
I am sending `https://localhost:9443/oidc/logout?id_token_hint=my_id_token` and getting the page with the message "Identity Server: You have successfully logged out." But when I go back to the login page, it is returning an authorization code instead of asking for login/password.

  • Can you please mention the IS version that you are using currently? – Shan Chathusanda Jayathilaka Dec 31 '20 at 17:19
  • @ShanChathusandaJayathilaka wso2.is-5.10.0 – Askar Sanbayev Jan 01 '21 at 06:47
  • @askaraskar do you use any federated IDP for authentication? – Anuradha Karunarathna Jan 01 '21 at 15:46
  • @AnuradhaKarunarathna what does federated IDP mean? I don't think so, because I just configured a Service Provider. Currently my task is to invalidate the current user session in WSO2; are there ways of doing it by sending tokens to WSO2? I found this [link](https://is.docs.wso2.com/en/5.9.0/develop/session-mgt-rest-api/), but I need a password on my backend to send requests there, which kind of contradicts the usage of Identity Server – Askar Sanbayev Jan 01 '21 at 16:35
  • If you could record a browser trace for the logout request and next login request by following the steps in https://support.zendesk.com/hc/en-us/articles/204410413-Generating-a-HAR-file-for-troubleshooting and share, we can try to identify what's going on. – Sajith Jan 01 '21 at 17:20

1 Answer


According to the browser traces shared in the comments, it seems you are sending the logout request to an incorrect hostname+port (aisoip-devis.xxxxx.kz:9443). For that reason, the commonauthId cookie on the browser against the original hostname (aisoip-dev2.xxxxx.kz) is not cleared. Also, that cookie is not passed to WSO2 IS along with the logout request because of the hostname difference, so WSO2 IS is unable to terminate the session on its side as well.

https://aisoip-devis.xxxxx.kz:9443/oidc/logout

https://aisoip-dev2.xxxxx.kz/oauth2/authorize

To correct this issue, you will have to send the logout request to the same hostname+port pair where you are sending the authentication request.

https://aisoip-dev2.xxxxx.kz/oidc/logout
Sajith
  • Are there other ways of doing logout without redirecting my front end to the oidc/logout page? (It works fine, but isn't it insecure sending the **idToken** and my **IDP** URL to the front end?) I have separate front and back ends. – Askar Sanbayev Jan 12 '21 at 04:34
  • @AskarSanbayev, AFAIK, this is the only way within the OIDC spec: https://openid.net/specs/openid-connect-rpinitiated-1_0.html Regarding security - you can keep the token on backend until the moment the user asks to log out, thus reducing exposure. Once the user is logged out - the token is invalid and cannot be used. Yes, it exposes certain information, but that's basically user name and session id within the token. – Pavel Gatilov Oct 25 '22 at 06:30
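The two points made in the answer and the last comment can be turned into a small relying-party helper. This is an added example, not code from the question, the answer, or WSO2 IS: it derives both the authorize URL and the RP-initiated logout URL from one issuer origin, refuses to build a logout URL whose scheme/host/port differ from the authorize endpoint (the mismatch diagnosed above, which leaves the host-scoped commonauthId cookie untouched), and keeps the ID token in a server-side session so the browser only ever holds an opaque session id. `id_token_hint`, `post_logout_redirect_uri` and `state` are the parameters defined by the OIDC RP-Initiated Logout spec linked in the comment; the client id, redirect URIs and session store are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical deployment values, constructed for this example (not from the thread).
ISSUER_BASE = "https://aisoip-dev2.xxxxx.kz"          # origin the authorize request goes to
AUTHORIZE_ENDPOINT = ISSUER_BASE + "/oauth2/authorize"
LOGOUT_ENDPOINT = ISSUER_BASE + "/oidc/logout"
CLIENT_ID = "example-client-id"                       # placeholder
REDIRECT_URI = "https://app.example/callback"         # placeholder
POST_LOGOUT_REDIRECT_URI = "https://app.example/"     # placeholder


def origin(url):
    """(scheme, host, port) with default ports filled in. The commonauthId cookie is
    scoped by host, so two URLs that differ here talk to different browser sessions."""
    u = urlsplit(url)
    port = u.port or {"https": 443, "http": 80}.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def build_authorize_url(state, nonce):
    """Authorization code request (response_type=code, scope=openid)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def build_logout_url(id_token, state,
                     authorize_url=AUTHORIZE_ENDPOINT, logout_endpoint=LOGOUT_ENDPOINT):
    """RP-initiated logout URL. Refuses to build one whose origin differs from the
    authorize endpoint: the IdP would never see the session cookie, so nothing ends."""
    if not same_origin(authorize_url, logout_endpoint):
        raise ValueError(
            f"logout origin {origin(logout_endpoint)} != authorize origin {origin(authorize_url)}")
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
        "state": state,
    }
    return logout_endpoint + "?" + urlencode(params)


def query_params(url):
    """Parsed query string as a flat dict (helper for inspecting built URLs)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# Backend-held sessions: the browser gets only an opaque session id; the ID token
# stays server-side until the user asks to log out (the approach in the last comment).
_sessions = {}


def store_session(id_token):
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"id_token": id_token}
    return sid


def logout_redirect_for(sid):
    """For the backend's /logout route: consume the local session and return the
    IdP redirect the front end should follow. None if the session is unknown."""
    sess = _sessions.pop(sid, None)
    if sess is None:
        return None
    return build_logout_url(sess["id_token"], secrets.token_urlsafe(16))


if __name__ == "__main__":
    sid = store_session("constructed.id.token")   # normally the id_token from the token response
    print(logout_redirect_for(sid))
    try:
        build_logout_url("t", "s", logout_endpoint="https://aisoip-devis.xxxxx.kz:9443/oidc/logout")
    except ValueError as e:
        print("refused:", e)
```

The front end calls the backend's logout route with its session cookie, receives the built `oidc/logout` URL as a redirect, and follows it; the ID token leaves the backend only inside that one redirect, and the local session is already gone by then. A real deployment would persist `_sessions` outside the process and verify the returned `state` on the post-logout redirect.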