Details
- Bug
- Resolution: Fixed
- Critical
- 2.17.4
- None
- OS: Linux; XWiki version: 14.10.2; Provider: Entra ID; Browser: MS Edge
- Unknown
Description
When attempting to log out, the user is disconnected from the XWiki instance but is not redirected to the provider logout page. When the user then attempts to log in again with the same provider, they are signed in without being asked for credentials.
When looking at the logs, I've noticed that there is the following error:
ERROR o.x.c.o.a.i.OIDCUserManager - Failed to perform OIDC RP-initiated log-out.
java.lang.IllegalStateException: Invalid for read: id=node016bscthnwkm1pnlmgkyvtlhpr5 created=1748848569966 accessed=1748848583788 lastaccessed=1748848582345 maxInactiveMs=1800000 expiry=1748850383788
    at org.eclipse.jetty.server.session.Session.checkValidForRead(Session.java:638)
    at org.eclipse.jetty.server.session.Session.getAttribute(Session.java:652)
    at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.getOIDCSession(OIDCClientConfiguration.java:436)
    at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.setSessionAttribute(OIDCClientConfiguration.java:479)
    at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.getOIDCProviderName(OIDCClientConfiguration.java:1421)
    at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.getWikiClientConfiguration(OIDCClientConfiguration.java:1432)
    at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.getProperty(OIDCClientConfiguration.java:580)
    at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.getLogoutRedirectURL(OIDCClientConfiguration.java:1202)
    at org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.logoutProvider(OIDCUserManager.java:924)
    at org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.logout(OIDCUserManager.java:911)
    at org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl.checkAuthOIDC(OIDCAuthServiceImpl.java:123)
    at org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl.checkAuth(OIDCAuthServiceImpl.java:92)
The cause seems to be that the local session logout, which invalidates the HTTP session, is done before the provider logout is attempted; the provider logout then tries to read the configuration it needs from the already-invalidated session and fails: https://github.com/xwiki-contrib/oidc/blob/master/oidc-authenticator/src/main/java/org/xwiki/contrib/oidc/auth/internal/OIDCUserManager.java#L906-L911
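To make the ordering problem concrete, here is an added Java illustration; it is not the oidc authenticator's code and not Jetty's. It uses a small stand-in session class that, like Jetty's session, rejects attribute reads once invalidated, a hypothetical helper that builds the RP-initiated logout URL from session attributes, and the two call orders side by side. The attribute names, the helper name and the provider endpoint URL are assumptions made for the demo. The practical consequence of the buggy order is the one described above: the XWiki session ends, the provider session survives, and the next login from the same browser is silent.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed stand-in for a servlet session (not Jetty's class): once
// invalidated it throws on reads, which is the behaviour seen in the trace.
class DemoSession {
    private final Map<String, Object> attributes = new HashMap<>();
    private boolean valid = true;

    Object getAttribute(String name) {
        if (!valid) {
            throw new IllegalStateException("Invalid for read: session already invalidated");
        }
        return attributes.get(name);
    }

    void setAttribute(String name, Object value) {
        if (!valid) {
            throw new IllegalStateException("Invalid for write: session already invalidated");
        }
        attributes.put(name, value);
    }

    void invalidate() {
        valid = false;
        attributes.clear();
    }
}

public class LogoutOrderDemo {
    // Hypothetical helper: derives the provider's end-session redirect from
    // values that were stored in the session at login time (attribute names assumed).
    static String buildProviderLogoutUrl(DemoSession session) {
        String endSessionEndpoint = (String) session.getAttribute("oidc.end_session_endpoint");
        String idToken = (String) session.getAttribute("oidc.id_token");
        return endSessionEndpoint + "?id_token_hint=" + idToken;
    }

    // Buggy order: the local session is destroyed first, so building the
    // provider logout URL reads from a dead session and throws. No redirect
    // happens and the provider session stays alive.
    static String logoutBuggy(DemoSession session) {
        session.invalidate();
        return buildProviderLogoutUrl(session); // throws IllegalStateException
    }

    // Fixed order: compute the redirect while the session is still readable,
    // invalidate locally, then hand the URL back for the redirect.
    static String logoutFixed(DemoSession session) {
        String redirect = buildProviderLogoutUrl(session);
        session.invalidate();
        return redirect;
    }

    // Constructed sample session; the endpoint and token are placeholders.
    static DemoSession newSession() {
        DemoSession s = new DemoSession();
        s.setAttribute("oidc.end_session_endpoint", "https://idp.example/oauth2/v2.0/logout");
        s.setAttribute("oidc.id_token", "ID_TOKEN_PLACEHOLDER");
        return s;
    }

    public static void main(String[] args) {
        try {
            logoutBuggy(newSession());
            System.out.println("buggy order: unexpectedly succeeded");
        } catch (IllegalStateException e) {
            System.out.println("buggy order: " + e.getMessage());
        }
        System.out.println("fixed order: redirect to " + logoutFixed(newSession()));
    }
}
```

The check worth keeping after a fix of this kind is an integration test that asserts the logout response is a redirect to the provider's end-session endpoint, since a local-only logout is otherwise indistinguishable from a successful one in the browser.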