gonzalad commented on issue #20: FEDIZ-212: fix logout when no httpSession present
URL: https://github.com/apache/cxf-fediz/pull/20#issuecomment-335427742

Hi Sergey,

The important thing about this PR is more the fact that doing a logout with a null principal (i.e. OIDC httpSession expired, user already clicked the logout button on another OIDC client app, ...) behaves in the same way (from the end user's perspective) as a logout request with a non-null principal:

- it doesn't raise an exception
- it redirects to idpLogoutUri
- and it ultimately redirects back to the post_logout_redirect_url configured for the OIDC client.

> should we move the session invalidation inside the branch with the non-null principal?

The call `mc.getHttpServletRequest().getSession().invalidate()` can be moved into the

```java
if (mc.getSecurityContext().getUserPrincipal() != null) {
```

block or be kept outside. I've just tested both ways, and it works both ways.

Thanks!

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

With regards,
Apache Git Services
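The behaviour described in the comment above, as an added illustration that is not code from the Fediz PR or project: a JAX-RS logout endpoint where a missing principal (expired session, user already logged out elsewhere) takes the same path as a normal logout. The class name `LogoutService`, the `idpLogoutUri` field and the logging are assumptions; the CXF `MessageContext` accessors are the ones quoted in the comment.

```java
import java.net.URI;
import java.security.Principal;
import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.cxf.jaxrs.ext.MessageContext;

// Hypothetical resource; not the Fediz OIDC logout service itself.
@Path("/logout")
public class LogoutService {

    private static final Logger LOG = Logger.getLogger(LogoutService.class.getName());

    @Context
    private MessageContext mc;

    // Assumed configuration value: the IdP endpoint that ends the IdP session.
    // The IdP is assumed to redirect back to the client's configured
    // post_logout_redirect_url afterwards, so this endpoint never needs it.
    private URI idpLogoutUri;

    @GET
    public Response logout() {
        Principal principal = mc.getSecurityContext().getUserPrincipal();

        // Drop the local session whether or not a principal is present.
        // getSession(false) avoids creating a fresh session only to invalidate it,
        // which is the "no httpSession present" case the PR title refers to.
        HttpSession session = mc.getHttpServletRequest().getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // The only difference between the two branches is what gets logged:
        // the redirect below is identical, so the end user sees the same flow.
        if (principal != null) {
            LOG.info("Logging out user " + principal.getName());
        } else {
            LOG.info("Logout with no principal (session expired or already logged out); continuing");
        }

        // No exception in either case: hand the browser to the IdP logout.
        return Response.seeOther(idpLogoutUri).build();
    }
}
```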