[ELY-2534] OIDC logout support

Author: rsearls

http/oidc/src/main/java/org/wildfly/security/http/oidc/AuthenticatedActionsHandler.java

@@ -1,6 +1,6 @@
 /*
  * JBoss, Home of Professional Open Source.
- * Copyright 2024 Red Hat, Inc., and individual contributors
+ * Copyright 2021 Red Hat, Inc., and individual contributors
  * as indicated by the @author tags.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");

http/oidc/src/main/java/org/wildfly/security/http/oidc/ElytronMessages.java

@@ -211,8 +211,8 @@ interface ElytronMessages extends BasicLogger {
     @Message(id = 23049, value = "Invalid 'auth-server-url' or 'provider-url': '%s'")
     void invalidAuthServerUrlOrProviderUrl(String url);
 
-    @Message(id = 23050, value = "Invalid bearer token claims")
-    OidcException invalidBearerTokenClaims();
+    @Message(id = 23050, value = "Invalid token claims")
+    OidcException invalidTokenClaims();
 
     @Message(id = 23051, value = "Invalid bearer token")
     OidcException invalidBearerToken(@Cause Throwable cause);
@@ -288,11 +288,16 @@ interface ElytronMessages extends BasicLogger {
     @Message(id = 23073, value = "Nonce cookie does not exist")
     String nonceCookieDoesNotExist();
 
-    @Message(id = 23071, value = "%s is not a valid value for %s")
-    RuntimeException invalidLogoutPath(String pathValue, String pathName);
+    @Message(id = 23074, value = "Invalid logout path: %s is not a valid value for %s")
+    IllegalArgumentException invalidLogoutPath(String pathValue, String pathName);
 
-    @Message(id = 23072, value = "The end substring of %s: %s can not be identical to %s: %s")
-    RuntimeException invalidLogoutCallbackPath(String callbackPathTitle, String callbacPathkValue,
-                                               String logoutPathTitle, String logoutPathValue);
+    @Message(id = 23075, value = "Invalid %s: %s the logout callback path value must be an absolute URI")
+    IllegalArgumentException invalidLogoutCallbackPath(String callbackPathTitle, String callbackPathValue);
+
+    @Message(id = 23076, value = "Unable to create end session endpoint request: %s . [%s]")
+    RuntimeException unableToCreateEndSessionEndpointRequest(String url, String msg);
+
+    @Message(id = 23077, value = "Back-channel logout request received but can not infer sid from logout token to mark it for invalidation")
+    String sidCanNotBeInferFromLogoutToken();
 }
 

http/oidc/src/main/java/org/wildfly/security/http/oidc/IDToken.java

@@ -53,11 +53,7 @@ public class IDToken extends JsonWebToken {
     public static final String CLAIMS_LOCALES = "claims_locales";
     public static final String ACR = "acr";
     public static final String S_HASH = "s_hash";
-<<<<<<< HEAD
     public static final String NONCE = "nonce";
-=======
-    public static final String SID = "sid";
->>>>>>> 4698b602c6 (OpenID Connect Logout support)
 
     /**
      * Construct a new instance.

http/oidc/src/main/java/org/wildfly/security/http/oidc/LogoutHandler.java

@@ -21,7 +21,9 @@
 import static java.util.Collections.synchronizedMap;
 import static org.wildfly.security.http.oidc.ElytronMessages.log;
 
+import java.net.MalformedURLException;
 import java.net.URISyntaxException;
+import java.net.URL;
 import java.util.LinkedHashMap;
 import java.util.Map;
 
@@ -38,32 +40,32 @@
  */
 final class LogoutHandler {
 
-    public static final String POST_LOGOUT_REDIRECT_URI_PARAM = "post_logout_redirect_uri";
-    public static final String ID_TOKEN_HINT_PARAM = "id_token_hint";
+    private static final String POST_LOGOUT_REDIRECT_URI_PARAM = "post_logout_redirect_uri";
+    private static final String ID_TOKEN_HINT_PARAM = "id_token_hint";
     private static final String LOGOUT_TOKEN_PARAM = "logout_token";
-    private static final String LOGOUT_TOKEN_TYPE = "Logout";
+    private static final String LOGOUT_JWT_TOKEN_TYPE = "logout+jwt";
+    private static final String KEYCLOCK_LOGOUT_TOKEN_TYPE = "Logout";
     private static final String CLIENT_ID_SID_SEPARATOR = "-";
-    public static final String SID = "sid";
-    public static final String ISS = "iss";
+    private static final String SID = "sid";
+    private static final String ISS = "iss";
 
     /**
      * A bounded map to store sessions marked for invalidation after receiving logout requests through the back-channel
      */
     private Map<String, OidcClientConfiguration> sessionsMarkedForInvalidation = synchronizedMap(new LinkedHashMap<String, OidcClientConfiguration>(16, 0.75f, true) {
         @Override
         protected boolean removeEldestEntry(Map.Entry<String, OidcClientConfiguration> eldest) {
-            boolean remove = sessionsMarkedForInvalidation.size() > eldest.getValue().getLogoutSessionWaitingLimit();
+            boolean remove = sessionsMarkedForInvalidation.size() > eldest.getValue().getBackChannelLogoutSessionInvalidationLimit();
 
             if (remove) {
-                log.debugf("Limit [%s] reached for sessions waiting [%s] for logout", eldest.getValue().getLogoutSessionWaitingLimit(), sessionsMarkedForInvalidation.size());
+                log.debugf("Limit [%s] reached for sessions waiting [%s] for logout", eldest.getValue().getBackChannelLogoutSessionInvalidationLimit(), sessionsMarkedForInvalidation.size());
             }
 
             return remove;
         }
     });
 
     boolean tryLogout(OidcHttpFacade facade) {
-        log.trace("tryLogout entered");
         RefreshableOidcSecurityContext securityContext = getSecurityContext(facade);
         if (securityContext == null) {
             // no active session
@@ -95,6 +97,7 @@ boolean tryLogout(OidcHttpFacade facade) {
     boolean isSessionMarkedForInvalidation(OidcHttpFacade facade) {
         HttpScope session = facade.getScope(Scope.SESSION);
         if (session == null || ! session.exists()) return false;
+
         RefreshableOidcSecurityContext securityContext = (RefreshableOidcSecurityContext) session.getAttachment(OidcSecurityContext.class.getName());
         if (securityContext == null) {
             return false;
@@ -104,7 +107,7 @@ boolean isSessionMarkedForInvalidation(OidcHttpFacade facade) {
         if (idToken == null) {
             return false;
         }
-        return sessionsMarkedForInvalidation.remove(getSessionKey(facade, idToken.getSid())) != null;
+        return sessionsMarkedForInvalidation.remove(idToken.getNonce()) != null;
     }
 
     private void redirectEndSessionEndpoint(OidcHttpFacade facade) {
@@ -116,16 +119,17 @@ private void redirectEndSessionEndpoint(OidcHttpFacade facade) {
         try {
             URIBuilder redirectUriBuilder = new URIBuilder(clientConfiguration.getEndSessionEndpointUrl())
                     .addParameter(ID_TOKEN_HINT_PARAM, securityContext.getIDTokenString());
-            String postLogoutPath = clientConfiguration.getPostLogoutPath();
-            if (postLogoutPath != null) {
-                redirectUriBuilder.addParameter(POST_LOGOUT_REDIRECT_URI_PARAM,
-                        getRedirectUri(facade) + postLogoutPath);
+            String postLogoutRedirectUri = clientConfiguration.getPostLogoutRedirectUri();
+            if (postLogoutRedirectUri != null) {
+                log.trace("post_logout_redirect_uri: " + postLogoutRedirectUri);
+                redirectUriBuilder.addParameter(POST_LOGOUT_REDIRECT_URI_PARAM, postLogoutRedirectUri);
             }
 
             logoutUri = redirectUriBuilder.build().toString();
-            log.trace("redirectEndSessionEndpoint path: " + redirectUriBuilder.toString());
+            log.trace("redirectEndSessionEndpoint path: " + logoutUri);
         } catch (URISyntaxException e) {
-            throw new RuntimeException(e);
+            throw log.unableToCreateEndSessionEndpointRequest(
+                    clientConfiguration.getEndSessionEndpointUrl(), e.getMessage());
         }
 
         log.debugf("Sending redirect to the end_session_endpoint: %s", logoutUri);
@@ -134,7 +138,6 @@ private void redirectEndSessionEndpoint(OidcHttpFacade facade) {
     }
 
     boolean tryBackChannelLogout(OidcHttpFacade facade) {
-        log.trace("tryBackChannelLogout entered");
         if (isLogoutCallbackPath(facade)) {
             log.trace("isLogoutCallbackPath");
             if (isBackChannel(facade)) {
@@ -147,24 +150,48 @@ boolean tryBackChannelLogout(OidcHttpFacade facade) {
     }
 
     private void handleBackChannelLogoutRequest(OidcHttpFacade facade) {
+
+        OidcClientConfiguration clientConfiguration = facade.getOidcClientConfiguration();
         String logoutToken = facade.getRequest().getFirstParam(LOGOUT_TOKEN_PARAM);
-        TokenValidator tokenValidator = TokenValidator.builder(facade.getOidcClientConfiguration())
-                .setSkipExpirationValidator()
-                .setTokenType(LOGOUT_TOKEN_TYPE)
+        TokenValidator.Builder tokenBuilder = TokenValidator.builder(clientConfiguration)
+                .setSkipExpirationValidator();
+        // Keycloak uses claim type "Logout".  Other OP's may be using "logout+jwt"
+        // or a typ unique to it.
+        String providerLogoutTokenType = (facade.getOidcClientConfiguration().getProviderJwtClaimsTyp() == null) ?
+                KEYCLOCK_LOGOUT_TOKEN_TYPE : clientConfiguration.getProviderJwtClaimsTyp();
+        TokenValidator tokenValidator = tokenBuilder.setTokenType(providerLogoutTokenType)
                 .build();
-        JwtClaims claims;
 
+        JwtClaims claims = null;
+        Exception cause = null;
         try {
+            // check keycloak 'typ'
             claims = tokenValidator.verify(logoutToken);
-        } catch (Exception cause) {
-            log.debug("Unexpected error when verifying logout token", cause);
-            facade.getResponse().setStatus(HttpStatus.SC_BAD_REQUEST);
-            facade.authenticationFailed();
-            return;
+        } catch (Exception expKeyclockClaims) {
+            cause = expKeyclockClaims;
+            if (expKeyclockClaims.getCause().getMessage().contains("ELY23054: Unexpected value for typ claim")) {
+                log.warn("OpenID Provider claims typ " + providerLogoutTokenType
+                        + " was not valid.  Trying typ "+ LOGOUT_JWT_TOKEN_TYPE);
+
+                // check other OP's 'typ'
+                tokenValidator = tokenBuilder.setTokenType(LOGOUT_JWT_TOKEN_TYPE)
+                                .build();
+                try {
+                    claims = tokenValidator.verify(logoutToken);
+                } catch (Exception expOtherProviderCliams) {
+                    cause = expOtherProviderCliams;
+                }
+            }
+            if (claims == null) {
+                log.debugf("Unexpected error when verifying logout token", cause);
+                facade.getResponse().setStatus(HttpStatus.SC_BAD_REQUEST);
+                facade.authenticationFailed();
+                return;
+            }
         }
 
-        if (!isSessionRequiredOnLogout(facade)) {
-            log.warn("Back-channel logout request received but can not infer sid from logout token to mark it for invalidation");
+        if (!isLogoutSessionRequired(facade)) {
+            log.warn(log.sidCanNotBeInferFromLogoutToken());
             facade.getResponse().setStatus(HttpStatus.SC_BAD_REQUEST);
             facade.authenticationFailed();
             return;
@@ -178,7 +205,7 @@ private void handleBackChannelLogoutRequest(OidcHttpFacade facade) {
             return;
         }
 
-        log.debug("Marking session for invalidation during back-channel logout");
+        log.debugf("Marking session for invalidation during back-channel logout");
         sessionsMarkedForInvalidation.put(getSessionKey(facade, sessionId), facade.getOidcClientConfiguration());
     }
 
@@ -187,7 +214,7 @@ private String getSessionKey(OidcHttpFacade facade, String sessionId) {
     }
 
     private void handleFrontChannelLogoutRequest(OidcHttpFacade facade) {
-        if (isSessionRequiredOnLogout(facade)) {
+        if (isLogoutSessionRequired(facade)) {
             Request request = facade.getRequest();
             String sessionId = request.getQueryParamValue(SID);
 
@@ -201,14 +228,14 @@ private void handleFrontChannelLogoutRequest(OidcHttpFacade facade) {
             IDToken idToken = context.getIDToken();
             String issuer = request.getQueryParamValue(ISS);
 
-            if (idToken == null || !sessionId.equals(idToken.getSid()) || !idToken.getIssuer().equals(issuer)) {
+            if (idToken == null || !sessionId.equals(idToken.getNonce()) || !idToken.getIssuer().equals(issuer)) {
                 facade.getResponse().setStatus(HttpStatus.SC_BAD_REQUEST);
                 facade.authenticationFailed();
                 return;
             }
         }
 
-        log.debug("Invalidating session during front-channel logout");
+        log.debugf("Invalidating session during front-channel logout");
         facade.getTokenStore().logout(false);
     }
 
@@ -228,17 +255,33 @@ private String getRedirectUri(OidcHttpFacade facade) {
     }
 
     private boolean isLogoutCallbackPath(OidcHttpFacade facade) {
-        String path = facade.getRequest().getRelativePath();
-        return path.endsWith(getLogoutCallbackPath(facade));
+        String uriStr = facade.getRequest().getURI();
+        // logoutCallbackPath can be either an URL path component or an absolute path.
+        // Only the path components are to be compared.
+        String tmpLogoutCallbackPath = getLogoutCallbackPath(facade);
+        try {
+            URL url = new URL(tmpLogoutCallbackPath);
+            if (uriStr.equals(url.toString())
+                || uriStr.endsWith(tmpLogoutCallbackPath)) {
+                return true;
+            }
+        } catch (MalformedURLException e) {
+            // no-op
+        }
+        return false;
     }
 
     private boolean isRpInitiatedLogoutPath(OidcHttpFacade facade) {
         String path = facade.getRequest().getRelativePath();
-        return path.endsWith(getLogoutPath(facade));
+        String logoutPath = getLogoutPath(facade);
+        if (logoutPath == null) {
+            return false;
+        }
+        return path.endsWith(logoutPath);
     }
 
-    private boolean isSessionRequiredOnLogout(OidcHttpFacade facade) {
-        return facade.getOidcClientConfiguration().isSessionRequiredOnLogout();
+    private boolean isLogoutSessionRequired(OidcHttpFacade facade) {
+        return facade.getOidcClientConfiguration().isLogoutSessionRequired();
     }
 
     private RefreshableOidcSecurityContext getSecurityContext(OidcHttpFacade facade) {

http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java

@@ -185,9 +185,13 @@ public class Oidc {
     public static final String PROVIDER_URL = "provider-url";
     public static final String LOGOUT_PATH = "logout-path";
     public static final String LOGOUT_CALLBACK_PATH = "logout-callback-path";
-    public static final String POST_LOGOUT_PATH = "post-logout-path";
+    public static final String POST_LOGOUT_REDIRECT_URI= "post-logout-redirect-uri";
     public static final String LOGOUT_SESSION_REQUIRED = "logout-session-required";
-
+    static final String DEFAULT_LOGOUT_PATH = "/logout";
+    static final String DEFAULT_LOGOUT_CALLBACK_PATH = "/logout/callback";
+    static final int DEFAULT_BACK_CHANNEL_LOGOUT_SESSION_INVALIDATION_LIMIT = 16;
+    static final String BACK_CHANNEL_LOGOUT_SESSION_INVALIDATION_LIMIT = "back-channel-logout-session-invalidation-limit";
+    static final String PROVIDER_JWT_CLAIMS_TYP = "provider-jwt-claims-typ";
     /**
      * Bearer token pattern.
      * The Bearer token authorization header is of the form "Bearer", followed by optional whitespace, followed by

http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcAuthenticationMechanism.java

@@ -60,7 +60,7 @@ public String getMechanismName() {
 
     @Override
     public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException {
-        log.debug("evaluateRequest uri: " + request.getRequestURI().toString());
+        log.debugf("evaluateRequest uri: " + request.getRequestURI().toString());
         OidcClientContext oidcClientContext = getOidcClientContext(request);
         if (oidcClientContext == null) {
             log.debugf("Ignoring request for path [%s] from mechanism [%s]. No client configuration context found.", request.getRequestURI(), getMechanismName());

http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfiguration.java

@@ -145,13 +145,12 @@ public enum RelativeUrlsUsed {
     protected JWKEncPublicKeyLocator encryptionPublicKeyLocator;
     private boolean logoutSessionRequired = true;
 
-    private String postLogoutPath;
-    private boolean sessionRequiredOnLogout = true;
-    private String logoutPath = "/logout";
-    private String logoutCallbackPath = "/logout/callback";
-
-    private int logoutSessionWaitingLimit = 100;
+    private String postLogoutRedirectUri;
+    private String logoutPath;
+    private String logoutCallbackPath;
+    private String providerJwtClaimsTyp;
 
+    private int backChannelLogoutSessionInvalidationLimit = Oidc.DEFAULT_BACK_CHANNEL_LOGOUT_SESSION_INVALIDATION_LIMIT;
     public OidcClientConfiguration() {
     }
 
@@ -277,7 +276,7 @@ protected void resolveUrls(OidcClientUriBuilder authUrlBuilder) {
         issuerUrl = authUrlBuilder.clone().path(ServiceUrlConstants.REALM_INFO_PATH).build(getRealm()).toString();
 
         tokenUrl = authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_PATH).build(getRealm()).toString();
-        logoutUrl = OidcClientUriBuilder.fromUri(authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH).build(getRealm()).toString()).buildAsString();
+        endSessionEndpointUrl = OidcClientUriBuilder.fromUri(authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH).build(getRealm()).toString()).buildAsString();
         accountUrl = authUrlBuilder.clone().path(ServiceUrlConstants.ACCOUNT_SERVICE_PATH).build(getRealm()).toString();
         registerNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_REGISTER_NODE_PATH).build(getRealm()).toString();
         unregisterNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH).build(getRealm()).toString();
@@ -719,20 +718,12 @@ public String getTokenSignatureAlgorithm() {
         return tokenSignatureAlgorithm;
     }
 
-    public boolean isSessionRequiredOnLogout() {
-        return sessionRequiredOnLogout;
-    }
-
-    public void setSessionRequiredOnLogout(boolean sessionRequiredOnLogout) {
-        this.sessionRequiredOnLogout = sessionRequiredOnLogout;
-    }
-
-    public int getLogoutSessionWaitingLimit() {
-        return logoutSessionWaitingLimit;
+    public int getBackChannelLogoutSessionInvalidationLimit() {
+        return backChannelLogoutSessionInvalidationLimit;
     }
 
-    public void setLogoutSessionWaitingLimit(int logoutSessionWaitingLimit) {
-        this.logoutSessionWaitingLimit = logoutSessionWaitingLimit;
+    public void setBackChannelLogoutSessionInvalidationLimit(int backChannelLogoutSessionInvalidationLimit) {
+        this.backChannelLogoutSessionInvalidationLimit = backChannelLogoutSessionInvalidationLimit;
     }
 
     public String getAuthenticationRequestFormat() {
@@ -823,12 +814,12 @@ public JWKEncPublicKeyLocator getEncryptionPublicKeyLocator() {
         return this.encryptionPublicKeyLocator;
     }
 
-    public void setPostLogoutPath(String postLogoutPath) {
-        this.postLogoutPath = postLogoutPath;
+    public void setPostLogoutRedirectUri(String postLogoutRedirectUri) {
+        this.postLogoutRedirectUri = postLogoutRedirectUri;
     }
 
-    public String getPostLogoutPath() {
-        return postLogoutPath;
+    public String getPostLogoutRedirectUri() {
+        return postLogoutRedirectUri;
     }
 
     public boolean isLogoutSessionRequired() {
@@ -850,4 +841,11 @@ public String getLogoutCallbackPath() {
     public void setLogoutCallbackPath(String logoutCallbackPath) {
         this.logoutCallbackPath = logoutCallbackPath;
     }
+
+    public String getProviderJwtClaimsTyp() {
+        return this.providerJwtClaimsTyp;
+    }
+    public void setProviderJwtClaimsTyp(String providerJwtClaimsTyp) {
+        this.providerJwtClaimsTyp = providerJwtClaimsTyp;
+    }
 }