Description
There is a potential resource management issue in how back-channel logout requests are handled. The logout requests are submitted to a thread pool [1] and executed asynchronously. The pool is a fixed-size pool of 2 threads, with no bound on the number of queued tasks and no timeout on the tasks it runs [2].
If two back-channel logout requests submitted to the pool hang for a long time or indefinitely (for example, because the relying party accepts the connection but never responds), every subsequently submitted request stays queued until one of the two active requests completes, which in principle may never happen. Sessions at the affected relying parties are then never terminated.
Additionally, the HTTP client used to send the logout requests is not closed after the response has been consumed [3]. Each client that is left open keeps its underlying connections and related resources allocated, which could lead to resource exhaustion and, in turn, thread starvation.
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/8685c4bf11c75274c43ada28fc25ab20d666468c/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/backchannellogout/LogoutRequestSender.java#L122
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/8685c4bf11c75274c43ada28fc25ab20d666468c/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/backchannellogout/LogoutRequestSender.java#L55
[3] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/8685c4bf11c75274c43ada28fc25ab20d666468c/components/org.wso2.carbon.identity.oidc.session/src/main/java/org/wso2/carbon/identity/oidc/session/backchannellogout/LogoutRequestSender.java#L181
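The following is an added illustration, not code from the issue or from WSO2, of the two fixes the description implies: a bounded executor with per-request timeouts, and an HTTP client and response that are closed on every path. It assumes Apache HttpClient 4.5.x on the classpath; the class name, the limits (2 workers, a queue of 1000, 3 s timeouts) and the local "hung relying party" used by `main` are hypothetical and chosen only for the demonstration.

```java
// Added example (not WSO2 code): a back-channel logout sender with bounded queue,
// request timeouts and closed HTTP resources. Assumes Apache HttpClient 4.5.x.
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class BoundedLogoutSender {

    // Hypothetical limits; tune them to the deployment.
    private static final int WORKERS = 2;
    private static final int QUEUE_CAPACITY = 1000;
    private static final int TIMEOUT_MS = 3000;

    // Bounded queue: a backlog behind hung relying parties can no longer grow without limit.
    // AbortPolicy makes overload visible (RejectedExecutionException at submit time)
    // instead of queuing silently; callers should log and retry rejected logouts.
    private final ExecutorService pool = new ThreadPoolExecutor(
            WORKERS, WORKERS, 0L, TimeUnit.MILLISECONDS,
            new ArrayBlockingQueue<>(QUEUE_CAPACITY),
            new ThreadPoolExecutor.AbortPolicy());

    // Every phase of the request is bounded: connecting, waiting for a pooled
    // connection, and waiting for response bytes. A hung RP now costs at most TIMEOUT_MS.
    private final RequestConfig config = RequestConfig.custom()
            .setConnectTimeout(TIMEOUT_MS)
            .setConnectionRequestTimeout(TIMEOUT_MS)
            .setSocketTimeout(TIMEOUT_MS)
            .build();

    /** Submits one logout request; the Future lets the caller observe success or failure. */
    public Future<Integer> send(String backChannelLogoutUrl, String logoutToken) {
        return pool.submit(() -> postLogoutToken(backChannelLogoutUrl, logoutToken));
    }

    /** POSTs the logout token and returns the HTTP status. Client and response are closed on every path. */
    int postLogoutToken(String url, String logoutToken) throws IOException {
        HttpPost post = new HttpPost(url);
        post.setEntity(new StringEntity("logout_token=" + logoutToken, ContentType.APPLICATION_FORM_URLENCODED));
        try (CloseableHttpClient client = HttpClients.custom().setDefaultRequestConfig(config).build();
             CloseableHttpResponse response = client.execute(post)) {
            EntityUtils.consume(response.getEntity()); // drain the body so the connection is released
            return response.getStatusLine().getStatusCode();
        }
    }

    public void shutdown() {
        pool.shutdownNow();
    }

    // Demo: a local server that accepts TCP connections but never answers, i.e. a hung relying party.
    public static void main(String[] args) throws Exception {
        ServerSocket hungRp = new ServerSocket(0);
        Thread acceptor = new Thread(() -> {
            List<Socket> held = new ArrayList<>(); // keep accepted sockets open so requests hang
            try { while (true) held.add(hungRp.accept()); } catch (IOException ignored) { }
        });
        acceptor.setDaemon(true);
        acceptor.start();

        String url = "http://127.0.0.1:" + hungRp.getLocalPort() + "/logout";
        BoundedLogoutSender sender = new BoundedLogoutSender();
        List<Future<Integer>> results = new ArrayList<>();
        for (int i = 0; i < 3; i++) {
            results.add(sender.send(url, "constructed-token-" + i)); // constructed placeholder, not a real logout JWT
        }
        // With a fixed pool of 2 and no timeouts, the third request would wait behind the first two forever.
        // Here each hung request fails after TIMEOUT_MS with a SocketTimeoutException, so all three finish.
        for (Future<Integer> f : results) {
            try {
                System.out.println("status " + f.get(4L * TIMEOUT_MS, TimeUnit.MILLISECONDS));
            } catch (ExecutionException e) {
                System.out.println("logout failed fast: " + e.getCause());
            }
        }
        sender.shutdown();
        hungRp.close();
    }
}
```

Running `main` shows the third request completing (with a timeout error) a few seconds after the first two rather than never. In a real deployment the rejection and timeout paths should be logged and, where possible, retried, since a dropped back-channel logout leaves a relying-party session alive.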
Steps to Reproduce
N/A
Version
7.1.0
Environment Details (with versions)
No response