
Logout Test - RP Initiated should validate id_token_hint is present


Issue

The conformance suite is testing a case where the id_token_hint param is not included in the request to the end_session endpoint.

Current implementation

Logout is processed and after that the user agent is redirected to the url in post_logout_redirect_uri.

Expected result

According to the documentation we have to validate the id_token_hint param for security considerations and stop the process if it is not present. Another platform shows an invalid_request error message when this one is not sent.

Test log:

https://op.certification.openid.net:62152/test_info/OP-RpInitLogout-No-id_token_hint

End session url:

https://jenkins-ldap.gluu.org/oxauth/restv1/end_session?post_logout_redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A62152%2Flogout&state=D7ajugCIxZBKWr3Re3QLSF2BLconFw7s
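The security point behind the expected result: id_token_hint is the only thing in an end_session request that ties it to a specific RP and a specific OP session. Without it the OP cannot know whose registered post_logout_redirect_uri list to check, so following the parameter blindly turns the logout endpoint into an open redirect and lets any site craft a link that signs users out. The following is an added example, not oxAuth's code; it sketches the checks an end_session handler should make before ending the session and redirecting. Everything in it is constructed: the issuer, the HS256 signing key standing in for the OP's real signer, the registered client, and the FORCE_ID_TOKEN_HINT_PRESENCE flag that mirrors the configuration property mentioned in the thread.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed for this example: the OP's issuer and an HS256 signing key that
# stands in for the OP's real (normally asymmetric) ID token signer.
OP_ISSUER = "https://op.example.org"
OP_SIGNING_KEY = b"op-signing-key-for-example-only"
# Constructed client registration: exact-match allow-list of logout redirects.
REGISTERED_CLIENTS = {
    "client-abc": {"post_logout_redirect_uris": ["https://rp.example.org/logout"]},
}
# Assumed switch mirroring the configuration property discussed in the thread:
# when True, a request without id_token_hint is rejected outright.
FORCE_ID_TOKEN_HINT_PRESENCE = True


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(claims: dict) -> str:
    """Mint an HS256 ID token; only used to build test input for the handler."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(OP_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str):
    """Return the claims if signature and issuer check out, else None.
    Expiry is deliberately not enforced: the RP-Initiated Logout spec lets the
    OP accept an expired hint, since a stale token still identifies the session."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse alg=none or anything other than what the OP issues
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(OP_SIGNING_KEY, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers malformed base64, JSON and a bad split
        return None
    if not isinstance(claims, dict) or claims.get("iss") != OP_ISSUER:
        return None
    return claims


def _invalid(description: str) -> dict:
    return {"error": "invalid_request", "error_description": description}


def handle_end_session(params: dict, sessions: dict) -> dict:
    """Validate an end_session request, end the named session, and decide where
    the user agent may go next. sessions maps sid -> session record and is
    mutated on success. Returns {"error": ...}, {"redirect": ...} or {"prompt": ...}."""
    hint = params.get("id_token_hint")
    if not hint:
        if FORCE_ID_TOKEN_HINT_PRESENCE:
            return _invalid("id_token_hint is required")
        # Without a hint the request cannot be tied to an RP, so the OP must
        # not honour post_logout_redirect_uri; at most it asks the user in-browser.
        return {"prompt": "confirm_logout"}

    claims = verify_id_token(hint)
    if claims is None:
        return _invalid("id_token_hint is not an ID token issued by this OP")

    audiences = claims.get("aud")
    audiences = [audiences] if isinstance(audiences, str) else list(audiences or [])
    if not audiences:
        return _invalid("id_token_hint carries no audience")
    client_id = params.get("client_id")
    if client_id and client_id not in audiences:
        # Spec: when both are present, client_id MUST match the token's client.
        return _invalid("client_id does not match id_token_hint audience")
    client = REGISTERED_CLIENTS.get(client_id or audiences[0])
    if client is None:
        return _invalid("unknown client")

    redirect_uri = params.get("post_logout_redirect_uri")
    if redirect_uri and redirect_uri not in client["post_logout_redirect_uris"]:
        # Exact string match against the registration; no prefix or host matching.
        return _invalid("post_logout_redirect_uri is not registered for this client")

    sessions.pop(claims.get("sid"), None)  # the actual logout

    if not redirect_uri:
        return {"prompt": "logged_out"}
    query = urlencode({"state": params["state"]}) if "state" in params else ""
    return {"redirect": redirect_uri + ("?" + query if query else "")}
```

Ordering matters: the hint is checked before anything else so that the redirect allow-list is looked up for the client the OP itself issued the token to, never for a client_id the caller chose. The state value is echoed back only on the validated redirect, and a request that fails any check ends nowhere near post_logout_redirect_uri.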

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 5 (5 by maintainers)

Top GitHub Comments

1 reaction
yuriyz commented, Mar 5, 2020

I see, introduced new configuration property forceIdTokenHintPrecense. So you can test it with fapiCompatibility=false && forceIdTokenHintPrecense=true.

0 reactions
miltonbo commented, Mar 4, 2020

@yuriyz We have an issue with oxAuth very similar to the oxTrust one. Now that I’m using the ce-ob.gluu.org environment to pass the logout tests, the conformance suite is sending wrong parameters: it doesn’t include the request param, but we have fapiCompatibility activated and an invalid_request error is returned.

Authorization url created by the conformance suite

https://ce-ob.gluu.org/oxauth/restv1/authorize?state=IqjEjyC98q8uWVct&nonce=5yVJBCdutXOC72yD&response_type=id_token+token&scope=openid+offline_access&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A62175%2Fauthz_cb&prompt=consent&client_id=1d88aae1-e5a5-40ec-a077-a4c7ed438430

