Missing logout with OpenID Connect delegation


Vincenzo Colonnella

Feb 18, 2021, 12:20:51 PM
to CAS Community

Hello everybody.

I am running CAS 6.3.2 and set up Delegated Authentication towards an external OpenID Connect service based upon Keycloak.
Authentication works fine, I get back a Principal with ID taken from the "preferred_username" field.

But when the application logs out from CAS, the session with the external provider stays alive, and further authentication attempts go through without any credential submission.
It seems that the Pac4J OidcLogoutActionBuilder does not come into play even though it should, and I am having a hard time telling why.
When the KeycloakOidcClient is created, the OidcLogoutActionBuilder seems to be built and its logoutUrl is correct (but I had to set it explicitly in the configuration, otherwise it was null).

I cannot understand why the authentication flow skips that logout step; I believe the CAS server should send a request to that logoutUrl when the client's ticket is destroyed.

Dependencies in build.gradle:
    compile "org.apereo.cas:cas-server-support-jdbc-drivers:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-jpa-ticket-registry:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-jpa-service-registry:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-jdbc:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-pac4j-webflow:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-saml:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-rest:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-reports:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-openid:${casServerVersion}"
    compile "org.apereo.cas:cas-server-core-authentication-api:${casServerVersion}"
    compile "org.apereo.cas:cas-server-core-api-configuration-model:${casServerVersion}"

CAS Configuration: cas.properties (attached)

Service json: general-1001.json (attached)

Sample log: sample.log (attached)

Thank you very much.
Vincenzo Colonnella


Vincenzo Colonnella

Feb 25, 2021, 4:28:42 AM
to CAS Community
Hello everybody.

I now understand the reason for that behavior better. It is not true that the OIDC logout flow doesn't come into play: it builds a redirection for the client to go to the external identity provider's logout URL.
But if "cas.logout.redirectUrl" is defined, that also works as a redirection built for the client. In that case, the OIDC logout redirection gets overridden by the latter.
If I leave that general logout configuration undefined, the OIDC logout redirection works. But the outcome is to have no redirection at all after logout, and this seems quite bad.

In my opinion, instead of "overriding", the OIDC logout flow should be "merged" with that "cas.logout.redirectUrl" by building a redirection request to the external provider that adds a "redirect_uri" query parameter to the OIDC request, so that after logout from the external provider the client gets redirected again to the final logout destination. But at the moment this does not seem to be considered by the current implementation of the "cas-server-support-pac4j-authentication" and "pac4j-oidc" libraries.

I hope this hint can help anyone with the same issue. I don't know whether I can suggest a feature request.
Thank you very much.

Vincenzo Colonnella
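As an added illustration, not CAS, pac4j or Keycloak code and not from any of the posters: a small Python model of the two behaviours described in the post above, the observed one where cas.logout.redirectUrl replaces the delegated-IdP logout redirect, and the proposed one where the IdP logout is sent first and carries the final destination. The parameter the OpenID Connect RP-Initiated Logout 1.0 specification defines for that purpose is post_logout_redirect_uri, and an OP only follows it when the value has been registered for the client, which the example enforces. The Keycloak host and realm, the CAS post-logout page, and the token value are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values for this example: the Keycloak host and realm, the CAS
# post-logout page and the token are assumptions, not taken from the thread.
KEYCLOAK_END_SESSION = "https://idp.example.org/realms/demo/protocol/openid-connect/logout"
CAS_LOGOUT_REDIRECT_URL = "https://portal.example.org/logged-out"
REGISTERED_POST_LOGOUT_URIS = {CAS_LOGOUT_REDIRECT_URL}
SAMPLE_ID_TOKEN = "eyJhbGciOiJSUzI1NiJ9.e30.sig"  # placeholder, not a real ID token


def build_end_session_redirect(end_session_endpoint, id_token_hint,
                               post_logout_redirect_uri=None, state=None,
                               registered_uris=REGISTERED_POST_LOGOUT_URIS):
    """Build an RP-Initiated Logout URL (OpenID Connect RP-Initiated Logout 1.0).

    id_token_hint identifies the OP session to end. The OP only follows a
    post_logout_redirect_uri that was registered for the client, so an
    unregistered value is rejected here instead of producing an OP error page.
    """
    if (post_logout_redirect_uri is not None
            and post_logout_redirect_uri not in registered_uris):
        raise ValueError("post_logout_redirect_uri not registered at the OP: "
                         f"{post_logout_redirect_uri}")
    params = {"id_token_hint": id_token_hint}
    if post_logout_redirect_uri is not None:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    if state is not None:
        params["state"] = state
    return f"{end_session_endpoint}?{urlencode(params)}"


def cas_logout_location(end_session_endpoint, id_token_hint, cas_redirect_url, merge):
    """Model the two behaviours discussed in the thread as the Location header
    the CAS server would send the browser after destroying its own ticket.

    merge=False: the observed behaviour, where a configured
    cas.logout.redirectUrl replaces the delegated-IdP logout redirect.
    merge=True:  the proposed behaviour, where the IdP logout goes first and
    carries the final destination as post_logout_redirect_uri.
    """
    if cas_redirect_url is None or merge:
        return build_end_session_redirect(end_session_endpoint, id_token_hint,
                                          post_logout_redirect_uri=cas_redirect_url)
    return cas_redirect_url


def idp_session_ended(location, end_session_endpoint):
    """Check to run against the Location CAS returns after logout: unless the
    browser is sent to the OP's end_session_endpoint, the OP's SSO cookie
    survives and the next login completes without a credential prompt."""
    return location.partition("?")[0] == end_session_endpoint


def final_destination(location, end_session_endpoint):
    """Where the browser lands once the whole chain has run: the registered
    post-logout URI if the OP was visited (None means the OP's own logout page),
    otherwise the location itself."""
    if idp_session_ended(location, end_session_endpoint):
        query = parse_qs(urlsplit(location).query)
        return query.get("post_logout_redirect_uri", [None])[0]
    return location


if __name__ == "__main__":
    for merge in (False, True):
        loc = cas_logout_location(KEYCLOAK_END_SESSION, SAMPLE_ID_TOKEN,
                                  CAS_LOGOUT_REDIRECT_URL, merge)
        print(f"merge={merge}: idp_session_ended={idp_session_ended(loc, KEYCLOAK_END_SESSION)} "
              f"final={final_destination(loc, KEYCLOAK_END_SESSION)}")
```

The practical check is idp_session_ended: capture the 302 Location that CAS emits on logout and confirm it points at the provider's end_session_endpoint; if it points straight at the configured redirectUrl, the provider's SSO session was never terminated, which is exactly the symptom in the first post.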

Mahmoud Elnahrawy

May 2, 2021, 7:30:51 AM
to CAS Community, vcolo...@sigmaspa.com
Can you tell me exactly what you did to solve your problem, please? I have the same case as you.
Please explain in detail.

Petr Bodnár

Oct 17, 2025, 2:49:07 PM
to CAS Community, Mahmoud Elnahrawy, vcolo...@sigmaspa.com
FYI, we have actually run into the same problem (it seems to affect not just the delegation flow) and refreshed this topic in this new thread: CAS ignores post_logout_redirect_uri when default login/logout URL is set.