Original file line number Diff line number Diff line change
Expand Up @@ -645,16 +645,11 @@ public static Response browserLogout(KeycloakSession session,
final AuthenticationSessionManager asm = new AuthenticationSessionManager(session);
AuthenticationSessionModel logoutAuthSession = createOrJoinLogoutSession(session, realm, asm, userSession, true);

Response response = browserLogoutAllClients(userSession, session, realm, headers, uriInfo, logoutAuthSession);
if (response != null) {
return response;
}

String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER);
String initiatingIdp = logoutAuthSession.getAuthNote(AuthenticationManager.LOGOUT_INITIATING_IDP);
if (brokerId != null && !brokerId.equals(initiatingIdp)) {
IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId);
response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm);
Response response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm);
if (response != null) {
return response;
}
Expand Down Expand Up @@ -688,6 +683,11 @@ public static Response finishBrowserLogout(KeycloakSession session, RealmModel r
final AuthenticationSessionManager asm = new AuthenticationSessionManager(session);
AuthenticationSessionModel logoutAuthSession = createOrJoinLogoutSession(session, realm, asm, userSession, true);

Response response = browserLogoutAllClients(userSession, session, realm, headers, uriInfo, logoutAuthSession);
if (response != null) {
return response;
}

checkUserSessionOnlyHasLoggedOutClients(realm, userSession, logoutAuthSession);

// For resolving artifact we don't need any cookie, all details are stored in session storage so we can remove
Expand All @@ -703,7 +703,7 @@ public static Response finishBrowserLogout(KeycloakSession session, RealmModel r
.setEventBuilder(event);


Response response = protocol.finishBrowserLogout(userSession, logoutAuthSession);
response = protocol.finishBrowserLogout(userSession, logoutAuthSession);

// It may be possible that there are some client sessions that are still in LOGGING_OUT state
long numberOfUnconfirmedSessions = userSession.getAuthenticatedClientSessions().values().stream()
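Review bot: Moving the browserLogoutAllClients call out of browserLogout (first hunk) and into finishBrowserLogout (second hunk) means the browser is now sent to the external IdP for keycloakInitiatedBrowserLogout while the user's local client sessions have not yet been logged out; if that IdP round-trip never returns, those clients stay active until finishBrowserLogout runs or the session expires, which is presumably acceptable only because the user session is already marked as logging out before this point — that code is outside the hunk, so it is worth confirming. finishBrowserLogout can also be entered again after the response that browserLogoutAllClients now returns from it, so the call must be safe to repeat for a logoutAuthSession whose clients have already reported back; a comment above the call explaining why it has to precede checkUserSessionOnlyHasLoggedOutClients and that the method is expected to be re-entered would make that contract visible. In the third hunk `response` is now reused for an unrelated result; a separate local, `Response logoutResponse = protocol.finishBrowserLogout(userSession, logoutAuthSession);`, would read more clearly. Both enclosing methods start and end outside the hunks.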
Original file line number Diff line number Diff line change
Expand Up @@ -332,7 +332,7 @@ protected void executeLogoutFromRealm(String contextRoot, String realm, String i
.clientId(clientId)
.initiatingIdp(initiatingIdp);

if (clientId != null || idTokenHint != null) {
if (redirectUri != null && (clientId != null || idTokenHint != null)) {
builder.postLogoutRedirectUri(encodeUrl(redirectUri));
}

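Review bot: The added `redirectUri != null` guard silently omits post_logout_redirect_uri when a caller passes clientId or idTokenHint with a null redirect URI, where the old condition passed null straight into encodeUrl; since the new test in KcOidcBrokerLogoutTest relies on exactly that combination (clientId "broker-app", null redirectUri) to reach the logout confirmation page, the intent deserves a comment such as `// No redirectUri: leave post_logout_redirect_uri unset so the server falls back to the logout confirmation page`. executeLogoutFromRealm starts before the hunk.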
Original file line number Diff line number Diff line change
@@ -1,23 +1,33 @@
package org.keycloak.testsuite.broker;

import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.OAuth2Constants;
import org.keycloak.TokenVerifier;
import org.keycloak.admin.client.resource.IdentityProviderResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.common.VerificationException;
import org.keycloak.protocol.oidc.OIDCConfigAttributes;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.util.CookieHelper;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
import org.keycloak.testsuite.util.AccountHelper;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.WaitUtils;

import static org.junit.Assert.assertEquals;
import static org.keycloak.testsuite.broker.BrokerTestConstants.REALM_CONS_NAME;
import static org.keycloak.testsuite.broker.BrokerTestConstants.REALM_PROV_NAME;
import static org.keycloak.testsuite.broker.BrokerTestTools.getConsumerRoot;
import static org.keycloak.testsuite.broker.BrokerTestTools.waitForPage;

import java.util.HashMap;
import java.util.Map;

public class KcOidcBrokerLogoutTest extends AbstractKcOidcBrokerLogoutTest {

@Rule
Expand Down Expand Up @@ -140,4 +150,47 @@ public void logoutAfterIdpTokenExpired() throws VerificationException {

waitForPage(driver, "sign in to provider", true);
}

@Test
public void testFrontChannelLogoutRequestsSendingOnlyClientIdWithFrontChannelLogoutApp() throws Exception {
RealmResource realm = adminClient.realm(bc.consumerRealmName());
IdentityProviderResource identityProviderResource = realm.identityProviders().get(bc.getIDPAlias());
IdentityProviderRepresentation representation = identityProviderResource.toRepresentation();
Map<String, String> config = representation.getConfig();
Map<String, String> originalConfig = new HashMap<>(config);

try (ClientAttributeUpdater clientUpdater = ClientAttributeUpdater.forClient(adminClient, bc.consumerRealmName(), "broker-app")
.setFrontchannelLogout(true)
.setAttribute(OIDCConfigAttributes.FRONT_CHANNEL_LOGOUT_URI, getConsumerRoot() + "/auth/realms/" + bc.consumerRealmName() + "/app/logout")
.update()){
config.put("backchannelSupported", Boolean.FALSE.toString());
identityProviderResource.update(representation);
logInAsUserInIDPForFirstTime();
appPage.assertCurrent();
executeLogoutFromRealm(
getConsumerRoot(),
bc.consumerRealmName(),
"something-else",
null,
"broker-app",
null
);
logoutConfirmPage.isCurrent();
// confirm logout at consumer
logoutConfirmPage.confirmLogout();

WaitUtils.waitForPageToLoad();
logoutConfirmPage.isCurrent();
Assert.assertTrue(driver.getPageSource().contains("You are logging out from following apps"));
Assert.assertTrue(driver.getPageSource().contains("broker-app"));

oauth.clientId("account");
oauth.redirectUri(getConsumerRoot() + "/auth/realms/" + REALM_PROV_NAME + "/account");
loginPage.open(REALM_PROV_NAME);
waitForPage(driver, "sign in to provider", true);
} finally {
representation.setConfig(originalConfig);
identityProviderResource.update(representation);
}
}
}
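Review bot: `logoutConfirmPage.isCurrent()` at both call sites in testFrontChannelLogoutRequestsSendingOnlyClientIdWithFrontChannelLogoutApp discards its boolean, so neither line asserts anything; use the asserting form the test already uses for appPage, `logoutConfirmPage.assertCurrent();`, or `Assert.assertTrue(logoutConfirmPage.isCurrent());`. As written, only the two page-source `contains` checks guarantee that the confirmation page was reached. The test mutates the live `config` map obtained from the representation and restores it in finally, which is correct but non-obvious; a one-line comment such as `// config is the representation's own map; it is restored from originalConfig in finally` would spare a reader the check.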