Merge pull request quarkusio#35919 from sberyozkin/oidc_logout_with_expired_idtoken

Honor OIDC logout requests when ID token has expired

Author: sberyozkin

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/SecurityEvent.java

@@ -9,6 +9,8 @@
  *
  */
 public class SecurityEvent {
+    public static final String SESSION_TOKENS_PROPERTY = "session-tokens";
+
     public enum Type {
         /**
          * OIDC Login event which is reported after the first user authentication but also when the user's session
@@ -30,6 +32,12 @@ public enum Type {
          */
         OIDC_LOGOUT_RP_INITIATED,
 
+        /**
+         * OIDC Logout event is reported when the current user has started an RP-initiated OIDC logout flow but the session has
+         * already expired.
+         */
+        OIDC_LOGOUT_RP_INITIATED_SESSION_EXPIRED,
+
         /**
          * OIDC BackChannel Logout initiated event is reported when the BackChannel logout request to logout the current user
          * has been received.

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java

@@ -354,6 +354,14 @@ public Uni<? extends SecurityIdentity> apply(Throwable t) {
                                                                                         t.getCause())));
                                             }
                                             // Token has expired, try to refresh
+                                            if (isRpInitiatedLogout(context, configContext)) {
+                                                LOG.debug("Session has expired, performing an RP initiated logout");
+                                                fireEvent(SecurityEvent.Type.OIDC_LOGOUT_RP_INITIATED_SESSION_EXPIRED,
+                                                        Map.of(SecurityEvent.SESSION_TOKENS_PROPERTY, session));
+                                                return Uni.createFrom().item((SecurityIdentity) null)
+                                                        .call(() -> buildLogoutRedirectUriUni(context, configContext,
+                                                                currentIdToken));
+                                            }
                                             if (session.getRefreshToken() == null) {
                                                 LOG.debug(
                                                         "Token has expired, token refresh is not possible because the refresh token is null");
@@ -983,6 +991,12 @@ private void fireEvent(SecurityEvent.Type eventType, SecurityIdentity securityId
         }
     }
 
+    private void fireEvent(SecurityEvent.Type eventType, Map<String, Object> properties) {
+        if (resolver.isSecurityEventObserved()) {
+            resolver.getSecurityEvent().fire(new SecurityEvent(eventType, properties));
+        }
+    }
+
     private String getRedirectPath(OidcTenantConfig oidcConfig, RoutingContext context) {
         Authentication auth = oidcConfig.getAuthentication();
         return auth.getRedirectPath().isPresent() ? auth.getRedirectPath().get() : context.request().path();

integration-tests/oidc-code-flow/src/main/resources/application.properties

@@ -80,6 +80,8 @@ quarkus.oidc.tenant-logout.application-type=web-app
 quarkus.oidc.tenant-logout.authentication.cookie-path=/tenant-logout
 quarkus.oidc.tenant-logout.logout.path=/tenant-logout/logout
 quarkus.oidc.tenant-logout.logout.post-logout-path=/tenant-logout/post-logout
+quarkus.oidc.tenant-logout.authentication.session-age-extension=2M
+quarkus.oidc.tenant-logout.token.refresh-expired=true
 
 quarkus.oidc.tenant-refresh.auth-server-url=${keycloak.url}/realms/logout-realm
 quarkus.oidc.tenant-refresh.client-id=quarkus-app

integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/CodeFlowTest.java

@@ -611,6 +611,22 @@ public void testRPInitiatedLogout() throws IOException {
 
             page = webClient.getPage("http://localhost:8081/tenant-logout");
             assertEquals("Sign in to logout-realm", page.getTitleText());
+
+            // login again
+            loginForm = page.getForms().get(0);
+            loginForm.getInputByName("username").setValueAttribute("alice");
+            loginForm.getInputByName("password").setValueAttribute("alice");
+            page = loginForm.getInputByName("login").click();
+            assertEquals("Tenant Logout, refreshed: false", page.asNormalizedText());
+
+            assertNotNull(getSessionCookie(webClient, "tenant-logout"));
+
+            await().atLeast(Duration.ofSeconds(11));
+
+            page = webClient.getPage("http://localhost:8081/tenant-logout/logout");
+            assertTrue(page.asNormalizedText().contains("You were logged out, please login again"));
+            assertNull(getSessionCookie(webClient, "tenant-logout"));
+
             webClient.getCookieManager().clearCookies();
         }
     }

integration-tests/oidc-code-flow/src/test/java/io/quarkus/it/keycloak/KeycloakRealmResourceManager.java

@@ -35,7 +35,7 @@ public Map<String, String> start() {
         // revoke refresh tokens so that they can only be used once
         logoutRealm.setRevokeRefreshToken(true);
         logoutRealm.setRefreshTokenMaxReuse(0);
-        logoutRealm.setSsoSessionMaxLifespan(15);
+        logoutRealm.setSsoSessionMaxLifespan(10);
         logoutRealm.setAccessTokenLifespan(5);
         client.createRealm(logoutRealm);
         realms.add(logoutRealm);