feat(jans-auth-server): allow end session with expired id_token_hint (by checking signature and aud/sid) #2430

Closed
yuriyz opened this issue Sep 21, 2022 · 0 comments · Fixed by #2431
Assignees
Labels
comp-jans-auth-server Component affected by issue or PR kind-feature Issue or PR is a new feature request
Milestone

Comments

yuriyz commented Sep 21, 2022

Describe the issue

Allow end session with expired id_token_hint (by checking signature and aud/sid)

oxauth counterpart: GluuFederation/oxAuth#1721

Actual behavior

At present, AS is "verifying" the id_token_hint by looking it up in the token store. If the token has expired it will have been purged, and so the request to end_session is rejected.

Expected behavior

Instead of trying to look up the ID token, to validate the id_token_hint:

  1. Verify the signature on the JWT if present, also checking that it was signed by one of oxAuth's signing keys.
  2. As per the spec:
    • Use the sid claim in the id_token_hint to look up the session in the oxAuth session store.
    • If a session is found, check that the aud claim in the token matches one of the client_ids belonging to the session.

If the sid of the id_token_hint does not match, the request will be rejected.

New configuration properties:

  • allowEndSessionWithUnmatchedSid with default value false. If true, the sid check will be skipped.
  • rejectEndSessionIfIdTokenExpired with default value false. If true and the id_token is not found in the DB, the request will be rejected.
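The validation sequence above (signature check without expiry enforcement, then sid lookup, then aud-against-session check, gated by the two new properties) as a runnable Python example. This is an added illustration written for this page, not code from jans-auth-server or oxAuth. It assumes an HMAC (HS256) signing key selected by kid as a stand-in for the AS's asymmetric JWKS keys, an in-memory dict as the session store, and treats "id_token not found in the DB" as "the exp claim is in the past", since an expired token would have been purged from the token store; key names, session layout and function names are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the AS signing keys, keyed by kid. A real AS publishes
# asymmetric keys in its JWKS; HMAC is used here only so the example runs offline.
AS_SIGNING_KEYS = {
    "as-key-2022-09": b"constructed-as-signing-secret-do-not-reuse",
}

# Constructed session store: sid -> the client_ids that authenticated in that session.
SESSION_STORE = {
    "sid-4f2e": {"client_ids": {"client-web", "client-mobile"}},
}


class EndSessionError(Exception):
    """Raised when the id_token_hint must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, kid: str, keys=AS_SIGNING_KEYS) -> str:
    """Mint a compact JWS (HS256 stand-in) the way the AS would mint an ID token."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    mac = hmac.new(keys[kid], signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def verify_signature(token: str, keys=AS_SIGNING_KEYS) -> dict:
    """Step 1: confirm the JWS was signed by one of the AS keys.

    exp is deliberately NOT enforced here: an expired id_token_hint is still an
    acceptable proof of 'who is logging out' as long as the signature is ours.
    """
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        signature = _b64url_decode(s64)
    except ValueError as exc:  # covers bad split, bad base64 and bad JSON
        raise EndSessionError("id_token_hint is not a well-formed JWS") from exc
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none" or a foreign alg
        raise EndSessionError("unsupported alg in id_token_hint")
    key = keys.get(header.get("kid"))
    if key is None:
        raise EndSessionError("id_token_hint signed with an unknown kid")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise EndSessionError("bad signature on id_token_hint")
    return claims


def validate_id_token_hint(token: str, sessions=SESSION_STORE, keys=AS_SIGNING_KEYS,
                           allow_end_session_with_unmatched_sid=False,
                           reject_end_session_if_id_token_expired=False,
                           now=None):
    """Steps 1-2 plus the two configuration switches. Returns (claims, session)."""
    now = time.time() if now is None else now
    claims = verify_signature(token, keys)
    # Stand-in for "id_token not found in the DB": an expired token has been purged.
    if reject_end_session_if_id_token_expired and claims.get("exp", 0) < now:
        raise EndSessionError("id_token_hint expired and rejectEndSessionIfIdTokenExpired is set")
    session = sessions.get(claims.get("sid"))
    if session is None:
        if allow_end_session_with_unmatched_sid:
            return claims, None  # sid check skipped by configuration
        raise EndSessionError("sid in id_token_hint does not match any session")
    aud = claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    if not audiences & session["client_ids"]:
        raise EndSessionError("aud in id_token_hint does not belong to the session")
    return claims, session


if __name__ == "__main__":
    # Constructed ID token whose exp is long past; it still passes with default settings.
    hint = sign_id_token({"sub": "user-1", "aud": "client-web", "sid": "sid-4f2e", "exp": 1000},
                         "as-key-2022-09")
    print(validate_id_token_hint(hint, now=2000))
```

The order matters: the signature is checked before anything in the payload is trusted, the algorithm is pinned so a caller cannot downgrade to `none`, and the HMAC comparison is constant-time. With `rejectEndSessionIfIdTokenExpired` left at its default, `exp` is never consulted at all, which is the behaviour the issue asks for.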
@yuriyz yuriyz added comp-jans-auth-server Component affected by issue or PR kind-feature Issue or PR is a new feature request labels Sep 21, 2022
@yuriyz yuriyz added this to the 1.0.3 milestone Sep 21, 2022
@yuriyz yuriyz self-assigned this Sep 21, 2022
@yuriyz yuriyz changed the title feat(jans-auth-server): allow end session with expired id_token_hint (by checking signature and aud/sid) #1721 feat(jans-auth-server): allow end session with expired id_token_hint (by checking signature and aud/sid) #2430 Sep 21, 2022
@yuriyz yuriyz changed the title feat(jans-auth-server): allow end session with expired id_token_hint (by checking signature and aud/sid) #2430 feat(jans-auth-server): allow end session with expired id_token_hint (by checking signature and aud/sid) Sep 21, 2022
yuriyz added a commit that referenced this issue Sep 21, 2022
…(by checking signature and sid) #2430

docs: no docs (swagger is updated)
#2372
yuriyz added a commit that referenced this issue Sep 21, 2022
…(by checking signature and sid) #2430 (#2431)

docs: no docs (swagger is updated)
#2430