[ELY-2534] Use the client ID and sid from the ID token in the key for the sessionsMarkedForInvalidation map

fjuma · rsearls · commit d6804de03d63 · 2025-12-02T15:25:24.000-05:00
diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/LogoutHandler.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/LogoutHandler.java
@@ -42,6 +42,7 @@ final class LogoutHandler {
     public static final String ID_TOKEN_HINT_PARAM = "id_token_hint";
     private static final String LOGOUT_TOKEN_PARAM = "logout_token";
     private static final String LOGOUT_TOKEN_TYPE = "Logout";
+    private static final String CLIENT_ID_SID_SEPARATOR = "-";
     public static final String SID = "sid";
     public static final String ISS = "iss";
 
@@ -99,7 +100,7 @@ boolean isSessionMarkedForInvalidation(OidcHttpFacade facade) {
         if (idToken == null) {
             return false;
         }
-        return sessionsMarkedForInvalidation.containsKey(idToken.getSid());
+        return sessionsMarkedForInvalidation.remove(getSessionKey(facade, idToken.getSid())) != null;
     }
 
     private void redirectEndSessionEndpoint(OidcHttpFacade facade) {
@@ -170,7 +171,11 @@ private void handleBackChannelLogoutRequest(OidcHttpFacade facade) {
         }
 
         log.debug("Marking session for invalidation during back-channel logout");
-        sessionsMarkedForInvalidation.put(sessionId, facade.getOidcClientConfiguration());
+        sessionsMarkedForInvalidation.put(getSessionKey(facade, sessionId), facade.getOidcClientConfiguration());
+    }
+
+    private String getSessionKey(OidcHttpFacade facade, String sessionId) {
+        return facade.getOidcClientConfiguration().getClientId() + CLIENT_ID_SID_SEPARATOR + sessionId;
     }
 
     private void handleFrontChannelLogoutRequest(OidcHttpFacade facade) {

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ final class LogoutHandler {`
`42`	`42`	`public static final String ID_TOKEN_HINT_PARAM = "id_token_hint";`
`43`	`43`	`private static final String LOGOUT_TOKEN_PARAM = "logout_token";`
`44`	`44`	`private static final String LOGOUT_TOKEN_TYPE = "Logout";`
	`45`	`+ private static final String CLIENT_ID_SID_SEPARATOR = "-";`
`45`	`46`	`public static final String SID = "sid";`
`46`	`47`	`public static final String ISS = "iss";`
`47`	`48`
`@@ -99,7 +100,7 @@ boolean isSessionMarkedForInvalidation(OidcHttpFacade facade) {`
`99`	`100`	`if (idToken == null) {`
`100`	`101`	`return false;`
`101`	`102`	`}`
`102`		`- return sessionsMarkedForInvalidation.containsKey(idToken.getSid());`
	`103`	`+ return sessionsMarkedForInvalidation.remove(getSessionKey(facade, idToken.getSid())) != null;`
`103`	`104`	`}`
`104`	`105`
`105`	`106`	`private void redirectEndSessionEndpoint(OidcHttpFacade facade) {`
`@@ -170,7 +171,11 @@ private void handleBackChannelLogoutRequest(OidcHttpFacade facade) {`
`170`	`171`	`}`
`171`	`172`
`172`	`173`	`log.debug("Marking session for invalidation during back-channel logout");`
`173`		`- sessionsMarkedForInvalidation.put(sessionId, facade.getOidcClientConfiguration());`
	`174`	`+ sessionsMarkedForInvalidation.put(getSessionKey(facade, sessionId), facade.getOidcClientConfiguration());`
	`175`	`+ }`
	`176`	`+`
	`177`	`+ private String getSessionKey(OidcHttpFacade facade, String sessionId) {`
	`178`	`+ return facade.getOidcClientConfiguration().getClientId() + CLIENT_ID_SID_SEPARATOR + sessionId;`
`174`	`179`	`}`
`175`	`180`
`176`	`181`	`private void handleFrontChannelLogoutRequest(OidcHttpFacade facade) {`