Hello everybody.
I have better understood the reason for that behavior. It's not true that
the Oidc logout flow doesn't come into play. It builds a redirection for the
client to go to the external Identity Provider logout url.
But if "cas.logout.redirectUrl" is defined, that also works as a
redirection built for the client. In that case, the Oidc logout redirection
gets overridden by the latter.
If I leave that general logout configuration undefined, the Oidc logout
redirection works. But the outcome is to have no redirection at all after
logout, and this seems quite bad.
In my opinion, instead of "overriding", the Oidc logout flow should be
"merged" with that "cas.logout.redirectUrl" by building a redirection
request for the external provider that adds a "redirect_uri" query parameter
to the Oidc request: so after logout from the external provider, the client
gets redirected again to the final logout destination. But at the moment
this does not seem to be considered by the current implementation of the
"cas-server-support-pac4j-authentication" and "pac4j-oidc" libraries.
I hope this hint can help anyone with the same issue. I don't know if I can
suggest a feature request.
Thank you very much.
Vincenzo Colonnella
On Thursday, 18 February 2021 at 18:20:51 UTC+1 Vincenzo Colonnella
wrote:
>
> Hello everybody.
>
> I am running CAS 6.3.2 and set up Delegated Authentication towards an
> external OpenID Connect service based upon Keycloak.
> Authentication works fine, I get back a Principal with ID taken from the
> "preferred_username" field.
>
> But when the application logs out from CAS, the session against the external
> provider stays alive and further authentication attempts go through without
> credential submission.
> It seems that the Pac4J OidcLogoutActionBuilder does not come into play
> even though it should; I am having a hard time telling why.
> When KeycloakOidcClient is created, OidcLogoutActionBuilder seems to be
> built and logoutUrl is correct (but I had to explicitly set it in
> configuration, otherwise it was null).
>
> I cannot understand why the authentication flow misses that logout step, I
> believe CAS server should send a request to that logoutUrl when client
> ticket is destroyed.
>
> Dependencies in build.gradle:
> compile "org.apereo.cas:cas-server-support-jdbc-drivers:${casServerVersion}"
> compile "org.apereo.cas:cas-server-support-jpa-ticket-registry:${casServerVersion}"
> compile "org.apereo.cas:cas-server-support-jpa-service-registry:${casServerVersion}"
> compile "org.apereo.cas:cas-server-support-jdbc:${casServerVersion}"
> compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
> compile "org.apereo.cas:cas-server-support-pac4j-webflow:${casServerVersion}"
> compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
> compile "org.apereo.cas:cas-server-support-rest:${casServerVersion}"
> compile "org.apereo.cas:cas-server-support-reports:${casServerVersion}"
> compile "org.apereo.cas:cas-server-support-openid:${casServerVersion}"
> compile "org.apereo.cas:cas-server-core-authentication-api:${casServerVersion}"
> compile "org.apereo.cas:cas-server-core-api-configuration-model:${casServerVersion}"
>
> CAS Configuration: cas.properties (attached)
>
> Service json: general-1001.json (attached)
>
> Sample log: sample.log (attached)
>
> Thank you very much.
> Vincenzo Colonnella
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
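Editor's note: the following is an added illustration of the "override" versus "merge" behaviour discussed in the thread; it is not CAS, pac4j or Keycloak code. It uses the OIDC RP-Initiated Logout parameter name post_logout_redirect_uri (the post calls it "redirect_uri"), and every URL, token and registered-URI value in it is constructed.

```python
# Added example (not CAS/pac4j code): the two ways a logout redirect can be
# built when both a delegated-OIDC logout URL and cas.logout.redirectUrl exist.
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values standing in for the thread's configuration.
IDP_END_SESSION_URL = "https://keycloak.example.org/realms/demo/protocol/openid-connect/logout"
CAS_LOGOUT_REDIRECT_URL = "https://portal.example.org/logged-out"   # cas.logout.redirectUrl
REGISTERED_POST_LOGOUT_URIS: Set[str] = {"https://portal.example.org/logged-out"}  # at the IdP


def current_behaviour(idp_logout_url: str, cas_redirect_url: Optional[str]) -> str:
    """Behaviour the post describes today: a configured cas.logout.redirectUrl
    replaces the OIDC logout redirect, so the IdP session is never ended."""
    return cas_redirect_url if cas_redirect_url else idp_logout_url


def merged_logout_redirect(idp_end_session_url: str, final_destination: str,
                           registered: Set[str], id_token: Optional[str] = None) -> str:
    """Proposed merge: send the browser to the IdP end-session endpoint and ask
    the IdP to return to the CAS-configured destination afterwards.
    The IdP only honours post_logout_redirect_uri values registered for the
    client; refusing unregistered ones here too keeps the logout flow from
    becoming an open redirect."""
    if final_destination not in registered:
        raise ValueError("post-logout destination is not registered at the IdP")
    params = {"post_logout_redirect_uri": final_destination}
    if id_token:
        params["id_token_hint"] = id_token  # lets the IdP match the logout to its session
    return f"{idp_end_session_url}?{urlencode(params)}"


def redirect_targets_idp(url: str, idp_end_session_url: str) -> bool:
    """True when a logout redirect actually reaches the IdP end-session endpoint."""
    return url.split("?", 1)[0] == idp_end_session_url


def logout_query(url: str) -> Dict[str, str]:
    """Single-valued view of the query parameters on a logout redirect."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    print("override:", current_behaviour(IDP_END_SESSION_URL, CAS_LOGOUT_REDIRECT_URL))
    print("merged:  ", merged_logout_redirect(IDP_END_SESSION_URL, CAS_LOGOUT_REDIRECT_URL,
                                               REGISTERED_POST_LOGOUT_URIS, "tok.constructed"))
```

The first call reproduces the symptom in the thread (the browser never reaches the IdP, so its session survives); the second ends the IdP session and still lands on the configured destination.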