Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Alternative implementation to logout with id_token_hint #3053

Open
wants to merge 5 commits into
base: develop
Choose a base branch
from
+64 −8
Open

Alternative implementation to logout with id_token_hint #3053

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
248739b
Draft to logout
strehle Sep 17, 2024
c6d89e4
Merge remote-tracking branch 'origin/develop' into draftFixLogout
strehle Sep 26, 2024
9052473
fix tests
strehle Sep 26, 2024
2f5ec5a
Tests added
strehle Sep 26, 2024
a692b42
Test added
strehle Sep 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthentication.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ public class UaaAuthentication implements Authentication, Serializable {
private Set<String> authenticationMethods;
private Set<String> authContextClassRef;
private Long lastLoginSuccessTime;
private String idpIdToken;

private Map userAttributes;

Expand Down Expand Up @@ -184,6 +185,14 @@ public boolean equals(Object o) {
return true;
}

public String getIdpIdToken() {
return this.idpIdToken;
}

public void setIdpIdToken(final String idpIdToken) {
this.idpIdToken = idpIdToken;
}

@Override
public int hashCode() {
int result = authorities.hashCode();
Expand Down
6 changes: 5 additions & 1 deletion ...in/java/org/cloudfoundry/identity/uaa/authentication/ZoneAwareWhitelistLogoutHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,11 @@ protected String determineTargetUrl(HttpServletRequest request, HttpServletRespo
if (logoutUrl == null) {
return getZoneHandler().determineTargetUrl(request, response);
} else {
return externalOAuthLogoutHandler.constructOAuthProviderLogoutUrl(request, logoutUrl, oauthConfig);
String idTokenHint = null;
if (authentication instanceof UaaAuthentication uaaAuthentication) {
idTokenHint = uaaAuthentication.getIdpIdToken();
}
return externalOAuthLogoutHandler.constructOAuthProviderLogoutUrl(request, logoutUrl, idTokenHint, oauthConfig);
}
}

Expand Down
6 changes: 6 additions & 0 deletions .../cloudfoundry/identity/uaa/authentication/manager/ExternalLoginAuthenticationManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
import org.cloudfoundry.identity.uaa.provider.ExternalIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
import org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationManager;
import org.cloudfoundry.identity.uaa.scim.ScimGroupExternalMember;
import org.cloudfoundry.identity.uaa.scim.ScimGroupExternalMembershipManager;
import org.cloudfoundry.identity.uaa.user.DialableByPhone;
Expand Down Expand Up @@ -39,6 +40,7 @@
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;

Expand Down Expand Up @@ -155,6 +157,10 @@ public Authentication authenticate(Authentication request) throws Authentication
uaaAuthenticationDetails = UaaAuthenticationDetails.UNKNOWN;
}
UaaAuthentication success = new UaaAuthentication(new UaaPrincipal(user), user.getAuthorities(), uaaAuthenticationDetails);
success.setSamlMessageContext(new SAMLMessageContext());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you mean to add this? Not sure how it is related to the change.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not Saml, but you see here is the set of the SAML credential which can be re-retrieved after login

if (authenticationData instanceof ExternalOAuthAuthenticationManager.AuthenticationData authenticationInternal) {
success.setIdpIdToken(authenticationInternal.getIdToken());
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant that the better place for id_toiken_hint is here, because here is the SAML .
The class https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaLoginHint.java is for OAuth-Token-Requests, e.g. https://devforum.okta.com/t/how-to-pass-login-hint-into-authorization-url/26905

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You added line 160 as part of this PL so I'm not sure of your point. Ideally this ExternalLoginAuthenticationManager wouldn't have SAML or OIDC specific code in it. That's why my PL keeps all the id_token_hint changes in the OIDC classes.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no it not the check, but the fact that UaaLoginHint is used to parse the login_hint parameter.

My request is: use either UaaAuthentication because here are all session relevant information.

In case of SAML the credential is also stored here.

The other class is used to parse requests and therefore you had to jsonIgore

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my new commit on PL 3049. I'm storing the id_token in the UaaAuthentication now. I think the only significant difference is that I use the existing ExternalOAuthCodeToken to carry the id_token over to where it can be set in the UaaAuthentication, and all of my changes are contained in the OAuth packages.

}
populateAuthenticationAttributes(success, request, authenticationData);
publish(new IdentityProviderAuthenticationSuccessEvent(user, success, user.getOrigin(), IdentityZoneHolder.getCurrentZoneId()));
return success;
Expand Down
11 changes: 9 additions & 2 deletions ...java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -227,12 +227,14 @@ public AuthenticationData getExternalAuthenticationDetails(Authentication authen
AuthenticationData authenticationData = new AuthenticationData();

AbstractExternalOAuthIdentityProviderDefinition config = (AbstractExternalOAuthIdentityProviderDefinition) provider.getConfig();
Map<String, Object> claims = getClaimsFromToken(codeToken, config);
String idToken = getTokenFromCode(codeToken, config);
Map<String, Object> claims = getClaimsFromToken(idToken, config);

if (claims == null) {
return null;
}
authenticationData.setClaims(claims);
authenticationData.setIdToken(idToken);

Map<String, Object> attributeMappings = config.getAttributeMappings();

Expand Down Expand Up @@ -791,10 +793,11 @@ public KeyInfoService getKeyInfoService() {
return keyInfoService;
}

protected static class AuthenticationData {
public static class AuthenticationData {

private Map<String, Object> claims;
private String username;
private String idToken;
private List<? extends GrantedAuthority> authorities;
private Map<String, Object> attributeMappings;

Expand Down Expand Up @@ -830,5 +833,9 @@ public List<? extends GrantedAuthority> getAuthorities() {
public void setAuthorities(List<? extends GrantedAuthority> authorities) {
this.authorities = authorities;
}

public String getIdToken() { return this.idToken; }

public void setIdToken(String idToken) { this.idToken = idToken; }
}
}
12 changes: 10 additions & 2 deletions ...rc/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthLogoutHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,8 +42,12 @@ public ExternalOAuthLogoutHandler(final IdentityProviderProvisioning providerPro
protected String determineTargetUrl(final HttpServletRequest request, final HttpServletResponse response, final Authentication authentication) {
final AbstractExternalOAuthIdentityProviderDefinition<OIDCIdentityProviderDefinition> oauthConfig =
this.getOAuthProviderForAuthentication(authentication);
String idTokenHint = null;
final String logoutUrl = this.getLogoutUrl(oauthConfig);

if (authentication instanceof UaaAuthentication uaaAuthentication) {
idTokenHint = uaaAuthentication.getIdpIdToken();
}
if (logoutUrl == null) {
final String defaultUrl = getZoneDefaultUrl();
if (LOGGER.isWarnEnabled()) {
Expand All @@ -52,10 +56,10 @@ protected String determineTargetUrl(final HttpServletRequest request, final Http
return defaultUrl;
}

return this.constructOAuthProviderLogoutUrl(request, logoutUrl, oauthConfig);
return this.constructOAuthProviderLogoutUrl(request, logoutUrl, idTokenHint, oauthConfig);
}

public String constructOAuthProviderLogoutUrl(final HttpServletRequest request, final String logoutUrl,
public String constructOAuthProviderLogoutUrl(final HttpServletRequest request, final String logoutUrl, String idTokenHint,
final AbstractExternalOAuthIdentityProviderDefinition<OIDCIdentityProviderDefinition> oauthConfig) {
final StringBuilder oauthLogoutUriBuilder = new StringBuilder(request.getRequestURL());
if (StringUtils.hasText(request.getQueryString())) {
Expand All @@ -66,6 +70,10 @@ public String constructOAuthProviderLogoutUrl(final HttpServletRequest request,
final StringBuilder sb = new StringBuilder(logoutUrl);
sb.append("?post_logout_redirect_uri=");
sb.append(oauthLogoutUri);
if (idTokenHint != null) {
sb.append("&id_token_hint=");
sb.append(idTokenHint);
}
sb.append("&client_id=");
sb.append(oauthConfig.getRelyingPartyId());
return sb.toString();
Expand Down
8 changes: 8 additions & 0 deletions ...r/src/test/java/org/cloudfoundry/identity/uaa/authentication/SessionResetFilterTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
import org.cloudfoundry.identity.uaa.zone.IdentityZone;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;
Expand Down Expand Up @@ -206,6 +207,13 @@ public void testUserNotFound() throws Exception {
verify(session, times(1)).invalidate();
}

@Test
public void testIdTokenSetAndGet() {
Assert.assertNull(authentication.getIdpIdToken());
authentication.setIdpIdToken("token");
Assert.assertEquals("token", authentication.getIdpIdToken());
}

protected long dropMilliSeconds(long time) {
return ( time / 1000l ) * 1000l;
}
Expand Down
16 changes: 15 additions & 1 deletion ...va/org/cloudfoundry/identity/uaa/authentication/ZoneAwareWhitelistLogoutHandlerTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,12 +27,14 @@
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.cloudfoundry.identity.uaa.provider.NoSuchClientException;
import org.springframework.security.core.context.SecurityContextHolder;

import javax.servlet.ServletException;
import java.io.IOException;
import java.util.Collections;

import static org.junit.Assert.assertEquals;
import static org.mockito.Mockito.doReturn;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.when;
Expand Down Expand Up @@ -69,6 +71,7 @@ public void setUp() {
public void tearDown() {
IdentityZoneHolder.clear();
IdentityZone.getUaa().setConfig(original);
SecurityContextHolder.clearContext();
}

@Test
Expand Down Expand Up @@ -123,6 +126,17 @@ public void test_whitelist_redirect_with_wildcard() {
assertEquals("http://www.somethingelse.com", handler.determineTargetUrl(request, response));
}

@Test
public void test_id_token_hint() {
UaaAuthentication uaaAuthentication = mock(UaaAuthentication.class);
SecurityContextHolder.getContext().setAuthentication(uaaAuthentication);
doReturn("eyToken").when(uaaAuthentication).getIdpIdToken();
configuration.getLinks().getLogout().setDisableRedirectParameter(false);
when(oAuthLogoutHandler.getLogoutUrl(null)).thenReturn("");
when(oAuthLogoutHandler.constructOAuthProviderLogoutUrl(request, "", "eyToken", null)).thenReturn("http://testing.com");
assertEquals("http://testing.com", handler.determineTargetUrl(request, response));
}

@Test
public void test_client_redirect() {
configuration.getLinks().getLogout().setWhitelist(Collections.singletonList("http://somethingelse.com"));
Expand Down Expand Up @@ -156,7 +170,7 @@ public void test_external_client_redirect() {
configuration.getLinks().getLogout().setWhitelist(Collections.singletonList("http://somethingelse.com"));
configuration.getLinks().getLogout().setDisableRedirectParameter(false);
when(oAuthLogoutHandler.getLogoutUrl(null)).thenReturn("");
when(oAuthLogoutHandler.constructOAuthProviderLogoutUrl(request, "", null)).thenReturn("/login");
when(oAuthLogoutHandler.constructOAuthProviderLogoutUrl(request, "", null, null)).thenReturn("/login");
request.setParameter("redirect", "http://testing.com");
request.setParameter(CLIENT_ID, CLIENT_ID);
assertEquals("/login", handler.determineTargetUrl(request, response));
Expand Down
2 changes: 1 addition & 1 deletion ...va/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -688,7 +688,7 @@ void idToken_In_Redirect_Should_Use_it() {
xCodeToken.setIdToken(idToken);
externalOAuthAuthenticationManager.authenticate(xCodeToken);

verify(externalOAuthAuthenticationManager, times(1)).getClaimsFromToken(same(xCodeToken), any());
verify(externalOAuthAuthenticationManager, times(0)).getClaimsFromToken(same(xCodeToken), any());
verify(externalOAuthAuthenticationManager, times(1)).getClaimsFromToken(eq(idToken), any());
verify(externalOAuthAuthenticationManager, never()).getRestTemplate(any());

Expand Down
2 changes: 1 addition & 1 deletion ...est/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthLogoutHandlerTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@ void determineDefaultTargetUrl() {

@Test
void constructOAuthProviderLogoutUrl() {
oAuthLogoutHandler.constructOAuthProviderLogoutUrl(request, "", oAuthIdentityProviderDefinition);
oAuthLogoutHandler.constructOAuthProviderLogoutUrl(request, "", "", oAuthIdentityProviderDefinition);
}

@Test
Expand Down
Loading