Uploaded image for project: 'OpenId Connect'
  1. OpenId Connect
  2. OIDC-235

Logout not redirecting to the provider

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 2.18.0
    • 2.17.4
    • Authenticator
    • None
    • OS: Linux
      XWiki version: 14.10.2
      Provider: Entra ID
      Browser: MS Edge
    • Unknown

    Description

      When attempting to logout, the user is disconnected from the XWiki instance, but is not redirected to the provider logout page. When a user attempts to login again to the same provider, he is signed in without being asked for credentials.

      When looking at the logs, I've noticed that there is the following error:

      ERROR o.x.c.o.a.i.OIDCUserManager    - Failed to perform OIDC RP-initiated log-out. 
java.lang.IllegalStateException: Invalid for read: id=node016bscthnwkm1pnlmgkyvtlhpr5 created=1748848569966 accessed=1748848583788 lastaccessed=1748848582345 maxInactiveMs=1800000 expiry=1748850383788
    at org.eclipse.jetty.server.session.Session.checkValidForRead(Session.java:638)
    at org.eclipse.jetty.server.session.Session.getAttribute(Session.java:652)
    at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.getOIDCSession(OIDCClientConfiguration.java:436)
    at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.setSessionAttribute(OIDCClientConfiguration.java:479)
    at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.getOIDCProviderName(OIDCClientConfiguration.java:1421)
    at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.getWikiClientConfiguration(OIDCClientConfiguration.java:1432)
    at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.getProperty(OIDCClientConfiguration.java:580)
    at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.getLogoutRedirectURL(OIDCClientConfiguration.java:1202)
    at org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.logoutProvider(OIDCUserManager.java:924)
    at org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.logout(OIDCUserManager.java:911)
    at org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl.checkAuthOIDC(OIDCAuthServiceImpl.java:123)
    at org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl.checkAuth(OIDCAuthServiceImpl.java:92)

      The cause seems to be that the session logout is done before attempting the provider logout which invalidates the session: https://github.com/xwiki-contrib/oidc/blob/master/oidc-authenticator/src/main/java/org/xwiki/contrib/oidc/auth/internal/OIDCUserManager.java#L906-L911

      Attachments

        Activity

          People

            Sorin Sorin Chiuchiu
            Sorin Sorin Chiuchiu
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: