08:33:07,385 root:DEBUG JWT header: {'alg': 'RS256', 'kid': 's8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE'}
2019-12-04 08:33:07,387 jwkest.jws:DEBUG Signed message using key with kid=s8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE
2019-12-04 08:33:07,387 cherrypy.access.140207846977096:INFO 192.168.240.1 - - [04/Dec/2019:08:33:07] "GET /mod_auth_openidc-code/rp-frontchannel-rpinitlogout/end_session?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6InM4UWpldDA5dzgzc3QwaWtXUFRXMFN6QnJkTHBud0doWlZKZE5wTldrQkUifQ.eyJpc3MiOiAiaHR0cHM6Ly9ycC10ZXN0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWZyb250Y2hhbm5lbC1ycGluaXRsb2dvdXQiLCAic3ViIjogIjFiMmZjOTM0MWExNmFlNGUzMDA4Mjk2NWQ1MzdhZTQ3YzIxYTBmMjdmZDQzZWFiNzgzMzBlZDgxNzUxYWU2ZGIiLCAiYXVkIjogWyJ2ZnZKeDNucWVGWDEiXSwgImV4cCI6IDE1NzU1MzQ3ODcsICJhY3IiOiAiUEFTU1dPUkQiLCAiaWF0IjogMTU3NTQ0ODM4NywgInNpZCI6ICIwYmI2MmVlNDhmNWEyMGI2MmVmNmM1ZmI5N2JmMzY1ZGIxZTM3ZWJmM2Y1Y2Q2ZjRmZTRhNjE5MCIsICJhdXRoX3RpbWUiOiAxNTc1NDQ4Mzg3LCAibm9uY2UiOiAibTFaVUswVXRDSF9ReVpnWm9wOGM2TkVBa1ZCcURvQkwzSW1Mbmg1OXM1USJ9.NOxB6JsFVPGrUKexuUgZ1gKV9S9Q5SaP4HUhxPj4-aW3GhUrAVW5nwNiZpf0xLCbX0hGfawX0YRqqS4f8j4bmKaBfxMZgplwVA1RSkQrzMSDL5zdhMWkEF1zzCdH1kjCR6GPT_TfkX6_h-RcQV3F4iUUS_gKKtQTdjzQo3Ecw7PS-l4BFsYpdyunrQryfivbyXYImTIYBFlhAnyM0XzGwn9dMj_JH0byFksVeMsZT7ZIBH3_DWJbe3gnncBK5bMcRvXsuEWviCBTiqURqOcC-uVR6KBvr7Ie3CBH14nf3jqdVhq30JFtRLL2nE5iafnQPyhXQ4xaUf6KSQ-SYEFGBA HTTP/1.1" 302 2479 "" "curl/7.66.0"
2019-12-04 08:33:07,433 oidctest.cp.op:INFO ent:192.168.240.1, vpath: ['mod_auth_openidc-code', 'rp-frontchannel-rpinitlogout', 'logout']
2019-12-04 08:33:07,434 oidctest.cp.op:DEBUG LogoutRequest: {'sjwt': 'eyJhbGciOiJSUzI1NiIsImtpZCI6InM4UWpldDA5dzgzc3QwaWtXUFRXMFN6QnJkTHBud0doWlZKZE5wTldrQkUifQ.eyJpc3MiOiAiaHR0cHM6Ly9ycC10ZXN0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWZyb250Y2hhbm5lbC1ycGluaXRsb2dvdXQiLCAiaWF0IjogMTU3NTQ0ODM4NywgImV4cCI6IDE1NzU1MzQ3ODcsICJraWQiOiAiczhRamV0MDl3ODNzdDBpa1dQVFcwU3pCcmRMcG53R2haVkpkTnBOV2tCRSIsICJhdWQiOiBbImh0dHBzOi8vcnAtdGVzdDo4MDgwL21vZF9hdXRoX29wZW5pZGMtY29kZS9ycC1mcm9udGNoYW5uZWwtcnBpbml0bG9nb3V0Il0sICJ1aWQiOiAiZGlhbmEiLCAiY2xpZW50X2lkIjogInZmdkp4M25xZUZYMSIsICJyZWRpcmVjdF91cmkiOiAiaHR0cHM6Ly9ycC10ZXN0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWZyb250Y2hhbm5lbC1ycGluaXRsb2dvdXQvcG9zdF9sb2dvdXRfcGFnZSIsICJzaWQiOiAiMGJiNjJlZTQ4ZjVhMjBiNjJlZjZjNWZiOTdiZjM2NWRiMWUzN2ViZjNmNWNkNmY0ZmU0YTYxOTAiLCAianRpIjogIjdkNDA1NDNkOWZmYTRmNjRhNzIyNmNhOTgzZGY5Nzc3In0.AhBqONnyZqkYcLshzF08f4Y526RaYshD3UaRsGSmRmz5jqZLihB3-Xowa97ydGTlEmt5tPhVc6sLm1-mz20D-byMADZEi19mz5Rkot0GnmKym6Tn3dMk0TOQp6EoVKsDENs3ME1gUYbRAdlvtJoeh5KCQMNl1ibFQTQLYrKD_R20OrwOrmuoE68OEwvMo4gXsHPzT3ozXkbpERlqH15TUC5qc7HFkS20g1qEVIkfgkkxIiGsW6qyVKyRxjVKYhtV3yyVxaP8q9EtYlhpNu0ZiQDgCicyIINUeGkPGEtlrXinmPnrcPUbNG2xg8RU3hTXzKve388kS9bTyKlY4tVU5Q'}
2019-12-04 08:33:07,434 jwkest.jws:DEBUG Picking key by key type=RSA
2019-12-04 08:33:07,434 jwkest.jws:DEBUG Picking key based on alg=RS256, kid=s8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE and use=
2019-12-04 08:33:07,434 jwkest.jws:DEBUG Picked: kid:s8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE, use:sig, kty:RSA
2019-12-04 08:33:07,435 jwkest.jws:DEBUG Verified message using key with kid=s8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE
2019-12-04 08:33:07,435 oidctest.cp.op:DEBUG SJWT unpacked: {'iss': 'https://rp-test:8080/mod_auth_openidc-code/rp-frontchannel-rpinitlogout', 'iat': 1575448387, 'exp': 1575534787, 'kid': 's8Qjet09w83st0ikWPTW0SzBrdLpnwGhZVJdNpNWkBE', 'aud': ['https://rp-test:8080/mod_auth_openidc-code/rp-frontchannel-rpinitlogout'], 'uid': 'diana', 'client_id': 'vfvJx3nqeFX1', 'redirect_uri': 'https://rp-test:8080/mod_auth_openidc-code/rp-frontchannel-rpinitlogout/post_logout_page', 'sid': '0bb62ee48f5a20b62ef6c5fb97bf365db1e37ebf3f5cd6f4fe4a6190', 'jti': '7d40543d9ffa4f64a7226ca983df9777'}
2019-12-04 08:33:07,436 oic.oic.provider:INFO Adding logout iframe for vfvJx3nqeFX1
2019-12-04 08:33:07,436 oidctest.cp.op:DEBUG Response cookie: pyoic_session=removed|1575448387|2688ab875295ea756c5f57a399200f771fc71454; HttpOnly; Path=/; Secure
2019-12-04 08:33:07,436 oidctest.cp.op:DEBUG Response cookie: pyoidc_sso="1575448387|JNJ2+hC+1H80zfll4Q0xvg==|p+ZsLjvjIJaqVAbHtAEFUMc=|/7176+u8oOUN7ZO/ahh8mA=="; expires=Wed, 04-Dec-2019 08:32:07 GMT; HttpOnly; Path=/; Secure
2019-12-04 08:33:07,436 cherrypy.access.140207846977096:INFO 192.168.240.1 - - [04/Dec/2019:08:33:07] "GET /mod_auth_openidc-code/rp-frontchannel-rpinitlogout/logout?sjwt=eyJhbGciOiJSUzI1NiIsImtpZCI6InM4UWpldDA5dzgzc3QwaWtXUFRXMFN6QnJkTHBud0doWlZKZE5wTldrQkUifQ.eyJpc3MiOiAiaHR0cHM6Ly9ycC10ZXN0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWZyb250Y2hhbm5lbC1ycGluaXRsb2dvdXQiLCAiaWF0IjogMTU3NTQ0ODM4NywgImV4cCI6IDE1NzU1MzQ3ODcsICJraWQiOiAiczhRamV0MDl3ODNzdDBpa1dQVFcwU3pCcmRMcG53R2haVkpkTnBOV2tCRSIsICJhdWQiOiBbImh0dHBzOi8vcnAtdGVzdDo4MDgwL21vZF9hdXRoX29wZW5pZGMtY29kZS9ycC1mcm9udGNoYW5uZWwtcnBpbml0bG9nb3V0Il0sICJ1aWQiOiAiZGlhbmEiLCAiY2xpZW50X2lkIjogInZmdkp4M25xZUZYMSIsICJyZWRpcmVjdF91cmkiOiAiaHR0cHM6Ly9ycC10ZXN0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWZyb250Y2hhbm5lbC1ycGluaXRsb2dvdXQvcG9zdF9sb2dvdXRfcGFnZSIsICJzaWQiOiAiMGJiNjJlZTQ4ZjVhMjBiNjJlZjZjNWZiOTdiZjM2NWRiMWUzN2ViZjNmNWNkNmY0ZmU0YTYxOTAiLCAianRpIjogIjdkNDA1NDNkOWZmYTRmNjRhNzIyNmNhOTgzZGY5Nzc3In0.AhBqONnyZqkYcLshzF08f4Y526RaYshD3UaRsGSmRmz5jqZLihB3-Xowa97ydGTlEmt5tPhVc6sLm1-mz20D-byMADZEi19mz5Rkot0GnmKym6Tn3dMk0TOQp6EoVKsDENs3ME1gUYbRAdlvtJoeh5KCQMNl1ibFQTQLYrKD_R20OrwOrmuoE68OEwvMo4gXsHPzT3ozXkbpERlqH15TUC5qc7HFkS20g1qEVIkfgkkxIiGsW6qyVKyRxjVKYhtV3yyVxaP8q9EtYlhpNu0ZiQDgCicyIINUeGkPGEtlrXinmPnrcPUbNG2xg8RU3hTXzKve388kS9bTyKlY4tVU5Q HTTP/1.1" 200 936 "" "curl/7.66.0"
2019-12-04 08:33:07,521 oidctest.cp.op:INFO ent:192.168.240.1, vpath: ['mod_auth_openidc-code', 'rp-frontchannel-rpinitlogout', 'post_logout_page']
2019-12-04 08:33:07,522 cherrypy.access.140207846977096:INFO 192.168.240.1 - - [04/Dec/2019:08:33:07] "GET /mod_auth_openidc-code/rp-frontchannel-rpinitlogout/post_logout_page HTTP/1.1" 404 734 "" "curl/7.66.0"

[selfissued]

I agree that supplying the post_logout_uris at registration time is optional. If you don't have it, the only consequence should be that you're never redirected back to.

That said, are there RP tests that it's impossible to run without it (other than simply those that test post logout redirection)? If so, we may want to think about this some more.

[zandbelt]

I don't think there are: the redirect back is really the last thing happening, it should not incur other behaviour; the 404 on the OP's post logout page is still an issue here

[rohe]

Flask is dense some times :-( Not very informative error messages.

Anyway, I think I figured it out. Have applied a fix to oidctest.

[rohe]

There are no RP tests that are impossible to run without setting either post_logout_uris or post_logout_uri.

Lots of negatives there :-/ Anyway, registering post_logout_uris and/or including post_logout_uri in the end session request is not demanded by any test.

[zandbelt]

it seems like one of the last commits fixed this