Posted to issues@cxf.apache.org by "gonzalad (JIRA)" <ji...@apache.org> on 2017/10/09 19:39:00 UTC
[jira] [Commented] (FEDIZ-212) Multiple OIDC logout return to login page
[ https://issues.apache.org/jira/browse/FEDIZ-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16197587#comment-16197587 ]
gonzalad commented on FEDIZ-212:
--------------------------------
2 problems:
- in the OIDC spring security filterchain, we have: <sec:intercept-url pattern="/idp/**" access="isAuthenticated()"/>
  hence, accessing logout requires the user to be authenticated. This is not the case when we execute logout a second time in a row.
- when we fix the first issue, LogoutService calls subjectCreator.createUserSubject(mc, params) (with principal == null) and throws an OAuthServiceException("Unsupported Principal")
> Multiple OIDC logout return to login page
> -----------------------------------------
>
> Key: FEDIZ-212
> URL: https://issues.apache.org/jira/browse/FEDIZ-212
> Project: CXF-Fediz
> Issue Type: Bug
> Affects Versions: 1.4.2
> Reporter: gonzalad
>
> I'm using Fediz SSO global logout.
> Scenario:
> * start a clean incognito session
> * user logs in to OIDC Client 1
> * user logs in to OIDC Client 2 (in another tab, same browser window)
> * user logs out OIDC Client 1
> * now the user switches tab to OIDC Client 2
> * user logs out from OIDC Client 2
> On the last logout, the user is automatically rerouted to IDP login UI.
> Looking at the network view of the Chrome dev toolbar, we see that when the user is redirected back from the IDP to the OIDC (/oidc/login), the OIDC redirects back to logout: /oidc/idp/logout.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
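The first of the two problems in the comment, as an added Spring Security configuration example that is not the Fediz project's own file; the /idp/logout path and the sec namespace prefix are assumed from the intercept-url quoted above.

```xml
<!-- Constructed illustration. Weak form: every /idp/** URL, the logout
     endpoint included, requires an authenticated session, so a browser
     that has already logged out is sent to the login page instead. -->
<sec:http use-expressions="true">
    <sec:intercept-url pattern="/idp/**" access="isAuthenticated()"/>
</sec:http>

<!-- Corrected form: the logout path is listed before the catch-all,
     because Spring Security applies the first intercept-url whose pattern
     matches, so a second logout in a row is served rather than redirected. -->
<sec:http use-expressions="true">
    <sec:intercept-url pattern="/idp/logout" access="permitAll"/>
    <sec:intercept-url pattern="/idp/**" access="isAuthenticated()"/>
</sec:http>
```

With the catch-all rule listed first, the more specific /idp/logout rule would never be reached, which is the usual cause of a logout endpoint that still demands authentication.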