From f4ecaa38a69cadda8fa9c3fd65fc2a9f92f3d393 Mon Sep 17 00:00:00 2001
From: Michal Skrivanek
Date: Wed, 28 Sep 2022 18:52:19 +0200
Subject: [PATCH 1/2] [WIP] further rfresh_token debugging
---
 .../engine/core/sso/service/TokenCleanupService.java | 7 ++++---
 .../engine/core/sso/servlets/OAuthRevokeServlet.java | 10 ++++++----
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/service/TokenCleanupService.java b/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/service/TokenCleanupService.java
index 441733965f8..600c75abe62 100644
--- a/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/service/TokenCleanupService.java
+++ b/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/service/TokenCleanupService.java
@@ -58,7 +58,8 @@ public static void cleanupSsoSession(
 log.debug("No existing Session found for token: {}, cannot invalidate session",
 ssoSession.getAccessToken());
 } else {
- log.debug("Existing Session found for token: {}, invalidating session", ssoSession.getAccessToken());
+ log.debug("Existing Session found for token: {}, refresh_token: {}, invalidating session",
+ ssoSession.getAccessToken(), refreshToken);
 try {
 existingSession.invalidate();
 } catch (IllegalStateException ex) {
@@ -66,8 +67,8 @@ public static void cleanupSsoSession(
 }
 }
 if (ssoContext.getSsoLocalConfig().getBoolean("ENGINE_SSO_ENABLE_EXTERNAL_SSO")) {
- log.debug("Existing Session found for token: {}, invalidating session on external OP",
- ssoSession.getAccessToken());
+ log.debug("Existing Session found for token: {}, refresh_token: {}, invalidating session on external OP",
+ ssoSession.getAccessToken(), refreshToken);
 ExternalOIDCService.logout(ssoContext, refreshToken);
 }
 invokeAuthnLogout(ssoContext, ssoSession);
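Review bot: Both new `log.debug` calls in cleanupSsoSession write the raw refresh token into the engine log, next to the access token that was already logged there. A refresh token is a bearer credential, so anyone who can read the log file or a log-forwarding pipeline can copy it, and it may still be usable if the external logout that follows fails or is skipped. The same applies to the `log.info(... refresh_token: {})` call added to OAuthRevokeServlet in this patch, which is emitted at INFO level on every logout, and to the `log.debug("refresh_token: {}", ssoSession.getRefreshToken())` line added in patch 2/2. For this debugging, recording only whether a token exists should be enough, e.g. `log.debug("Existing Session found, refresh_token present: {}, invalidating session", refreshToken != null);`, and the token arguments should be dropped before the WIP is merged. cleanupSsoSession starts and ends outside these hunks.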
diff --git a/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/OAuthRevokeServlet.java b/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/OAuthRevokeServlet.java index 571cc741414..5b9df0a7350 100644 --- a/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/OAuthRevokeServlet.java +++ b/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/OAuthRevokeServlet.java @@ -34,9 +34,10 @@ public void init(ServletConfig config) throws ServletException { @Override protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - log.debug("Entered OAuthRevokeServlet QueryString: {}, Parameters : {}", + log.debug("Entered OAuthRevokeServlet QueryString: {}, Parameters : {}, refresh_token: {}", request.getQueryString(), - SsoService.getRequestParameters(request)); + SsoService.getRequestParameters(request), + ssoSession.getRefreshToken()); try { String token = SsoService.getRequestParameter(request, SsoConstants.HTTP_PARAM_TOKEN); @@ -55,10 +56,11 @@ protected void service(HttpServletRequest request, HttpServletResponse response) ssoSession.getAssociatedClientIds().remove(clientIdAndSecret[0]); } if (revokeAllScope || ssoSession.getAssociatedClientIds().isEmpty()) { - log.info("User {}@{} with profile [{}] successfully logged out", + log.info("User {}@{} with profile [{}] successfully logged out, refresh_token: {}", SsoService.getUserId(ssoSession.getPrincipalRecord()), ssoContext.getUserAuthzName(ssoSession), - ssoSession.getProfile()); + ssoSession.getProfile(), + ssoSession.getRefreshToken()); TokenCleanupService.cleanupSsoSession(ssoContext, ssoSession, associatedClientIds); } } From c66bacea8a2ee2167901f4564c8c7d904b35fd2c Mon Sep 17 00:00:00 2001 
From: michalskrivanek
Date: Thu, 29 Sep 2022 08:29:44 +0200
Subject: [PATCH 2/2] Update OAuthRevokeServlet.java
---
 .../ovirt/engine/core/sso/service/TokenCleanupService.java | 4 +++-
 .../ovirt/engine/core/sso/servlets/OAuthRevokeServlet.java | 6 +++---
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/service/TokenCleanupService.java b/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/service/TokenCleanupService.java
index 600c75abe62..097f6c98b86 100644
--- a/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/service/TokenCleanupService.java
+++ b/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/service/TokenCleanupService.java
@@ -69,7 +69,9 @@ public static void cleanupSsoSession(
 if (ssoContext.getSsoLocalConfig().getBoolean("ENGINE_SSO_ENABLE_EXTERNAL_SSO")) {
 log.debug("Existing Session found for token: {}, refresh_token: {}, invalidating session on external OP",
 ssoSession.getAccessToken(), refreshToken);
- ExternalOIDCService.logout(ssoContext, refreshToken);
+ if (refreshToken != null) {
+ ExternalOIDCService.logout(ssoContext, refreshToken);
+ }
 }
 invokeAuthnLogout(ssoContext, ssoSession);
 SsoService.notifyClientsOfLogoutEvent(ssoContext,
diff --git a/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/OAuthRevokeServlet.java b/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/OAuthRevokeServlet.java
index 5b9df0a7350..6fc6ba97ce3 100644
--- a/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/OAuthRevokeServlet.java
+++ b/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/OAuthRevokeServlet.java
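Review bot: With the new `if (refreshToken != null)` guard in cleanupSsoSession, a session without a refresh token skips `ExternalOIDCService.logout` silently, while the debug line just above still reports "invalidating session on external OP". When ENGINE_SSO_ENABLE_EXTERNAL_SSO is set, this means the session at the external provider may stay active after the engine-side logout, and nothing in the log records that. Consider moving the debug message inside the guard and adding an else branch such as `} else { log.warn("No refresh token for SSO session, skipping logout on external OP"); }`. cleanupSsoSession starts and ends outside this hunk, so whether a null refresh token is an expected state here cannot be judged from the diff alone.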
@@ -34,10 +34,9 @@ public void init(ServletConfig config) throws ServletException { @Override protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - log.debug("Entered OAuthRevokeServlet QueryString: {}, Parameters : {}, refresh_token: {}", + log.debug("Entered OAuthRevokeServlet QueryString: {}, Parameters : {}", request.getQueryString(), - SsoService.getRequestParameters(request), - ssoSession.getRefreshToken()); + SsoService.getRequestParameters(request)); try { String token = SsoService.getRequestParameter(request, SsoConstants.HTTP_PARAM_TOKEN); @@ -48,6 +47,7 @@ protected void service(HttpServletRequest request, HttpServletResponse response) SsoSession ssoSession = ssoContext.getSsoSession(token); if (ssoSession != null) { + log.debug("refresh_token: {}", ssoSession.getRefreshToken()); Set associatedClientIds = new TreeSet<>(ssoSession.getAssociatedClientIds()); boolean revokeAllScope = SsoService.scopeAsList(scope).contains("ovirt-ext=revoke:revoke-all"); if (revokeAllScope) {