cloudfoundry/stratos

SSO logout uses different endpoint

cache-sk opened this issue · 0 comments

Stratos Version

4.4.0 release

Frontend Deployment type

  • Cloud Foundry Application (cf push)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)

Expected behaviour

SSO logout should probably use the same endpoint as SSO login.

Actual behaviour

When SSO is activated, login uses /sso_login, which in method initSSOlogin in file authuaa.go redirects to p.Config.ConsoleConfig.AuthorizationEndpoint.

Logout uses /sso_logout, which in method ssoLogoutOfUAA, also in file authuaa.go, redirects to p.Config.ConsoleConfig.UAAEndpoint.

I think this should be redirected to the same endpoint.

Can I ask why there are two endpoints, which look like they should be the same? I have noticed this because in our test CF environment somebody configured authorization_endpoint to https://login.something and token_endpoint to https://uaa.something, which both point to the same UAA, but due to the different domains, the user is never logged out from the login domain (browser flow cookies).

Also, I didn't find anywhere in the docs that there must be logout in the SSO_OPTIONS environment attribute to activate SSO logout, and if SSO_ALLOWLIST is used, it must contain logout too, because only logout and not the full URL is used as state in the callback after logout - this is probably a bug too.
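The two problems described in this issue (logout sent to a different host than login, and the post-logout return URL allowlisted by a path fragment rather than the full URL) can be illustrated with a small Go sketch. This is an added example, not Stratos code: the ConsoleConfig struct only borrows the field names from the issue, the endpoint values are constructed, and the "/logout.do" path is an assumed UAA logout path, not something the issue states.

```go
package main

import (
	"fmt"
	"net/url"
)

// ConsoleConfig is a stand-in for the two endpoints named in the issue.
// Field names follow the issue text; the values used below are constructed.
type ConsoleConfig struct {
	AuthorizationEndpoint string
	UAAEndpoint           string
}

// sameOrigin reports whether two endpoint URLs share scheme and host.
// Browser session cookies are scoped per host, so a logout redirect sent to
// a different host than the one that handled login leaves that session alive.
func sameOrigin(a, b string) (bool, error) {
	ua, err := url.Parse(a)
	if err != nil {
		return false, err
	}
	ub, err := url.Parse(b)
	if err != nil {
		return false, err
	}
	return ua.Scheme == ub.Scheme && ua.Host == ub.Host, nil
}

// ssoLogoutURL builds the logout redirect on the host the login flow used
// (AuthorizationEndpoint). "/logout.do" is an assumed UAA logout path.
func ssoLogoutURL(cfg ConsoleConfig, returnTo string) (string, error) {
	u, err := url.Parse(cfg.AuthorizationEndpoint)
	if err != nil {
		return "", err
	}
	u.Path = "/logout.do"
	q := url.Values{}
	q.Set("redirect", returnTo)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// returnAllowed matches the full post-logout return URL against the
// allowlist, so a bare entry such as "logout" is not enough to pass.
func returnAllowed(returnTo string, allowlist []string) bool {
	for _, entry := range allowlist {
		if entry == returnTo {
			return true
		}
	}
	return false
}

func main() {
	cfg := ConsoleConfig{AuthorizationEndpoint: "https://login.example.test", UAAEndpoint: "https://uaa.example.test"}
	same, _ := sameOrigin(cfg.AuthorizationEndpoint, cfg.UAAEndpoint)
	target, _ := ssoLogoutURL(cfg, "https://console.example.test/logout")
	fmt.Println("login and logout on same origin:", same, "logout redirect:", target)
}
```

With the constructed values, sameOrigin returns false, which is exactly the configuration the issue says leaves the login-domain session in place.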