Frontchannel Logout on Protocol OIDC


Ronaldo Hideki Yamada

Mar 11, 2021, 1:01:18 PM
to Keycloak Dev
As specified in:


Representative client implemented in:



Suggestions:

Show frontchannel_logout switch on client for protocol oidc:


Add a client attribute [clientEdit.attributes.frontchannel_logout_url] to store the frontchannel logout URL in this same file.

On OIDCLoginProtocol::frontchannelLogout OIDCLoginProtocol.java#L323


Append the configured frontchannel_logout_url, with query params sid (session_state? see below) and iss, to a list of frontchannel_logout_url stored on the userSession.

In this method, return null so the KC engine goes on to the next authenticated client.

On OIDCLoginProtocol::finishLogout OIDCLoginProtocol.java#L329


Render a transition page with the saved list of frontchannel_logout_url in the src attribute of images (yes, Apache returns a 1-pixel PNG, and this bypasses browser iframe protections);
additionally, on the same page, add iframes with the same URLs.

For final logout_redirect_uri:

The page should use all the methods below:
    1) Refresh header
    2) meta http-equiv Refresh
    3) a JavaScript check for (iframe/image loading) || timeout, then redirect.

* For those clients, KC should issue an access_token with sid (=session_state).
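As an added illustration of the design above (not code from the original post, and not Keycloak's own code), the following Python shows the OP side appending iss and sid to each client's registered frontchannel logout URL and the RP side deciding what to do with the request it receives. The issuer URL, client URIs and sid are constructed sample values; the RP here does not depend on a cookie, which matters when the OP's transition page loads the URL as a third-party image or iframe.

```python
# Added example (not Keycloak's code): OP-side construction of OIDC
# Front-Channel Logout URLs and the RP-side checks on the resulting request.
# Issuer, client URIs and the sid below are constructed sample values.
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ISSUER = "https://idp.example.com/realms/demo"  # constructed OP issuer URL


def logout_url_params(url: str) -> dict:
    """Query parameters of a URL as a dict (last value wins for duplicates)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def build_frontchannel_logout_url(frontchannel_logout_uri: str, iss: str, sid: str) -> str:
    """Append iss and sid to the client's registered frontchannel_logout_uri,
    keeping any query parameters the client registered with it."""
    parts = urlsplit(frontchannel_logout_uri)
    if parts.scheme != "https":
        # The registered URI is expected to be https; iss/sid would otherwise travel in clear.
        raise ValueError("frontchannel_logout_uri must use https")
    query = logout_url_params(frontchannel_logout_uri)
    query["iss"] = iss
    query["sid"] = sid
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def collect_logout_urls(user_session: dict) -> list:
    """One logout URL per authenticated client in the user session that
    registered a frontchannel_logout_uri; clients without one are skipped
    (they are left to back-channel logout, or not logged out at all)."""
    urls = []
    for client in user_session["clients"]:
        uri = client.get("frontchannel_logout_uri")
        if uri:
            urls.append(build_frontchannel_logout_url(uri, ISSUER, user_session["sid"]))
    return urls


class RelyingParty:
    """Minimal RP logout endpoint. Because third-party cookies may be blocked when
    the OP's transition page loads this URL, the RP does not rely on a cookie:
    it terminates the local session mapped to the sid it was given, and only if
    the iss is the OP it trusts. Responses should carry no-cache headers."""

    NO_CACHE_HEADERS = {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache"}

    def __init__(self, expected_iss: str, sessions: dict):
        self.expected_iss = expected_iss
        self.sessions = dict(sessions)  # OP sid -> local session id

    def handle_frontchannel_logout(self, request_url: str) -> str:
        q = logout_url_params(request_url)
        iss, sid = q.get("iss"), q.get("sid")
        if iss is None or sid is None:
            return "ignored: iss and sid must both be present"
        if iss != self.expected_iss:
            return "ignored: unknown issuer"
        local = self.sessions.pop(sid, None)
        if local is None:
            # Unknown or already-terminated sid: nothing to do, and no state changes.
            return "ignored: no session for sid"
        return f"terminated {local}"


if __name__ == "__main__":
    session = {
        "sid": "c1f5c2a0-7e4b-4a9c-9d3e-0123456789ab",  # constructed
        "clients": [
            {"client_id": "portal", "frontchannel_logout_uri": "https://portal.example.com/logout"},
            {"client_id": "reports",
             "frontchannel_logout_uri": "https://reports.example.com/oidc/fc-logout?tenant=acme"},
            {"client_id": "legacy"},  # no front-channel logout registered
        ],
    }
    rp = RelyingParty(ISSUER, {session["sid"]: "local-42"})
    urls = collect_logout_urls(session)
    for url in urls:
        print(url)
    print(rp.handle_frontchannel_logout(urls[0]))
```

The RP logic is deliberately idempotent: a repeated or forged request for an unknown sid changes nothing, so an unauthenticated caller can only end a session whose sid it already knows.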

Pedro Igor

Mar 12, 2021, 12:34:09 PM
to Keycloak Dev
Hi,

Sounds like a good plan. 

However, I have some considerations about front-channel logout.

Firstly, could you elaborate on why back-channel logout is not enough for you?

Secondly, given that most browsers are restricting 3rd party cookies, requests from the iframe might not pass cookies when making the logout requests. Although it should be possible to log out at the application using the iss/sid, the logout endpoint is open to DoS attack. We could potentially pass the id_token too using the id_token_hint parameter to somewhat overcome this problem, but this is out of the spec.

Lastly, could you elaborate on why you need the image + iframes for each client session?

Regards.
Pedro Igor

Ronaldo Hideki Yamada

Mar 12, 2021, 1:19:58 PM
to Keycloak Dev
Hi Pedro,

Yes, our users have blocked third party cookies.
We already use another solution of SSO and our clients have implemented front channel logout.
Backchannel is great, but sometimes our clients do not implement it.

We deployed KC with dozens of clients too, but browsers could block cookie reading on "cross site window(post) messaging" and render KC session management useless.
I think sending id_token_hint is a good idea, and client frontchannel_logout endpoints could ignore additional query params. But a protected session_state and a UUID could render DoS attacks useless.

For images, some web servers send the following header: "content-security-policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';", KC itself included. Loading the frontchannel_endpoint as an image overcomes this. Additional requests can increase the chance of logout.

Regards,
Ronaldo

Ronaldo Hideki Yamada

Mar 12, 2021, 2:31:30 PM
to Keycloak Dev
Hi Pedro,

I just read that KC is already backchannel compatible with the RFC, instead of the proprietary one (events, session_state array).

There are concerns about the use of backchannel: first, KC must POST requests to an increasing number of external servers, and our KC only has access to LDAP, the DB and a few services like Recaptcha. Browsers, by contrast, already have this access; this was the main reason to adopt (possibly broken in the future) SessionManagement in the past.

Also, most of our users are logged on to several systems. KC will centrally handle dozens of these POST requests, instead of delegating them to the users' distributed browsers.

Could an alternative approach use backchannel logout on a front-channel basis?
What if the transition logout page POSTs (XHR) the KC LogoutToken to the clients' backchannel_logout_endpoints?
Will the client (server) distinguish between KC and the browser? Are there issues with CORS?

Regards,
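The question above, whether a client could tell a logout token delivered by the browser from one delivered by KC, comes down to what the RP actually verifies. As an added example (not from the original thread and not Keycloak's code), the Python below validates an OIDC Back-Channel Logout token the way an RP should: signature first, then iss, aud, iat, jti replay, the events claim, sub/sid presence and the absence of nonce. The sender is never part of that decision. The token is signed with HS256 and a constructed shared secret only so the example runs offline; a real OP such as Keycloak signs with an asymmetric key and the RP verifies against the OP's published keys. Issuer, client id, sid and timestamps are constructed sample values.

```python
# Added example (not Keycloak's code): RP-side validation of an OIDC
# Back-Channel Logout token. HS256 and the shared secret are demo-only
# stand-ins for the asymmetric signature a real OP would use.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_logout_token(claims: dict, key: bytes) -> str:
    """Mint a compact JWS over the claims with HMAC-SHA256 (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_logout_token(token: str, key: bytes, expected_iss: str, client_id: str,
                          seen_jti: set, now: Optional[int] = None, max_age: int = 120) -> dict:
    """Apply the logout token checks an RP must make and return the claims,
    raising ValueError with the reason on the first failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Verify the signature before trusting any claim; who delivered the token is irrelevant.
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not include this client")
    iat = claims.get("iat")
    if not isinstance(iat, int) or not (now - max_age <= iat <= now + max_age):
        raise ValueError("iat missing or outside the accepted window")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("jti missing or already used")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("events claim does not name the backchannel-logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("token carries neither sub nor sid")
    if "nonce" in claims:
        raise ValueError("logout tokens must not contain nonce")
    seen_jti.add(jti)  # record the jti only after every check passed
    return claims


def logout_token_status(token: str, key: bytes, expected_iss: str, client_id: str,
                        seen_jti: set, now: Optional[int] = None) -> str:
    """String outcome for logging or tests: 'accepted' or 'rejected: <reason>'."""
    try:
        validate_logout_token(token, key, expected_iss, client_id, seen_jti, now=now)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    KEY = b"constructed-demo-secret"  # constructed; never a real deployment value
    claims = {"iss": "https://idp.example.com/realms/demo", "aud": "reports",
              "iat": 1700000000, "jti": "jti-0001",
              "events": {BACKCHANNEL_LOGOUT_EVENT: {}}, "sid": "sid-abc"}
    token = sign_logout_token(claims, KEY)
    seen = set()
    print(logout_token_status(token, KEY, claims["iss"], "reports", seen, now=1700000030))
    print(logout_token_status(token, KEY, claims["iss"], "reports", seen, now=1700000030))  # replay
```

Whether the POST arrives from KC or from a browser page, the endpoint accepts it only if the signature and claims hold, and the jti set stops the same token from ending a session twice. Any CORS behaviour on the browser path affects only whether the page can read the response, not whether the RP processes the token.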

Pedro Igor Craveiro e Silva

Mar 16, 2021, 4:51:23 PM
to Ronaldo Hideki Yamada, Keycloak Dev
I see, thanks for the clarification.

I would say we should go with the specs. So I think it makes sense to add support for front-channel logout along the lines you proposed.

For CSP, we do set the header with some default values. However, you should be able to change that via the admin console. If that helps. I think the part related to images/regular iframes is what we should discuss more.

But yeah, I think a PR makes sense and we can discuss there the last bits.

Regards.
Pedro Igor


Ronaldo Hideki Yamada

Apr 11, 2021, 9:14:28 AM
to Keycloak Dev
Hi everyone,


I have opened [KEYCLOAK-17653] and created a Keycloak fork, rhyamada/keycloak, and have a particular interest in the following issue being merged: [KEYCLOAK-15221].
I also wrote some tests based on the backchannel logout tests, and ran all of them successfully.

> mvn clean install -DskipTests=true -q
> mvn -f distribution/pom.xml clean install -DskipTests=true -q
> mvn -f testsuite/integration-arquillian/pom.xml clean install -Dtest=forms.LogoutTest#frontChannelLogout
> mvn -f testsuite/integration-arquillian/pom.xml clean install 

I'm writing this repo, rhyamada/keycloak_frontchannel_logout_test, for testing purposes.

Can anyone check the work and make suggestions?


Best regards,
Ronaldo

Ronaldo Hideki Yamada

May 24, 2021, 9:53:37 AM
to Keycloak Dev

Pedro Igor

May 26, 2021, 4:58:48 PM
to Keycloak Dev
Thanks. I've labeled and assigned the PR.

Ronaldo Hideki Yamada

Jun 7, 2021, 9:34:40 AM
to Keycloak Dev

I have seen that the PR was broken (CodeQL Analysis), but I can't get the details: https://github.com/keycloak/keycloak/pull/8081/checks?check_run_id=2679217828

My browser freezes, any workaround about this?


Additionally, I created this Colab notebook to build the repo and run LogoutTest.

Are there any checks to pay attention to in this flow?


https://github.com/rhyamada/keycloak_frontchannel_logout_test/blob/main/Keycloak.ipynb

Ronaldo Hideki Yamada

Jun 7, 2021, 9:55:16 AM
to Keycloak Dev
Now it has opened, full of errors like this:

Error: 5-26 21:13:41] [autobuild] [ERROR] Failed to execute goal on project integration-arquillian-util: Could not resolve dependencies for project org.keycloak.testsuite:integration-arquillian-util:jar:14.0.0-SNAPSHOT: Failed to collect dependencies at org.jboss.arquillian.container:arquillian-container-karaf-managed:jar:2.2.0.Final -> org.jboss.arquillian.container:arquillian-container-osgi:jar:2.2.0.Final -> org.jboss.osgi.metadata:jbosgi-metadata:jar:4.0.0.CR1: Failed to read artifact descriptor for org.jboss.osgi.metadata:jbosgi-metadata:jar:4.0.0.CR1: Could not transfer artifact org.jboss.osgi.metadata:jbosgi-metadata:pom:4.0.0.CR1 from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [jboss-public-repository-group (http://repository.jboss.org/nexus/content/groups/public/, default, releases+snapshots)] -> [Help 1]

Newer Maven has blocked all http repos.