oidcAuthorizationCode AuthConfig redirects to afterLogoutUrl instead of issuerUrl when access-token and refresh-token in Redis cache have expired #9574

Open
@DuncanDoyle

Description

Gloo Edge Product

Enterprise

Gloo Edge Version

1.16.9

Kubernetes Version

1.27.8

Describe the bug

Given an application that is protected with an oidcAuthorizationCode AuthConfig, in the following scenario the browser is redirected to the afterLogoutUrl instead of the issuerUrl:

  1. Access the application. Gloo sends a redirect to the IdP (Keycloak in my case).
  2. Log in to Keycloak. The OAuth/OIDC "dance" is initiated (access-code exchange for access-token and refresh-token).
  3. A new session is created in Redis with the access-token and refresh-token.
  4. User is granted access to the application and the Redis session cookie is returned.
  5. Remove the session from Keycloak, simulating a session timeout, which basically means that the refresh-token can no longer be used to retrieve a new access-token.
  6. Wait until the access-token expires.
  7. Hit the application again, and observe that the user is redirected to the afterLogoutUrl instead of the IdP (Keycloak) login screen.

Note that in the case that you don't use afterLogoutUrl, the browser is redirected to the appUrl, and in my case, that URL is also protected with the oidcAuthorizationCode flow, so there is an immediate redirect to the IdP login screen.

Note that there is a difference in behaviour between the case where Redis still has the session with the expired tokens, and the case where there is no Redis session at all anymore. When the session is still in Redis, we see the behaviour as described above. When the session is no longer in Redis, for example because we've set the maxAge of the session cookie (which sets a TTL on the session entry in Redis), the user is redirected to the issuerUrl and NOT to the afterLogoutUrl.

IMO, in the situation described here, where the user does NOT take the explicit action to logout (i.e. call the logoutPath), the user should be redirected to the issuerUrl and not the afterLogoutUrl.

Expected Behavior

The user/browser should be redirected to issuerUrl instead of afterLogoutUrl or appUrl if the tokens in the existing session in Redis have expired. The reasoning is that the user has not initiated an explicit logout action (i.e. calling logoutPath endpoint) and should therefore not be redirected to the afterLogoutUrl or appUrl.

Steps to reproduce the bug

Reproducer project here: https://github.com/DuncanDoyle/ge-9574-oidc-afterlogouturl

Related Issues

This behaviour seems to have been introduced as a fix to this issue: solo-io#4927
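To pin down the three cases the report distinguishes (no Redis session, a Redis session whose tokens are dead, and an explicit call to logoutPath), here is an added decision model written for this page; it is not Gloo's code, and the Session/AuthConfig types and the Redirect function are constructed assumptions, not the extauth server's real API.

```go
package main

import (
	"fmt"
	"time"
)

// Session models what extauth keeps in Redis for one cookie (constructed; not Gloo's real schema).
type Session struct {
	AccessTokenExpiry time.Time
	RefreshTokenValid bool // false once the IdP session is gone, so a refresh would fail
}

// AuthConfig carries the three URLs the issue talks about.
type AuthConfig struct{ IssuerURL, AppURL, AfterLogoutURL string }

// afterLogout is the only place afterLogoutUrl (or appUrl as its fallback) belongs.
func afterLogout(cfg AuthConfig) string {
	if cfg.AfterLogoutURL != "" {
		return cfg.AfterLogoutURL
	}
	return cfg.AppURL
}

// Redirect returns the URL the browser is sent to, or "" when the request may pass.
// explicitLogout is true only for a request to logoutPath. observed=true reproduces the
// 1.16.9 behaviour from the report; observed=false is the behaviour the report expects.
func Redirect(cfg AuthConfig, sess *Session, explicitLogout bool, now time.Time, observed bool) string {
	if explicitLogout {
		return afterLogout(cfg)
	}
	if sess == nil { // cookie maxAge / Redis TTL elapsed: no session entry at all
		return cfg.IssuerURL
	}
	if now.Before(sess.AccessTokenExpiry) || sess.RefreshTokenValid {
		return "" // access token still valid, or the refresh token would still work
	}
	if observed { // session present, both tokens dead, no logout: wrongly treated as a logout
		return afterLogout(cfg)
	}
	return cfg.IssuerURL // expected: back to the IdP login screen
}

func main() {
	cfg := AuthConfig{IssuerURL: "https://idp.example/auth", AppURL: "https://app.example/", AfterLogoutURL: "https://app.example/bye"}
	dead := &Session{AccessTokenExpiry: time.Now().Add(-time.Minute)} // steps 5-6 of the report
	fmt.Println("observed:", Redirect(cfg, dead, false, time.Now(), true))
	fmt.Println("expected:", Redirect(cfg, dead, false, time.Now(), false))
}
```

The same table of cases can serve as a regression check: only the explicit-logout row should ever yield afterLogoutUrl or appUrl.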

Labels: Area: Gloo Gateway, Area: extauth, Type: Bug, stale