[ELY-2534] OIDC logout support

Author: rsearls

http/oidc/src/main/java/org/wildfly/security/http/oidc/AuthenticationError.java

@@ -36,9 +36,7 @@ public enum Reason {
         INVALID_TOKEN,
         STALE_TOKEN,
         NO_AUTHORIZATION_HEADER,
-        NO_QUERY_PARAMETER_ACCESS_TOKEN,
-        NO_SESSION_ID,
-        METHOD_NOT_ALLOWED
+        NO_QUERY_PARAMETER_ACCESS_TOKEN
     }
 
     private Reason reason;

http/oidc/src/main/java/org/wildfly/security/http/oidc/ElytronMessages.java

@@ -279,11 +279,10 @@ interface ElytronMessages extends BasicLogger {
     @Message(id = 23070, value = "Authentication request format must be one of the following: oauth2, request, request_uri.")
     RuntimeException invalidAuthenticationRequestFormat();
 
-    @Message(id = 23071, value = "%s is not a valid value for %s")
+    @Message(id = 23071, value = "Invalid logout output: %s is not a valid value for %s")
     RuntimeException invalidLogoutPath(String pathValue, String pathName);
 
-    @Message(id = 23072, value = "The end substring of %s: %s can not be identical to %s: %s")
-    RuntimeException invalidLogoutCallbackPath(String callbackPathTitle, String callbacPathkValue,
-                                               String logoutPathTitle, String logoutPathValue);
+    @Message(id = 23072, value = "Invalid %s: %s the value must be an absolute URI")
+    RuntimeException invalidLogoutCallbackPath(String callbackPathTitle, String callbackPathValue);
 }
 

http/oidc/src/main/java/org/wildfly/security/http/oidc/LogoutHandler.java

@@ -38,13 +38,13 @@
  */
 final class LogoutHandler {
 
-    public static final String POST_LOGOUT_REDIRECT_URI_PARAM = "post_logout_redirect_uri";
-    public static final String ID_TOKEN_HINT_PARAM = "id_token_hint";
+    private static final String POST_LOGOUT_REDIRECT_URI_PARAM = "post_logout_redirect_uri";
+    private static final String ID_TOKEN_HINT_PARAM = "id_token_hint";
     private static final String LOGOUT_TOKEN_PARAM = "logout_token";
     private static final String LOGOUT_TOKEN_TYPE = "Logout";
     private static final String CLIENT_ID_SID_SEPARATOR = "-";
-    public static final String SID = "sid";
-    public static final String ISS = "iss";
+    private static final String SID = "sid";
+    private static final String ISS = "iss";
 
     /**
      * A bounded map to store sessions marked for invalidation after receiving logout requests through the back-channel
@@ -95,6 +95,7 @@ boolean tryLogout(OidcHttpFacade facade) {
     boolean isSessionMarkedForInvalidation(OidcHttpFacade facade) {
         HttpScope session = facade.getScope(Scope.SESSION);
         if (session == null || ! session.exists()) return false;
+
         RefreshableOidcSecurityContext securityContext = (RefreshableOidcSecurityContext) session.getAttachment(OidcSecurityContext.class.getName());
         if (securityContext == null) {
             return false;
@@ -104,6 +105,7 @@ boolean isSessionMarkedForInvalidation(OidcHttpFacade facade) {
         if (idToken == null) {
             return false;
         }
+
         return sessionsMarkedForInvalidation.remove(getSessionKey(facade, idToken.getSid())) != null;
     }
 
@@ -116,10 +118,10 @@ private void redirectEndSessionEndpoint(OidcHttpFacade facade) {
         try {
             URIBuilder redirectUriBuilder = new URIBuilder(clientConfiguration.getEndSessionEndpointUrl())
                     .addParameter(ID_TOKEN_HINT_PARAM, securityContext.getIDTokenString());
-            String postLogoutPath = clientConfiguration.getPostLogoutPath();
-            if (postLogoutPath != null) {
-                redirectUriBuilder.addParameter(POST_LOGOUT_REDIRECT_URI_PARAM,
-                        getRedirectUri(facade) + postLogoutPath);
+            String postLogoutUri = clientConfiguration.getPostLogoutUri();
+            if (postLogoutUri != null) {
+                log.trace("post_logout_redirect_uri: " + postLogoutUri);
+                redirectUriBuilder.addParameter(POST_LOGOUT_REDIRECT_URI_PARAM, postLogoutUri);
             }
 
             logoutUri = redirectUriBuilder.build().toString();

http/oidc/src/main/java/org/wildfly/security/http/oidc/Oidc.java

@@ -175,7 +175,7 @@ public class Oidc {
     public static final String PROVIDER_URL = "provider-url";
     public static final String LOGOUT_PATH = "logout-path";
     public static final String LOGOUT_CALLBACK_PATH = "logout-callback-path";
-    public static final String POST_LOGOUT_PATH = "post-logout-path";
+    public static final String POST_LOGOUT_URI = "post-logout-uri";
     public static final String LOGOUT_SESSION_REQUIRED = "logout-session-required";
 
     /**

http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfiguration.java

@@ -143,9 +143,9 @@ public enum RelativeUrlsUsed {
     protected String requestObjectSigningKeyAlias;
     protected String requestObjectSigningKeyStoreType;
     protected JWKEncPublicKeyLocator encryptionPublicKeyLocator;
-    private boolean logoutSessionRequired = true;
+    private String logoutSessionRequired;
 
-    private String postLogoutPath;
+    private String postLogoutUri;
     private boolean sessionRequiredOnLogout = true;
     private String logoutPath = "/logout";
     private String logoutCallbackPath = "/logout/callback";
@@ -808,19 +808,19 @@ public JWKEncPublicKeyLocator getEncryptionPublicKeyLocator() {
         return this.encryptionPublicKeyLocator;
     }
 
-    public void setPostLogoutPath(String postLogoutPath) {
-        this.postLogoutPath = postLogoutPath;
+    public void setPostLogoutUri(String postLogoutUri) {
+        this.postLogoutUri = postLogoutUri;
     }
 
-    public String getPostLogoutPath() {
-        return postLogoutPath;
+    public String getPostLogoutUri() {
+        return postLogoutUri;
     }
 
-    public boolean isLogoutSessionRequired() {
+    public String getLogoutSessionRequired() {
         return logoutSessionRequired;
     }
 
-    public void setLogoutSessionRequired(boolean logoutSessionRequired) {
+    public void setLogoutSessionRequired(String logoutSessionRequired) {
         this.logoutSessionRequired = logoutSessionRequired;
     }
 

http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcClientConfigurationBuilder.java

@@ -27,7 +27,7 @@
 import static org.wildfly.security.http.oidc.Oidc.TokenStore;
 import static org.wildfly.security.http.oidc.Oidc.LOGOUT_PATH;
 import static org.wildfly.security.http.oidc.Oidc.LOGOUT_CALLBACK_PATH;
-import static org.wildfly.security.http.oidc.Oidc.POST_LOGOUT_PATH;
+import static org.wildfly.security.http.oidc.Oidc.POST_LOGOUT_URI;
 import static org.wildfly.security.http.oidc.Oidc.LOGOUT_SESSION_REQUIRED;
 
 import java.io.IOException;
@@ -199,7 +199,10 @@ protected OidcClientConfiguration internalBuild(final OidcJsonConfiguration oidc
 
         oidcClientConfiguration.setTokenSignatureAlgorithm(oidcJsonConfiguration.getTokenSignatureAlgorithm());
 
-        String tmpLogoutPath = System.getProperty(LOGOUT_PATH);
+        String tmpLogoutPath = oidcJsonConfiguration.getLogoutPath();
+        if (tmpLogoutPath == null) {
+            tmpLogoutPath = System.getProperty(LOGOUT_PATH);
+        }
         log.debug("sysProp LOGOUT_PATH: " + (tmpLogoutPath == null ? "NULL" : tmpLogoutPath));
         if (tmpLogoutPath != null) {
             if (isValidPath(tmpLogoutPath)) {
@@ -209,38 +212,42 @@ protected OidcClientConfiguration internalBuild(final OidcJsonConfiguration oidc
             }
         }
 
-
-        String tmpLogoutCallbackPath = System.getProperty(LOGOUT_CALLBACK_PATH);
+        String tmpLogoutCallbackPath = oidcJsonConfiguration.getLogoutCallbackPath();
+        if (tmpLogoutCallbackPath == null) {
+            tmpLogoutCallbackPath = System.getProperty(LOGOUT_CALLBACK_PATH);
+        }
         log.debug("sysProp LOGOUT_CALLBACK_PATH: " + (tmpLogoutCallbackPath == null ? "NULL" : tmpLogoutCallbackPath));
         if (tmpLogoutCallbackPath != null) {
-            if (isValidPath(tmpLogoutCallbackPath)
-                    && !tmpLogoutCallbackPath.endsWith(oidcClientConfiguration.getLogoutPath())) {
+            if (tmpLogoutCallbackPath.startsWith("http")) {
                 oidcClientConfiguration.setLogoutCallbackPath(tmpLogoutCallbackPath);
             } else {
-                if (!isValidPath(tmpLogoutCallbackPath)) {
-                    throw log.invalidLogoutPath(tmpLogoutPath, LOGOUT_CALLBACK_PATH);
-                } else {
-                    throw log.invalidLogoutCallbackPath(LOGOUT_CALLBACK_PATH, tmpLogoutCallbackPath,
-                            LOGOUT_PATH, oidcClientConfiguration.getLogoutPath());
-                }
+                throw log.invalidLogoutCallbackPath(LOGOUT_CALLBACK_PATH, tmpLogoutCallbackPath);
             }
         }
 
-        String tmpPostLogoutPath = System.getProperty(POST_LOGOUT_PATH);
-        log.debug("sysProp POST_LOGOUT_PATH: " + (tmpPostLogoutPath == null ? "NULL" : tmpPostLogoutPath));
-        if (tmpPostLogoutPath != null) {
-            if (isValidPath(tmpPostLogoutPath)) {
-                oidcClientConfiguration.setPostLogoutPath(tmpPostLogoutPath);
+        String tmpPostLogoutUri = oidcJsonConfiguration.getPostLogoutUri();
+        if (tmpPostLogoutUri == null) {
+            tmpPostLogoutUri = System.getProperty(POST_LOGOUT_URI);
+        }
+        log.debug("sysProp POST_LOGOUT_URI: " + (tmpPostLogoutUri == null ? "NULL" : tmpPostLogoutUri));
+        if (tmpPostLogoutUri != null) {
+            if (tmpPostLogoutUri.startsWith("http")) {
+                oidcClientConfiguration.setPostLogoutUri(tmpPostLogoutUri);
             } else {
-                throw log.invalidLogoutPath(tmpLogoutPath, POST_LOGOUT_PATH);
+                throw log.invalidLogoutPath(tmpPostLogoutUri, POST_LOGOUT_URI);
             }
         }
 
-        String tmpLogoutSessionRequired = System.getProperty(LOGOUT_SESSION_REQUIRED);
-        if (tmpLogoutSessionRequired != null) {
-            oidcClientConfiguration.setLogoutSessionRequired(
-                    Boolean.valueOf(tmpLogoutSessionRequired));
+        String tmpLogoutSessionRequired = oidcJsonConfiguration.getLogoutSessionRequired();
+        if (tmpLogoutSessionRequired == null) {
+            String sysPropLogoutSessionRequired = System.getProperty(LOGOUT_SESSION_REQUIRED);
+            if (sysPropLogoutSessionRequired == null) {
+                tmpLogoutSessionRequired = "true";
+            } else {
+                tmpLogoutSessionRequired = sysPropLogoutSessionRequired;
+            }
         }
+        oidcClientConfiguration.setLogoutSessionRequired(tmpLogoutSessionRequired);
 
         return oidcClientConfiguration;
     }

http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcHttpFacade.java

@@ -550,21 +550,4 @@ public String getPath() {
             return path;
         }
     }
-
-    // rls debug only
-    public String rlsGetSessionIds() {
-        Collection<String> sessions = request.getScopeIds(Scope.SESSION);
-        if (sessions == null) {
-            return "## OidcHttpFacade  Scope.SESSION sessionIds is null.";
-        } else if (sessions.isEmpty()){
-            return "Scope.SESSION sessionIds is empty.";
-        }
-        StringBuffer sb = new StringBuffer();
-            sb.append("Scope.SESSION sessionIds: [");
-        for (String s : sessions) {
-            sb.append(s + ", ");
-        }
-        sb.append("]\n");
-        return sb.toString();
-    }
 }

http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcJsonConfiguration.java

@@ -43,7 +43,11 @@
 import static org.wildfly.security.http.oidc.Oidc.ENABLE_PKCE;
 import static org.wildfly.security.http.oidc.Oidc.EXPOSE_TOKEN;
 import static org.wildfly.security.http.oidc.Oidc.IGNORE_OAUTH_QUERY_PARAMETER;
+import static org.wildfly.security.http.oidc.Oidc.LOGOUT_PATH;
+import static org.wildfly.security.http.oidc.Oidc.LOGOUT_CALLBACK_PATH;
+import static org.wildfly.security.http.oidc.Oidc.LOGOUT_SESSION_REQUIRED;
 import static org.wildfly.security.http.oidc.Oidc.MIN_TIME_BETWEEN_JWKS_REQUESTS;
+import static org.wildfly.security.http.oidc.Oidc.POST_LOGOUT_URI;
 import static org.wildfly.security.http.oidc.Oidc.PRINCIPAL_ATTRIBUTE;
 import static org.wildfly.security.http.oidc.Oidc.PROVIDER_URL;
 import static org.wildfly.security.http.oidc.Oidc.PROXY_URL;
@@ -99,8 +103,9 @@
         ALWAYS_REFRESH_TOKEN,
         REGISTER_NODE_AT_STARTUP, REGISTER_NODE_PERIOD, TOKEN_STORE, ADAPTER_STATE_COOKIE_PATH, PRINCIPAL_ATTRIBUTE,
         PROXY_URL, TURN_OFF_CHANGE_SESSION_ID_ON_LOGIN, TOKEN_MINIMUM_TIME_TO_LIVE,
-        MIN_TIME_BETWEEN_JWKS_REQUESTS, PUBLIC_KEY_CACHE_TTL,
-        IGNORE_OAUTH_QUERY_PARAMETER, VERIFY_TOKEN_AUDIENCE, TOKEN_SIGNATURE_ALGORITHM, SCOPE,
+        MIN_TIME_BETWEEN_JWKS_REQUESTS, POST_LOGOUT_URI, PUBLIC_KEY_CACHE_TTL,
+        IGNORE_OAUTH_QUERY_PARAMETER, LOGOUT_PATH, LOGOUT_CALLBACK_PATH, LOGOUT_SESSION_REQUIRED,
+        VERIFY_TOKEN_AUDIENCE, TOKEN_SIGNATURE_ALGORITHM, SCOPE,
         AUTHENTICATION_REQUEST_FORMAT, REQUEST_OBJECT_SIGNING_ALGORITHM, REQUEST_OBJECT_ENCRYPTION_ALG_VALUE,
         REQUEST_OBJECT_ENCRYPTION_ENC_VALUE, REQUEST_OBJECT_SIGNING_KEYSTORE_FILE,
         REQUEST_OBJECT_SIGNING_KEYSTORE_PASSWORD,REQUEST_OBJECT_SIGNING_KEY_PASSWORD, REQUEST_OBJECT_SIGNING_KEY_ALIAS,
@@ -152,13 +157,21 @@ public class OidcJsonConfiguration {
     protected int tokenMinimumTimeToLive = 0;
     @JsonProperty(MIN_TIME_BETWEEN_JWKS_REQUESTS)
     protected int minTimeBetweenJwksRequests = 10;
+    @JsonProperty(POST_LOGOUT_URI)
+    protected String postLogoutUri;
     @JsonProperty(PUBLIC_KEY_CACHE_TTL)
     protected int publicKeyCacheTtl = 86400; // 1 day
     // https://tools.ietf.org/html/rfc7636
     @JsonProperty(ENABLE_PKCE)
     protected boolean pkce = false;
     @JsonProperty(IGNORE_OAUTH_QUERY_PARAMETER)
     protected boolean ignoreOAuthQueryParameter = false;
+    @JsonProperty(LOGOUT_PATH)
+    protected String logoutPath;
+    @JsonProperty(LOGOUT_CALLBACK_PATH)
+    protected String logoutCallbackPath;
+    @JsonProperty(LOGOUT_SESSION_REQUIRED)
+    protected String logoutSessionRequired;
     @JsonProperty(VERIFY_TOKEN_AUDIENCE)
     protected boolean verifyTokenAudience = false;
     @JsonProperty(CONFIDENTIAL_PORT)
@@ -407,6 +420,14 @@ public int getMinTimeBetweenJwksRequests() {
         return minTimeBetweenJwksRequests;
     }
 
+    public String getPostLogoutUri() {
+        return postLogoutUri;
+    }
+
+    public void setPostLogoutUri(String postLogoutUri) {
+        this.postLogoutUri = postLogoutUri;
+    }
+
     public void setMinTimeBetweenJwksRequests(int minTimeBetweenJwksRequests) {
         this.minTimeBetweenJwksRequests = minTimeBetweenJwksRequests;
     }
@@ -436,6 +457,30 @@ public void setIgnoreOAuthQueryParameter(boolean ignoreOAuthQueryParameter) {
         this.ignoreOAuthQueryParameter = ignoreOAuthQueryParameter;
     }
 
+    public String getLogoutPath() {
+        return logoutPath;
+    }
+
+    public void setLogoutPath(String logoutPath) {
+        this.logoutPath = logoutPath;
+    }
+
+    public String getLogoutCallbackPath() {
+        return logoutCallbackPath;
+    }
+
+    public void setLogoutCallbackPath(String logoutCallbackPath) {
+        this.logoutCallbackPath = logoutCallbackPath;
+    }
+
+    public String getLogoutSessionRequired() {
+        return logoutSessionRequired;
+    }
+
+    public void setLogoutSessionRequired(String logoutSessionRequired) {
+        this.logoutSessionRequired = logoutSessionRequired;
+    }
+
     public boolean isVerifyTokenAudience() {
         return verifyTokenAudience;
     }

http/oidc/src/main/java/org/wildfly/security/http/oidc/RefreshableOidcSecurityContext.java

@@ -112,7 +112,6 @@ public boolean refreshToken(boolean checkActive) {
             }
             if (isActive() && isTokenTimeToLiveSufficient(this.token)) return true;
         }
-
         if (this.clientConfiguration == null || refreshToken == null) return false;
 
         if (log.isTraceEnabled()) {

http/oidc/src/main/java/org/wildfly/security/http/oidc/RequestAuthenticator.java

@@ -55,7 +55,6 @@ public RequestAuthenticator(OidcHttpFacade facade, OidcClientConfiguration deplo
     public AuthOutcome authenticate() {
         AuthOutcome authenticate = doAuthenticate();
         if (AuthOutcome.AUTHENTICATED.equals(authenticate) && !facade.isAuthorized()) {
-            log.trace("## RequestAutenticator.authenticate AUTHENTICATED but NOT Autorized");
             return AuthOutcome.FAILED;
         }
         return authenticate;