
OIDC sid vs session_state #2560

Closed
pavelwitassek opened this issue May 20, 2024 · 3 comments
Labels
Issue type - help wanted General questions on how to use the plugins, e.g. configurations etc.


@pavelwitassek

Hi,

Why does the OIDC plugin use the session_state parameter as the sid claim for front_channel_logout? https://github.com/microsoft/o365-moodle/blob/master/auth/oidc/classes/loginflow/authcode.php#L271

The OIDC Front-Channel Logout document (https://openid.net/specs/openid-connect-frontchannel-1_0.html) specifies: "The RP MAY verify that any iss and sid parameters match the iss and sid Claims in an ID Token issued for the current session or a recent session of this RP with the OP and ignore the logout request if they do not." But the plugin ignores the sid claim in the ID Token and incorrectly uses the session_state query parameter, which is defined by the document https://openid.net/specs/openid-connect-session-1_0.html for Session Management, not for front-channel logout.

Thanks for the answer.

@weilai-irl (Collaborator)

Hi @pavelwitassek

I confirm this is not a bug, but intentional.

In the auth code flow of Microsoft Entra ID, a successful login sends back code and session_state values, with the latter storing the SID. I think this is down to Microsoft Entra ID's implementation of the OIDC protocol.

When the Microsoft user logs out, the request made to the configured front_channel_logout URL contains the SID as a parameter, using the parameter name sid this time. This value is then used to find the matching login to log the user out.

Regards,
Lai

@weilai-irl weilai-irl self-assigned this Jun 10, 2024
@weilai-irl weilai-irl added the Issue type - help wanted General questions on how to use the plugins, e.g. configurations etc. label Jun 10, 2024
@pavelwitassek (Author)

If somebody connects Moodle to a non-Entra IdP (one which supports front-channel logout according to the specifications for Front-Channel Logout and Session Management), then this plugin works incorrectly and single logout does not work correctly in Moodle via the front channel.

@weilai-irl (Collaborator)

Hi @pavelwitassek

According to https://openid.net/specs/openid-connect-session-1_0.html, the parameter that contains the session identifier in authentication request return values is session_state.

And according to the document you refer (https://openid.net/specs/openid-connect-frontchannel-1_0.html), the parameter in logout URI is called sid.

Effectively these two values are the same thing, the session identifier, but they are called differently in the different steps of the workflow, according to the OIDC protocol.

I have tested with a Keycloak IdP (so non-Entra ID), and I confirm the same behaviour: the login redirect sends the session identifier in the session_state variable. I think this is conclusive.

Regards,
Lai
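Editor's note on the two specifications the thread cites: OpenID Connect Front-Channel Logout 1.0 defines sid as a claim of the ID Token (and as a query parameter of the logout URI), while OpenID Connect Session Management 1.0 defines session_state as a salted hash over the client_id, the RP origin and the OP's browser state, which the RP's check_session iframe recomputes to detect OP session changes. Whether a given OP happens to put the same value in both places is an implementation detail of that OP. The example below is added here and is not the plugin's code nor from either commenter; it is written in Python rather than the plugin's PHP, and shows an RP that records iss and sid from the verified ID Token at login and matches front-channel logout requests against them. The issuer, client ID, HS256 signing key, sid values and salt are all constructed for the demo.

```python
"""Added example: an RP that ties its local sessions to the iss/sid claims of
the ID Token and matches OIDC front-channel logout requests against them.
All identifiers, keys and session values below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 ID Token (constructed OP side; real OPs usually sign with RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str) -> dict:
    """Check signature, iss and aud before trusting any claim, sid included."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("iss/aud mismatch")
    return claims


def compute_session_state(client_id: str, origin: str, op_browser_state: str, salt: str) -> str:
    """session_state as Session Management 1.0 builds it: a salted hash over the
    client_id, RP origin and OP browser state, recomputed by the RP's
    check_session iframe. It is derived from the OP session, not the sid claim."""
    digest = hashlib.sha256(f"{client_id} {origin} {op_browser_state} {salt}".encode()).hexdigest()
    return f"{digest}.{salt}"


class RpSessionStore:
    def __init__(self, issuer: str, client_id: str, key: bytes):
        self.issuer, self.client_id, self.key = issuer, client_id, key
        self.sessions = {}  # local session id -> {"iss": ..., "sid": ..., "session_state": ...}

    def login(self, local_session_id: str, id_token: str, session_state: Optional[str]) -> dict:
        claims = verify_id_token(id_token, self.key, self.issuer, self.client_id)
        self.sessions[local_session_id] = {
            "iss": claims["iss"], "sid": claims.get("sid"), "session_state": session_state}
        return claims

    def front_channel_logout(self, request_url: str) -> list:
        """Handle GET <frontchannel_logout_uri>?iss=...&sid=... and return the
        local sessions that were ended. Matching is on the ID Token's iss and
        sid, as Front-Channel Logout 1.0 describes."""
        query = parse_qs(urlparse(request_url).query)
        iss = query.get("iss", [None])[0]
        sid = query.get("sid", [None])[0]
        if iss is None or sid is None:
            # Policy choice for this example: without iss and sid the request does
            # not identify a session, so nothing is ended here (a real RP could
            # fall back to the browser session cookie sent with the iframe load).
            return []
        if iss != self.issuer:
            return []
        ended = [k for k, v in self.sessions.items() if v["iss"] == iss and v["sid"] == sid]
        for k in ended:
            del self.sessions[k]
        return ended


def demo() -> dict:
    issuer, client_id, key = "https://op.example", "moodle-rp", b"constructed-shared-secret"
    rp = RpSessionStore(issuer, client_id, key)
    for local_id, sid in (("moodle-sess-A", "op-sid-111"), ("moodle-sess-B", "op-sid-222")):
        token = make_id_token({"iss": issuer, "aud": client_id, "sub": "user1", "sid": sid}, key)
        ss = compute_session_state(client_id, "https://rp.example", "opbs-" + sid, "s4lt")
        rp.login(local_id, token, ss)
    ss_a = rp.sessions["moodle-sess-A"]["session_state"]

    def logout(**params):
        return rp.front_channel_logout("https://rp.example/logout?" + urlencode(params))

    return {
        "by_session_state": logout(iss=issuer, sid=ss_a),                      # [] (wrong identifier)
        "wrong_issuer": logout(iss="https://other.example", sid="op-sid-111"),  # []
        "by_sid": logout(iss=issuer, sid="op-sid-111"),                         # ["moodle-sess-A"]
        "remaining": sorted(rp.sessions),                                       # ["moodle-sess-B"]
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the demo makes is that a logout request carrying the Session Management session_state value does not match anything once the RP keys its sessions on the ID Token's sid, and a request from a different iss is ignored even with a colliding sid; an RP that instead stores session_state at login only works with OPs that happen to send the same value in both places.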
