CAS ignores post_logout_redirect_uri when default login/logout URL is set


Petr Bodnár

Oct 15, 2025, 9:32:04 AM
to CAS Community
Hello,

we have found several surprising issues/bugs in the CAS class DefaultLogoutRedirectionStrategy in relation to the CAS setting "cas.view.default-redirect-url", i.e. the default login/logout URL. These go probably back to CAS version 6.x.

One of the issues is that due to the logic in this class, CAS ignores the post_logout_redirect_uri request parameter when a default login/logout URL is set in CAS properties.

For now, we have fixed this issue with OIDC (and possibly also with other logout flows - see all the usages of putLogoutRedirectUrl(final HttpServletRequest request, final String service)) by simply moving the class's code which reads and uses the variable authorizedRedirectUrlFromRequest to the very beginning of the method.

Anyone else facing a similar issue? And while the fix seems 100% logical, maybe we have overlooked something?

Best regards
Petr
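
The ordering problem described in the post above, as an added example that is not part of the original post and is not CAS code: a standalone model of the two evaluation orders. The class, method names, URLs and the registered-URI set are all hypothetical, and a request-supplied URL is treated as authorized only on an exact match against a registered value.

```java
import java.util.Optional;
import java.util.Set;

public class LogoutRedirectOrder {
    // Constructed sample values, not taken from any real deployment.
    static final String DEFAULT_URL = "https://cas.example.org/home";
    static final Set<String> REGISTERED = Set.of("https://app.example.org/bye");

    // A request-supplied URL counts only if it exactly matches a registered one,
    // so an unregistered value can never become the redirect target.
    static Optional<String> authorizedFromRequest(String requested) {
        if (requested == null || requested.isBlank()) {
            return Optional.empty();
        }
        return REGISTERED.contains(requested) ? Optional.of(requested) : Optional.empty();
    }

    // Ordering reported as the problem: the default wins whenever it is set,
    // so the request parameter is never consulted.
    static String defaultFirst(String requested) {
        if (DEFAULT_URL != null) {
            return DEFAULT_URL;
        }
        return authorizedFromRequest(requested).orElse(null);
    }

    // Ordering after the described fix: an authorized request URL wins,
    // and the default is only the fallback.
    static String requestFirst(String requested) {
        return authorizedFromRequest(requested).orElse(DEFAULT_URL);
    }

    public static void main(String[] args) {
        String[] samples = {
            "https://app.example.org/bye",          // registered
            "https://unregistered.example.net/x",   // not registered
            null                                    // parameter absent
        };
        for (String s : samples) {
            System.out.printf("%-36s defaultFirst=%s requestFirst=%s%n",
                s, defaultFirst(s), requestFirst(s));
        }
    }
}
```

Only the registered URL changes outcome between the two orderings; the unregistered and absent cases fall back to the default in both, which is the property to keep when reordering the checks.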

Issaka Rabo Moutari

Nov 20, 2025, 9:36:51 AM
to CAS Community, Petr Bodnár
Hello team, I came across this bug and developed a Groovy script as a solution. I'm sharing it with you in case it might be helpful to others!

import org.apereo.cas.web.support.WebUtils
import org.springframework.webflow.execution.Event

Object run(Object... args) {
    // This script reads the webflow context from args[0] and the logger from args[1]
    def context = args[0]
    def logger = args[1]

    def httpRequest = WebUtils.getHttpServletRequestFromExternalWebflowContext(context)
    def service = httpRequest.getParameter("service")

    def flowScope = context.flowScope

    logger.info("Custom logout interceptor. Incoming service = ${service}")

    if (!service) {
        // Remove the redirect URL
        if (flowScope.contains("logoutRedirectUrl")) {
            flowScope.remove("logoutRedirectUrl")
        }
    }

    return new Event(this, "success")
}

Petr Bodnár

Nov 20, 2025, 11:29:43 AM
to CAS Community, Issaka Rabo Moutari, Petr Bodnár
Hello Issaka,

thanks for sharing the script. I can't see a relation to the reported problem though. Why does the script remove "logoutRedirectUrl" from the flowScope when "service" is not present (while DefaultLogoutRedirectionStrategy reads the logout URL from CAS properties, not from flowScope)? And how do you tell CAS to use this script?

Best regards
Petr

Issaka Rabo Moutari

Nov 20, 2025, 12:12:05 PM
to cas-...@apereo.org

Hi, the issue I encountered is that I wanted to differentiate the redirect URL after login and after logout. When I add the property cas.view.default-redirect-url=${cas.server.name}/home in application.properties, the redirection applies both after login and after logout, which is not desired.
So I implemented this script to intercept the logout without a service, remove the default redirect URL, and continue to /cas/logout.


==========================script================================

import org.apereo.cas.web.support.WebUtils
import org.springframework.webflow.execution.Event

Object run(Object... args) {
    // This script reads the webflow context from args[0] and the logger from args[1]
    def context = args[0]
    def logger = args[1]

    def httpRequest = WebUtils.getHttpServletRequestFromExternalWebflowContext(context)
    def service = httpRequest.getParameter("service")

    def flowScope = context.flowScope

    logger.info("Custom logout interceptor. Incoming service = ${service}")

    /* Full debug
    flowScope.asMap().each { k, v ->
        logger.info("FLOW SCOPE >> ${k} = ${v}")
    }*/

    if (!service) {
        logger.info("No service provided. Forcing redirect removal.")

        // Remove the redirect URL
        if (flowScope.contains("logoutRedirectUrl")) {
            flowScope.remove("logoutRedirectUrl")
        }
    }

    return new Event(this, "success")
}

=====================application.properties=======================

cas.view.default-redirect-url=${cas.server.name}/home
cas.webflow.login-decorator.groovy.location=file:/opt/cas/config/logout-redirect.groovy
