RH-SSO / RHSSO-867

client's logout handling gets stuck between HTTP-POST and HTTP-Redirect


Details

    • Bug
    • Resolution: Done
    • Major
    • RH-SSO-7.2.0.DR2
    • RH-SSO-7.0.0.GA
    • None
    • None
      • Configure a client (app2) with a logout-service-post-binding-url and a http-redirect logout url.
      • Remove the http-post logout url
      • Log into app1
      • Log into app2
      • Trigger logout from app1
      • RH-SSO will log the following exception and no LogoutRequest will get sent to app2

      15:14:16,756 WARN [org.keycloak.services] (default task-6) KC-SERVICES0051: Failed to logout client, continuing: java.lang.NullPointerException
      at java.net.URI$Parser.parse(URI.java:3042)
      at java.net.URI.<init>(URI.java:588)
      at java.net.URI.create(URI.java:850)
      at org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:101)
      at org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:78)
      at org.keycloak.protocol.saml.SamlProtocol.frontchannelLogout(SamlProtocol.java:501)
      at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:226)
      at org.keycloak.protocol.saml.SamlService$BindingProtocol.logoutRequest(SamlService.java:335)
      at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:204)
      at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.execute(SamlService.java:467)
      at org.keycloak.protocol.saml.SamlService.redirectBinding(SamlService.java:489)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:497)
      at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
      at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
      at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
      at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
      at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
      at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
      at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
      at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
      at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
      at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
      at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)
      at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
      at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
      at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
      at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
      at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
      at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
      at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
      at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
      at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
      at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
      at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
      at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
      at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
      at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:792)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:745)

      In SamlProtocol.frontchannelLogout(), it looks like isLogoutPostBindingForClient() continues to return true but the bindingUri is null:

      491 public Response frontchannelLogout(UserSessionModel userSession, ClientSessionModel clientSession) {
      492     ClientModel client = clientSession.getClient();
      493     SamlClient samlClient = new SamlClient(client);
      494     if (!(client instanceof ClientModel))
      495         return null;
      496     try {
      497         if (isLogoutPostBindingForClient(clientSession)) {
      498             String bindingUri = getLogoutServiceUrl(uriInfo, client, SAML_POST_BINDING); // reported as null once the POST logout URL is removed
      499             SAML2LogoutRequestBuilder logoutBuilder = createLogoutRequest(bindingUri, clientSession, client);
      500             JaxrsSAML2BindingBuilder binding = createBindingBuilder(samlClient);
      501             return binding.postBinding(logoutBuilder.buildDocument()).request(bindingUri); // frame SamlProtocol.java:501 in the trace above
      502         } else {
      503             logger.debug("frontchannel redirect binding");
      504             String bindingUri = getLogoutServiceUrl(uriInfo, client, SAML_REDIRECT_BINDING);
      505             SAML2LogoutRequestBuilder logoutBuilder = createLogoutRequest(bindingUri, clientSession, client);
      506             JaxrsSAML2BindingBuilder binding = createBindingBuilder(samlClient);
      507             return binding.redirectBinding(logoutBuilder.buildDocument()).request(bindingUri);
      508         }
      509     } catch (ConfigurationException e) {
      510         throw new RuntimeException(e);
      511     } catch (ProcessingException e) {
      512         throw new RuntimeException(e);
      513     } catch (IOException e) {
      514         throw new RuntimeException(e);
      515     } catch (ParsingException e) {
      516         throw new RuntimeException(e);
      517     }
      518


    Description

      A client's logout handling appears to get stuck between HTTP-POST and HTTP-Redirect. This can result in RH-SSO skipping the logout of an application during global logout.

      I wasn't able to figure out how to configure my way out of this issue. I had to delete the client and re-configure it with only the redirect logout url to resolve the issue.


            People

              mhajas@redhat.com Michal Hajas
              rhn-support-dehort Derek Horton

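One way to guard the binding choice described in the report, as an added example that is not Keycloak or RH-SSO code and not the fix that shipped: pick a logout binding only when its URL is actually configured, so a null URL never reaches URI.create() and a client with no usable endpoint is reported instead of silently skipped. The names LogoutBindingSelector, LogoutTarget, select and preferPost are hypothetical, and the URL is a constructed sample.

```java
import java.net.URI;
import java.util.Optional;

/** Added example (not Keycloak code): choose a SAML logout binding only if its URL is set. */
public class LogoutBindingSelector {

    enum Binding { POST, REDIRECT }

    /** Resolved logout endpoint: the binding plus a parsed, non-null URI. */
    record LogoutTarget(Binding binding, URI uri) {}

    private static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    /**
     * @param postUrl     configured HTTP-POST logout URL; may be null after it is removed
     * @param redirectUrl configured HTTP-Redirect logout URL; may be null
     * @param preferPost  what a check such as isLogoutPostBindingForClient() reported
     */
    static Optional<LogoutTarget> select(String postUrl, String redirectUrl, boolean preferPost) {
        Binding first = preferPost ? Binding.POST : Binding.REDIRECT;
        Binding second = preferPost ? Binding.REDIRECT : Binding.POST;
        for (Binding b : new Binding[] { first, second }) {
            String url = (b == Binding.POST) ? postUrl : redirectUrl;
            if (!isBlank(url)) {
                // Only a verified non-blank value is ever handed to URI.create().
                return Optional.of(new LogoutTarget(b, URI.create(url.trim())));
            }
        }
        return Optional.empty(); // no front-channel logout endpoint configured at all
    }

    public static void main(String[] args) {
        // Constructed values mirroring the report: POST URL removed, redirect URL
        // still set, while the binding preference still says POST.
        String redirect = "https://app2.example.test/saml/slo";
        Optional<LogoutTarget> target = select(null, redirect, true);
        System.out.println(target.map(t -> t.binding() + " -> " + t.uri())
                .orElse("client cannot be logged out"));

        // Nothing usable configured: the caller must surface this as a failed
        // logout for the client rather than continuing as if it had succeeded.
        System.out.println(select(" ", null, true).isPresent());
    }
}
```

The nested record requires Java 16 or later. The empty result is the case to alert on, since a client that is skipped during global logout keeps its application session.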