
/backchannel_logout completes successfully but does not exit synapse #16852

Open
kvalmnois opened this issue Jan 24, 2024 · 2 comments

Comments

@kvalmnois

kvalmnois commented Jan 24, 2024

Description
I am trying to configure single sign-out using Keycloak via /backchannel_logout. When the request is passed to Synapse, I get a response of 200 (200 "POST /_synapse/client/oidc/backchannel_logout HTTP/1.1" "Apache-HttpClient/4.5.14 (Java/17.0.8)"),
but I can still make requests for /whoami and stuff.

Steps to reproduce
/synapse/client/oidc/backchannel_logout

Homeserver

Synapse Version
1.91

Installation Method
docker

Database
psql

Workers
Single process

Platform
linux

Configuration
oidc_providers:
  - idp_id: keycloak
    idp_name: "Keycloak"
    issuer: "https://test:8443/auth/realms/TEST"
    client_id: "test-app"
    client_secret: "client_secret"
    scopes: ["openid", "profile"]
    user_mapping_provider:
      config:
        localpart_template: "{{ user.preferred_username }}"
        display_name_template: "{{ user.name }}"
    backchannel_logout_enabled: true
    backchannel_logout_session_supported: true

Relevant log output

2024-01-24 17:17:48,242 - synapse.access.http.8008 - 420 - DEBUG - POST-4623 - 172.35.0.21 - 8008 - Received request: POST /_synapse/client/oidc/backchannel_logout
2024-01-24 17:17:48,242 - synapse.handlers.oidc - 845 - DEBUG - POST-4623 - Attempting to decode JWT (LogoutToken) 'token'
2024-01-24 17:17:48,243 - synapse.handlers.oidc - 869 - DEBUG - POST-4623 - Decoded JWT (LogoutToken) {'iat': 1706116668, 'jti': '541f3bf9-a7e8-4ef8-9469-a7407936e9ed', 'iss': 'https://test:8443/auth/realms/TEST', 'aud': 'test-app', 'sub': '7c35f38b-b84f-4569-af65-e5cd290e538d', 'typ': 'Logout', 'sid': '830ed376-5509-4e81-933f-13aef266d237', 'events': {'http://schemas.openid.net/event/backchannel-logout': {}, 'revoke_offline_access': True}}; validating
2024-01-24 17:17:48,244 - synapse.storage.txn - 738 - DEBUG - POST-4623 - [TXN START] {get_user_by_external_id-6a25}
2024-01-24 17:17:48,245 - synapse.storage.txn - 842 - DEBUG - POST-4623 - [TXN END] {get_user_by_external_id-6a25} 0.001171 sec
2024-01-24 17:17:48,246 - synapse.storage.txn - 738 - DEBUG - POST-4623 - [TXN START] {invalidate_login_tokens_by_session_id-6a26}
2024-01-24 17:17:48,247 - synapse.storage.txn - 842 - DEBUG - POST-4623 - [TXN END] {invalidate_login_tokens_by_session_id-6a26} 0.001186 sec
2024-01-24 17:17:48,248 - synapse.storage.txn - 738 - DEBUG - POST-4623 - [TXN START] {get_devices_by_auth_provider_session_id-6a27}
2024-01-24 17:17:48,249 - synapse.storage.txn - 842 - DEBUG - POST-4623 - [TXN END] {get_devices_by_auth_provider_session_id-6a27} 0.000867 sec
2024-01-24 17:17:48,249 - synapse.access.http.8008 - 465 - INFO - POST-4623 - 172.35.0.21 - 8008 - {None} Processed request: 0.007sec/-0.000sec (0.003sec, 0.001sec) (0.001sec/0.003sec/3) 0B 200 "POST /_synapse/client/oidc/backchannel_logout HTTP/1.1" "Apache-HttpClient/4.5.14 (Java/17.0.8)" [0 dbevts]

token params:
{ "iat": 1706116668, "jti": "541f3bf9-a7e8-4ef8-9469-a7407936e9ed", "iss": "https://test:8443/auth/realms/TEST", "aud": "test-app", "sub": "7c35f38b-b84f-4569-af65-e5cd290e538d", "typ": "Logout", "sid": "830ed376-5509-4e81-933f-13aef266d237", "events": { "http://schemas.openid.net/event/backchannel-logout": {}, "revoke_offline_access": true } }

Anything else that would be useful to know?

@reivilibre
Contributor

From the log it indeed looks like nothing is being revoked; I'd expect to see log lines saying

  • 'Revoking mapping session'; and/or
  • 'Logging out %r (device %r) via SSO (%r) logout notification (session %r).'

This seems to indicate that there is no device with the provided session ID that is being logged out.

This query in the database should confirm that:

SELECT * FROM device_auth_providers WHERE auth_provider_session_id = '830ed376-5509-4e81-933f-13aef266d237';

If not, what does it say?
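
An added example, not code from Synapse or from anyone in this thread: it walks through the two steps the log above shows, claim validation of the decoded logout token (following OpenID Connect Back-Channel Logout 1.0, section 2.6) and a lookup of the token's sid against the device/SSO-session bindings, using the claims quoted in the issue and a constructed binding table, and reports why a token that validates can still revoke nothing. The DeviceSession column names, the sample rows and the diagnose helper are assumptions for illustration; the JWT signature is assumed to have been verified already, as Synapse does before "validating".

```python
"""Added example (not Synapse's own code): validate the claims of a decoded
OIDC back-channel logout token and find the devices its sid would log out."""
from dataclasses import dataclass
from typing import Dict, List

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


@dataclass(frozen=True)
class DeviceSession:
    """One device <-> SSO session binding. Column names are an assumption,
    modelled on the device_auth_providers query quoted in the comment above."""
    user_id: str
    device_id: str
    auth_provider_id: str
    auth_provider_session_id: str


# Constructed sample table: neither sid below matches the token from the issue.
DEVICE_AUTH_PROVIDERS: List[DeviceSession] = [
    DeviceSession("@alice:example.org", "DEVICEAAA", "keycloak",
                  "11111111-2222-3333-4444-555555555555"),
    DeviceSession("@bob:example.org", "DEVICEBBB", "keycloak",
                  "66666666-7777-8888-9999-000000000000"),
]

# Claims exactly as decoded in the issue's log output.
ISSUE_TOKEN: Dict[str, object] = {
    "iat": 1706116668,
    "jti": "541f3bf9-a7e8-4ef8-9469-a7407936e9ed",
    "iss": "https://test:8443/auth/realms/TEST",
    "aud": "test-app",
    "sub": "7c35f38b-b84f-4569-af65-e5cd290e538d",
    "typ": "Logout",
    "sid": "830ed376-5509-4e81-933f-13aef266d237",
    "events": {BACKCHANNEL_LOGOUT_EVENT: {}, "revoke_offline_access": True},
}


def validate_logout_token(claims: Dict[str, object], issuer: str, client_id: str,
                          now: int, max_skew: int = 300) -> List[str]:
    """Return the list of claim problems; an empty list means the token is acceptable.

    Checks per Back-Channel Logout 1.0 section 2.6: iss and aud must match the
    configured provider, iat must be recent, jti must be present, events must
    carry the back-channel-logout member, at least one of sub/sid must be
    present, and nonce must be absent.
    """
    problems: List[str] = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != configured issuer {issuer!r}")
    aud = claims.get("aud")  # a single string or a list of audiences
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in audiences:
        problems.append(f"aud {aud!r} does not include client_id {client_id!r}")
    iat = claims.get("iat")
    if not isinstance(iat, int):
        problems.append("iat missing or not an integer")
    elif abs(now - iat) > max_skew:
        problems.append(f"iat {iat} is more than {max_skew}s away from now ({now})")
    if not claims.get("jti"):
        problems.append("jti missing")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        problems.append("events claim lacks the back-channel-logout member")
    if not claims.get("sub") and not claims.get("sid"):
        problems.append("neither sub nor sid present")
    if "nonce" in claims:
        problems.append("nonce must not be present in a logout token")
    return problems


def devices_for_logout(claims: Dict[str, object], idp_id: str,
                       table: List[DeviceSession]) -> List[DeviceSession]:
    """Devices whose stored SSO session id equals the token's sid for this IdP."""
    sid = claims.get("sid")
    return [d for d in table
            if d.auth_provider_id == idp_id and d.auth_provider_session_id == sid]


def diagnose(claims: Dict[str, object], issuer: str, client_id: str, idp_id: str,
             table: List[DeviceSession], now: int) -> str:
    """One-line verdict an operator can compare against the Synapse log."""
    problems = validate_logout_token(claims, issuer, client_id, now)
    if problems:
        return "token rejected: " + "; ".join(problems)
    devices = devices_for_logout(claims, idp_id, table)
    if not devices:
        return (f"token valid but no device is bound to sid {claims.get('sid')!r} "
                f"for idp {idp_id!r}: nothing to revoke (request still returns 200)")
    return "would log out " + ", ".join(f"{d.user_id}/{d.device_id}" for d in devices)


if __name__ == "__main__":
    print(diagnose(ISSUE_TOKEN, "https://test:8443/auth/realms/TEST", "test-app",
                   "keycloak", DEVICE_AUTH_PROVIDERS, now=1706116670))
```

Run against the issue's own claims, the token passes every claim check and the sid lookup returns nothing, which is exactly the pattern in the log: a 200 with no "Logging out ..." line. The binding only exists when the device was created through a login to that IdP with the session id recorded, so a sid that never made it into the table is the first thing to look for.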

@col-panic

Can confirm with v1.114.0 - I see the following request

synapse-1  | 2024-09-18T09:01:34.971629845Z 2024-09-18 09:01:34,971 - synapse.access.http.8008 - 473 - INFO - POST-276 - 192.168.65.1 - 8008 - {None} Processed request: 0.008sec/-0.000sec (0.002sec, 0.000sec) (0.000sec/0.004sec/3) 0B 200 "POST /_synapse/client/oidc/backchannel_logout HTTP/1.1" "Apache-HttpClient/4.5.14 (Java/21.0.4)" [0 dbevts]

but the corresponding element session in the adjacent browser tab is still running!
