OIDC sid vs session_state #2560
Comments
I confirm this is not a bug, but intentional. In the auth code flow of Microsoft Entra ID, successful login sends back When the Microsoft user logs out, the request made to the configured front_channel_logout contains the SID as parameter using parameter name
Regards,
If somebody connects Moodle to a non-Entra IdP (which supports Front-Channel Logout with the specification for Front-Channel Logout and Session Management), then this plugin works incorrectly and single sign logout does not work correctly in Moodle via the front channel.
According to https://openid.net/specs/openid-connect-session-1_0.html, the parameter that contains the session identifier in authentication request return values is And according to the document you refer to (https://openid.net/specs/openid-connect-frontchannel-1_0.html), the parameter in the logout URI is called Effectively these two values are the same thing, the session identifier, but they are called differently in the different steps of the workflow, according to the OIDC protocol. I have tested with a Keycloak IdP (so non-Entra ID), and I confirm the same behaviour: the login redirect sends the session identifier in
Regards,
Hi,
Why does the OIDC plugin use the session_state parameter as the sid claim for front_channel_logout? https://github.com/microsoft/o365-moodle/blob/master/auth/oidc/classes/loginflow/authcode.php#L271
The OIDC Front-Channel Logout document (https://openid.net/specs/openid-connect-frontchannel-1_0.html) specifies: "The RP MAY verify that any iss and sid parameters match the iss and sid Claims in an ID Token issued for the current session or a recent session of this RP with the OP and ignore the logout request if they do not." But the plugin ignores the sid claim in the ID Token and incorrectly uses the session_state query parameter, which is defined by the document https://openid.net/specs/openid-connect-session-1_0.html for Session Management, not for front-channel logout.
Thanks for the answer
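To make the spec sentence quoted above concrete, here is an added example (not code from the o365-moodle plugin) of an RP handling a front-channel logout request the way the Front-Channel Logout document allows: the `iss` and `sid` query parameters are matched against the `iss` and `sid` claims of the ID Token stored for a live session, and the request is ignored when nothing matches. A second handler shows the lookup the issue describes, keyed on the `session_state` value from the authorization response instead of the `sid` claim; because the two specs define these as separate values, an RP that equates them only works when the OP happens to issue the same string for both. The session store, the ID Token claims, the `session_state` value and the URLs are all constructed for the demo, and the ID Token claims are assumed to have been signature-checked before they reach `record_login`.

```python
"""
Front-channel logout at an OpenID Connect relying party (RP): sid-based
matching per the Front-Channel Logout spec, beside the session_state-based
lookup discussed in the issue. All identifiers and values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass
class RpSession:
    """What the RP remembers about one logged-in browser session."""
    local_session_id: str   # the RP's own cookie/session id
    iss: str                # `iss` claim from the validated ID Token
    sid: str                # `sid` claim from the validated ID Token
    session_state: str      # opaque value from the authorization response
    active: bool = True


class SessionStore:
    """In-memory stand-in for the RP's session table (constructed for the demo)."""

    def __init__(self) -> None:
        self._by_local: Dict[str, RpSession] = {}

    def add(self, session: RpSession) -> None:
        self._by_local[session.local_session_id] = session

    def find_by_claims(self, iss: str, sid: str) -> Optional[RpSession]:
        for s in self._by_local.values():
            if s.active and s.iss == iss and s.sid == sid:
                return s
        return None

    def find_by_session_state(self, value: str) -> Optional[RpSession]:
        for s in self._by_local.values():
            if s.active and s.session_state == value:
                return s
        return None


def record_login(store: SessionStore, local_session_id: str,
                 id_token_claims: dict, authz_response_params: dict) -> RpSession:
    """Called after the code exchange. `id_token_claims` is assumed to have had
    signature, iss, aud and exp validated already (not shown here)."""
    session = RpSession(
        local_session_id=local_session_id,
        iss=id_token_claims["iss"],
        sid=id_token_claims.get("sid", ""),
        session_state=authz_response_params.get("session_state", ""),
    )
    store.add(session)
    return session


def _logout_params(logout_request_url: str) -> Tuple[Optional[str], Optional[str]]:
    params = parse_qs(urlparse(logout_request_url).query)
    return params.get("iss", [None])[0], params.get("sid", [None])[0]


def handle_front_channel_logout(store: SessionStore, logout_request_url: str) -> Tuple[str, str]:
    """Spec-style handling: match iss and sid against stored ID Token claims.
    This RP chooses to ignore requests that carry no iss/sid, since it then
    cannot tell which session the OP means (a policy choice, not a spec rule)."""
    iss, sid = _logout_params(logout_request_url)
    if iss is None or sid is None:
        return ("ignored", "missing iss or sid")
    session = store.find_by_claims(iss, sid)
    if session is None:
        return ("ignored", "no session matches iss/sid")
    session.active = False  # end the RP-local session
    return ("logged_out", session.local_session_id)


def handle_front_channel_logout_using_session_state(store: SessionStore,
                                                    logout_request_url: str) -> Tuple[str, str]:
    """The lookup the issue describes: compare the request's sid parameter with
    the session_state captured at login. It only succeeds if the OP issues the
    same string for both values."""
    _, sid = _logout_params(logout_request_url)
    if sid is None:
        return ("ignored", "missing sid")
    session = store.find_by_session_state(sid)
    if session is None:
        return ("ignored", "no session has session_state equal to sid")
    session.active = False
    return ("logged_out", session.local_session_id)


def run_demo() -> Tuple[Tuple[str, str], Tuple[str, str], Tuple[str, str]]:
    """Constructed scenario: the OP issues distinct sid and session_state values."""
    store = SessionStore()
    record_login(store, "moodle-sess-1",
                 {"iss": "https://idp.example/realms/demo", "sid": "sess-7f3a", "sub": "alice"},
                 {"code": "constructed-code", "session_state": "ss-9b2c"})
    url = ("https://rp.example/auth/oidc/logout.php"
           "?iss=https%3A%2F%2Fidp.example%2Frealms%2Fdemo&sid=sess-7f3a")
    by_state = handle_front_channel_logout_using_session_state(store, url)  # misses
    by_sid = handle_front_channel_logout(store, url)                        # logs out
    replay = handle_front_channel_logout(store, url)                        # nothing left
    return by_state, by_sid, replay


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Running the module prints the three outcomes in order: the session_state-based lookup misses, the sid-based lookup ends the Moodle session, and a replay of the same logout URL is ignored because no active session matches any more.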