simevo / spid-wordpress

SPID (Sistema Pubblico di Identità Digitale) WordPress plugin
GNU Affero General Public License v3.0

SPID logout round trip, fixes #12 #62

Closed simevo closed 6 years ago

simevo commented 6 years ago

test as follows:

  1. install & enable the plugin on a fresh install

  2. login with WP user, perform manual logout; expected: normal WP logout process ends at http://localhost:8099/wp-login.php?loggedout=true

  3. login again with WP user, visit http://localhost:8099/wp-login.php?sso=spid&slo ; expected: same as 1

  4. login with SPID user, perform manual logout; expected: SPID logout over http://localhost:8088/slo?SAMLRequest=...&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=... and ends at http://localhost:8099/wp-login.php?loggedout=true

  5. login again with SPID user ... on hold waiting for #13 to be fixed

  6. login again with WP user, visit http://localhost:8099/wp-login.php?sso=spid&slo ; expected: same as 1

ATM something fails at 5, it goes over http://localhost:8088/slo?SAMLRequest=... !

giuliogatto commented 6 years ago

I am reviewing this, if I do the following:

Then the button, after choosing the IDP, is not going back to the IDP login form, but redirecting me to the WP login form. This possibly means that no real logout() from the IDP is performed when logging out from WP. This might actually be the desired behaviour in some cases if the SP wants to keep the Global session alive and delete only the Individual session. But I am not sure this is what we are aiming for here.

The same thing happens when I hit the manual SPID logout url (http://localhost:8099/wp-login.php?sso=spid&slo): whenever I try to login again with the SPID button I get redirected to the wp-login page and not the IDP

giuliogatto commented 6 years ago

It appears that the hook action wp_logout is not executed when using this URL: http://localhost:8099/wp-login.php?loggedout=true, but only with this URL: http://localhost:8099/wp-login.php?action=logout

giuliogatto commented 6 years ago

spid logout framework

I propose this logic for the logout process; I have committed a possible solution in this branch: https://github.com/simevo/spid-wordpress/pull/62/commits/e97842c095f348265e28871848340341fdb2ca8b

giuliogatto commented 6 years ago

spid logout framework

simevo commented 6 years ago

we believe this is now ready for merge

to test, use this test script (on a clean WP with spid-wordpress plugin just activated):

  1. login with WP user, perform manual logout; the normal WP logout process should end at http://localhost:8099/wp-login.php?loggedout=true and display the "You are now logged out." message
  2. login again with WP user, visit http://localhost:8099/wp-login.php?sso=spid&slo ; same as 1
  3. login again with WP user, visit http://localhost:8099/wp-login.php?action=logout then confirm; same as 1
  4. first login with SPID user, perform manual logout; SPID logout over http://localhost:8088/slo?SAMLRequest=...&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=... then same as 1
  5. login again with the same SPID user, perform manual logout: same as 4
  6. login again with the same SPID user, visit http://localhost:8099/wp-login.php?sso=spid&slo ; same as 4
  7. login again with the same SPID user, visit http://localhost:8099/wp-login.php?action=logout then confirm; same as 4
  8. login again with WP user, perform manual logout: same as 1 (this could become an integration test)
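The test script above is manual, and its last step notes it could become an integration test. As an added example, not code from the spid-wordpress plugin, the checker below takes a captured logout redirect chain (the list of URLs a browser is bounced through) and enforces the two expectations the steps describe: a SPID user passes exactly once through the IdP SLO endpoint with a signed, rsa-sha256 SAMLRequest that decodes (HTTP-Redirect binding: base64 over raw DEFLATE) to a samlp:LogoutRequest, while a plain WP user never touches the SLO endpoint and both end at wp-login.php?loggedout=true. Hostnames are the ones in the test script; the LogoutRequest, the redirect chains and the Signature value are constructed sample data.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def decode_redirect_saml(param):
    # HTTP-Redirect binding: parse_qs already URL-decoded, so base64-decode then raw DEFLATE (-15)
    return ET.fromstring(zlib.decompress(base64.b64decode(param), -15))


def check_logout_chain(chain, expect_slo, slo="localhost:8088", wp="localhost:8099"):
    """Validate the URLs visited during a logout round trip. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    last = urlsplit(chain[-1])
    if (last.netloc, last.path) != (wp, "/wp-login.php") or parse_qs(last.query).get("loggedout") != ["true"]:
        return False, "did not end at wp-login.php?loggedout=true"
    slo_hops = [h for h in map(urlsplit, chain) if (h.netloc, h.path) == (slo, "/slo")]
    if not expect_slo:
        # a WP-only user must never be bounced through the IdP (the failure seen at step 5 of the first script)
        return (False, "WP user was sent through the IdP SLO endpoint") if slo_hops else (True, "ok")
    if len(slo_hops) != 1:
        return False, "expected exactly one SLO hop, saw %d" % len(slo_hops)
    q = parse_qs(slo_hops[0].query)
    missing = [k for k in ("SAMLRequest", "SigAlg", "Signature") if k not in q]
    if missing:
        return False, "SLO hop missing " + ", ".join(missing)
    if q["SigAlg"] != [RSA_SHA256]:
        return False, "unexpected SigAlg " + q["SigAlg"][0]
    root = decode_redirect_saml(q["SAMLRequest"][0])
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return False, "SAMLRequest is not a samlp:LogoutRequest"
    return True, "ok"


def sample_slo_url():
    # Constructed: a minimal LogoutRequest encoded as the redirect binding carries it.
    # The Signature value is a placeholder; a full test would verify it against the SP certificate.
    xml = '<samlp:LogoutRequest xmlns:samlp="%s" ID="_1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z"/>' % SAMLP
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    enc = base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
    return "http://localhost:8088/slo?" + urlencode({"SAMLRequest": enc, "SigAlg": RSA_SHA256, "Signature": "PLACEHOLDER"})


# Constructed chains matching steps 1 and 4 of the test script
WP_CHAIN = ["http://localhost:8099/wp-login.php?action=logout", "http://localhost:8099/wp-login.php?loggedout=true"]
SPID_CHAIN = [WP_CHAIN[0], sample_slo_url(), WP_CHAIN[1]]
```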