Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Redirection to the post-logout callback URI sometimes beats asynchronous back-channel logout for that RP #3186

Closed
4 of 6 tasks
mig5 opened this issue Jul 13, 2022 · 2 comments
Labels
feat New feature or request. stale Feedback from one or more authors is required to proceed.

Comments

@mig5
Copy link
Contributor

mig5 commented Jul 13, 2022

Preflight checklist

Describe your problem

My OAuth2.0 client is configured with the post-logout callback URI to be the front page of the RP, and with back-channel logout.

When a user clicks logout on this RP, it initiates the logout flows with Hydra.

Sometimes,since the back-channel logout flows became asynchronous in #2849 , we have observed rare scenarios whereby Hydra redirects the user's browser back to the post-logout callback URI faster than it performed back-channel logout on that same RP.

The effect is that the user sometimes ends up back on the front page of the RP but it still looks like they are logged in. Maybe a half second later, we see the back-channel logout flow work and end the session in the backend, but the user doesn't know this. They usually click Logout a second time and they think that it worked the second time (but in fact, their session was ended already before they clicked the second time)

Describe your ideal solution

It would be ideal if somehow the back-channel logout occurred before the redirect did. But I guess that's the old behaviour when it was synchronous.

Is there a way you can make it so that the redirect only happens after the same RP that initiated the logout has had its back-channel logout flow complete? A sort of half-way between synchronous and asynchronous (the other RPs of course can have the backchannel logout occur asynchronously)

Workarounds or alternatives

An alternative is to always 'end the session early' in the RP before it initiates the OP logout flows, but after it has obtained the id_token from the session to send to the OP as part of that request.

It would then be perhaps good to mention in the documentation that it is a good idea to 'always end the session early, in the RP that is initiating the logout flows. Even though this means back-channel logout for this same RP won't really do anything (you have already ended the user's session), it ensures that if your post-logout redirect URI is to this same RP, it won't look (to the user) like they are still logged in (if your RP makes it look that way), should their browser be redirected to that URI before the asynchronous back-channel logout had a chance to complete for this RP.'

Version

1.11.8

Additional Context

No response

@mig5 mig5 added the feat New feature or request. label Jul 13, 2022
@aeneasr
Copy link
Member

aeneasr commented Dec 6, 2022

Sorry for the late reply, this is a fair point. We shold document this behavior:

An alternative is to always 'end the session early' in the RP before it initiates the OP logout flows, but after it has obtained the id_token from the session to send to the OP as part of that request.

Copy link

github-actions bot commented Dec 7, 2023

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

  • open a PR referencing and resolving the issue;
  • leave a comment on it and discuss ideas on how you could contribute towards resolving it;
  • leave a comment and describe in detail why this issue is critical for your use case;
  • open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️

@github-actions github-actions bot added the stale Feedback from one or more authors is required to proceed. label Dec 7, 2023
@github-actions github-actions bot closed this as completed Jan 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feat New feature or request. stale Feedback from one or more authors is required to proceed.
Projects
None yet
Development

No branches or pull requests

2 participants