Auth0 Logout not working properly when using a custom domain at auth0 #22020

Closed
OmarHawk opened this issue May 5, 2023 · 6 comments · Fixed by #24430
Assignees: atomfrede
Labels: $$ bug-bounty $$ (https://www.jhipster.tech/bug-bounties/), theme: OIDC/OAuth2, $200 (https://www.jhipster.tech/bug-bounties/)
Milestone: 8.1.0

Comments

@OmarHawk
Contributor

OmarHawk commented May 5, 2023

Overview of the issue

Hi,

In our setup we are using auth0 as identity provider, where auth0 has a custom host name configured. The default LogoutResource detects auth0 by checking the issuerUri, see here in the imperative sample:

if (issuerUri.contains("auth0.com")) {
    logoutUrl.append(issuerUri.endsWith("/") ? issuerUri + "v2/logout" : issuerUri + "/v2/logout");
} else {
    logoutUrl.append(this.registration.getProviderDetails().getConfigurationMetadata().get("end_session_endpoint").toString());
}

Since we have a custom host name (enterprise...) in which auth0.com is not mentioned at all, we fall into the else branch, which calls this.registration.getProviderDetails().getConfigurationMetadata().get("end_session_endpoint").toString().

Since auth0 is seemingly not publishing this as part of the /.well-known/openid-configuration endpoint, the .toString() produces a NullPointerException... in any case auth0 seems to require some special handling when it comes to Logouts, so we would probably require a different detection mechanism for auth0...

2023-05-05 17:17:30.148 ERROR   [XNIO-1 task-1] o.z.p.s.c.AdviceTraits - Internal Server Error
java.lang.NullPointerException: Cannot invoke "Object.toString()" because the return value of "java.util.Map.get(Object)" is null
	at de.mt.dataview.web.rest.LogoutResource.logout(LogoutResource.java:41)
	at de.mt.dataview.web.rest.LogoutResource$$FastClassBySpringCGLIB$$c64cca3a.invoke(<generated>)
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)

Motivation for or Use Case

Auth0 detection not working in any case.

Reproduce the error

See above

Suggest a Fix

Maybe allow defining auth0 as IdP in a config when it is not possible to detect it implicitly... any ideas for other detection mechanisms welcome :-)

JHipster Version(s)

7.9.3

@mraible
Contributor

mraible commented May 5, 2023

If you contact Auth0 support, you can get the end_session_endpoint turned on. Or just remove the conditional so it always uses Auth0.

@OmarHawk
Contributor Author

OmarHawk commented May 9, 2023

Well, ideally, it would not be needed to remove any generated code to avoid issues when there are new versions. end_session_endpoint, well, that is just one part of the solution, as it seems to require special parameters appended to the URL (client_id / returnTo). Latest for these two, I'd have to detect auth0 (or get rid of the conditionals, which is not the desired option ;-)). Ideally, it would be possible to detect auth0 in a different way than hostname...

@mraible
Contributor

mraible commented May 9, 2023

@OmarHawk I agree we should have a better solution. I'll add a bug bounty and try to look into this before the end of the month.

@mraible mraible added labels $$ bug-bounty $$ (https://www.jhipster.tech/bug-bounties/), $200 (https://www.jhipster.tech/bug-bounties/), theme: OIDC/OAuth2 and removed labels area: triage, theme: undefined May 9, 2023
@atomfrede
Member

@OmarHawk Would it be okay to configure the auth0 domains in jhipster? This list would by default contain only auth0, such that the generated code needs to check if the issuer is one of the configured auth0 issuers. If so I can do a PR.

@OmarHawk
Contributor Author

I think so. In the end it is about reducing the amount of changes to generated code :D

@atomfrede
Member

I will take care of it (except @mraible you have another idea). It is similar to what we have for the csp policies, which are configurable via spring properties.

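An added example (not JHipster's generated LogoutResource and not atomfrede's PR) of the approach discussed in this thread and in the original report: Auth0 is detected via a configurable list of issuer URIs (assumed to be bound from a Spring property whose name is left open here; the default list holds a constructed public-domain tenant), and a missing end_session_endpoint on the standard branch yields a clear error instead of the NullPointerException shown above. The Auth0 query parameters are the client_id / returnTo pair named in the thread; the other branch uses the standard OIDC RP-initiated logout parameters.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;

// Added example, not JHipster's generated code. auth0Issuers is assumed to be populated
// from a Spring property (name hypothetical) and defaults to the public auth0.com domain.
public final class LogoutUrlBuilder {

    private final List<String> auth0Issuers;

    public LogoutUrlBuilder(List<String> auth0Issuers) {
        this.auth0Issuers = auth0Issuers.stream().map(LogoutUrlBuilder::trimSlash).toList();
    }

    /** Detection by the configured issuer list instead of by "auth0.com" in the host name. */
    public boolean isAuth0(String issuerUri) {
        return auth0Issuers.contains(trimSlash(issuerUri));
    }

    /** metadata is the parsed /.well-known/openid-configuration; returnTo is the already validated origin. */
    public String logoutUrl(String issuerUri, Map<String, Object> metadata,
                            String clientId, String idToken, String returnTo) {
        if (isAuth0(issuerUri)) {
            // Auth0 publishes no end_session_endpoint; its /v2/logout takes client_id and returnTo.
            return trimSlash(issuerUri) + "/v2/logout?client_id=" + enc(clientId) + "&returnTo=" + enc(returnTo);
        }
        Object endSession = metadata.get("end_session_endpoint");
        if (endSession == null) {
            // The generated code called .toString() on this null and threw NullPointerException.
            throw new IllegalStateException(issuerUri + " publishes no end_session_endpoint; "
                + "add it to the Auth0 issuer list or enable RP-initiated logout at the IdP");
        }
        // Standard OIDC RP-initiated logout parameters.
        return endSession + "?id_token_hint=" + enc(idToken) + "&post_logout_redirect_uri=" + enc(returnTo);
    }

    private static String trimSlash(String uri) {
        return uri.endsWith("/") ? uri.substring(0, uri.length() - 1) : uri;
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample values: a custom Auth0 domain listed explicitly next to the default tenant.
        LogoutUrlBuilder b = new LogoutUrlBuilder(List.of("https://login.example-corp.com/", "https://example-tenant.auth0.com"));
        System.out.println(b.logoutUrl("https://login.example-corp.com", Map.of(), "client-id", "id-token", "http://localhost:8080"));
        System.out.println(b.logoutUrl("http://localhost:9080/realms/jhipster",
            Map.of("end_session_endpoint", "http://localhost:9080/realms/jhipster/protocol/openid-connect/logout"),
            "client-id", "id-token", "http://localhost:8080"));
    }
}
```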
@atomfrede atomfrede self-assigned this Nov 29, 2023
atomfrede added a commit to atomfrede/jhipster-bom that referenced this issue Nov 30, 2023
atomfrede added a commit to atomfrede/generator-jhipster that referenced this issue Nov 30, 2023
atomfrede added a commit to atomfrede/generator-jhipster that referenced this issue Dec 1, 2023
@deepu105 deepu105 added this to the 8.1.0 milestone Dec 11, 2023