openid-certification / oidctest

THE CERTIFICATION TEST SUITE HAS BEEN MIGRATED TO A NEW SERVICE https://www.certificatinon.openid.net

rp-backchannel-rpinitlogout: unknown sid provided in backchannel logout request #204

Status: Closed (closed by zandbelt 4 years ago)

zandbelt commented 4 years ago

When executing rp-backchannel-rpinitlogout it appears that there's no sid in the id_token but there's a sid in the logout_token. I believe that if the sid is present in the logout token, it should have also been present in the id_token, otherwise it should be omitted from both and the code should just rely on sub.

id_token:

```json
{
  "iss": "https://rp-test:8080/mod_auth_openidc-code/rp-backchannel-rpinitlogout",
  "sub": "1b2fc9341a16ae4e30082965d537ae47c21a0f27fd43eab78330ed81751ae6db",
  "aud": [
    "OHcWjr2rF2hN"
  ],
  "exp": 1574934298,
  "acr": "PASSWORD",
  "iat": 1574847898,
  "auth_time": 1574847898,
  "nonce": "DNniun7UHTNMnBnoXJzK86g_OEY01kFCT0KStJLT9as"
}
```

logout_token:

```json
{
  "iss": "https://rp-test:8080/mod_auth_openidc-code/rp-backchannel-rpinitlogout",
  "iat": 1574847898,
  "exp": 1574934298,
  "kid": "z8BkNGwIO6KSR11MJ0Ug_XObM1eiRyB_4QXvTg8fSB4",
  "aud": [
    "OHcWjr2rF2hN"
  ],
  "sub": "1b2fc9341a16ae4e30082965d537ae47c21a0f27fd43eab78330ed81751ae6db",
  "sid": "d344f9e419624435f98cce990456feb43b33d3997ad1760c16425722",
  "events": {
    "http://schemas.openid.net/event/backchannel-logout": {}
  },
  "jti": "384dd91439dd43f4b3df319cbe9b4004"
}
```

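To make the mismatch concrete from the RP's side, here is an added Python example (not code from oidctest, pyOIDC or mod_auth_openidc) that runs the claim-level checks OpenID Connect Back-Channel Logout 1.0 requires on a logout token and then selects which RP sessions to terminate. Signature verification is assumed to have been done already by a JWT library. The session store, the `Session` class, the `NOW` clock value and the "fall back to sub when the sid matches nothing" rule are assumptions of this example; the two claim sets are the id_token and logout_token pasted above, so with the page's data the sid lookup finds nothing (the id_token carried no sid) and only the sub fallback terminates the session.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Values taken from the tokens quoted in this issue.
ISSUER = "https://rp-test:8080/mod_auth_openidc-code/rp-backchannel-rpinitlogout"
CLIENT_ID = "OHcWjr2rF2hN"
SUB = "1b2fc9341a16ae4e30082965d537ae47c21a0f27fd43eab78330ed81751ae6db"
NOW = 1574848000  # assumed clock value, a little after iat and well before exp

LOGOUT_TOKEN = {
    "iss": ISSUER, "iat": 1574847898, "exp": 1574934298,
    "aud": [CLIENT_ID], "sub": SUB,
    "sid": "d344f9e419624435f98cce990456feb43b33d3997ad1760c16425722",
    "events": {BACKCHANNEL_EVENT: {}},
    "jti": "384dd91439dd43f4b3df319cbe9b4004",
}


@dataclass
class Session:
    """RP-local session record; sid is whatever the id_token carried (None if it had no sid)."""
    session_id: str
    sub: str
    sid: Optional[str]


# Constructed session store: the first entry is the session minted from the page's id_token
# (no sid), the second is an unrelated user that must never be logged out by this token.
SESSIONS = [
    Session("sess-1", SUB, None),
    Session("sess-2", "someone-else", "another-sid"),
]


def logout_token_error(claims: dict, issuer: str, client_id: str, now: int,
                       seen_jti: Set[str]) -> Optional[str]:
    """Return None if the logout token claims pass the spec's checks, else a reason string.
    A passing token's jti is recorded in seen_jti so a replayed token is rejected."""
    if claims.get("iss") != issuer:
        return "iss mismatch"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return "aud does not contain client_id"
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + 60:
        return "iat missing or in the future"
    exp = claims.get("exp")
    if isinstance(exp, int) and exp < now:
        return "token expired"
    if "sub" not in claims and "sid" not in claims:
        return "neither sub nor sid present"
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        return "events claim lacks the backchannel-logout member"
    if "nonce" in claims:
        return "nonce present, so this is not a logout token"
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in seen_jti:
        return "jti missing or already seen (replay)"
    seen_jti.add(jti)
    return None


def sessions_to_terminate(sessions: List[Session], claims: dict) -> Tuple[List[Session], str]:
    """Select sessions for a validated logout token and report how they were matched.
    Matching on sid is preferred; when the OP sent a sid the RP has never stored
    (this issue's situation) we fall back, as an assumed policy, to sessions of the same
    sub that were created without a sid, so sessions bound to a different sid are untouched."""
    sid, sub = claims.get("sid"), claims.get("sub")
    if sid is not None:
        by_sid = [s for s in sessions if s.sid == sid]
        if by_sid:
            return by_sid, "sid"
        if sub is None:
            return [], "sid-unmatched"
        return [s for s in sessions if s.sub == sub and s.sid is None], "sub-fallback"
    return [s for s in sessions if s.sub == sub], "sub"


def handle_backchannel_logout(claims: dict, seen_jti: Set[str]) -> Tuple[Optional[str], List[str], str]:
    """Validate, then pick sessions; returns (error, terminated session ids, match kind)."""
    err = logout_token_error(claims, ISSUER, CLIENT_ID, NOW, seen_jti)
    if err is not None:
        return err, [], "rejected"
    hit, how = sessions_to_terminate(SESSIONS, claims)
    return None, [s.session_id for s in hit], how


if __name__ == "__main__":
    seen: Set[str] = set()
    print(handle_backchannel_logout(LOGOUT_TOKEN, seen))   # (None, ['sess-1'], 'sub-fallback')
    print(handle_backchannel_logout(LOGOUT_TOKEN, seen))   # replay of the same jti is rejected
```

The "sub-fallback" outcome is exactly the symptom described in this issue: the RP cannot honour the sid because no id_token ever carried it. Whether an RP should fall back to sub or reject the request is a policy decision; the example makes the fallback narrow (same sub, sessions without a sid) so that a stray sid cannot terminate sessions belonging to other logins of the same user.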
rohe commented 4 years ago

I'll look at this when I'm back from town and have dealt with #203.

rohe commented 4 years ago

Do you set backchannel_logout_session_required=True while doing dynamic client registration?

rohe commented 4 years ago

OK, it seems it's something we should fix in pyOIDC but I can deal with it in oidctest for the time being. One way is just having the OP say backchannel_logout_session_supported=False :-/ But granted we want to allow backchannel_logout_session_supported=True then I can probably deal with this in the oidctest code.

rohe commented 4 years ago

Pushed an oidctest version that should fix this issue as well as #203. Bumped the version a notch to keep it apart from the earlier version.

As I stated earlier to fix the general issue properly we will need to modify pyOIDC. I have applied a hack to oidctest that will fix your particular problem.

zandbelt commented 4 years ago

https://github.com/openid-certification/oidctest/commit/1fd72b3bcd5ca39bfb0f037a614a6e7c93453738 seems to fix it