lua-resty-openidc
Keycloak revoke tokens issue
Hello, please comment on this issue... The case reproduces in the Firefox browser; in Chrome it works OK.
Scenario:
- User logs in, then logs out.
- The user changes the clock on the machine back in time, e.g. from 2PM to 1PM.
- User logs in, then logs out.
Expected behaviour
User is logged out
Actual behaviour
User still is logged in
What Firefox does is get confused: it treats the previous requests from the first login as the latest ones and uses them when sending cookies.
But where I have concerns is the fact that after logout, the user's browser only gets a suggestion not to use the previous session/cookies.
I assumed that this is where the following option comes in: revoke_tokens_on_logout = true
However, it did not solve my problem and, as revealed in the DEBUG log, the Keycloak well-known-configuration response did not have an endpoint to revoke refresh/access tokens.
Is my Keycloak configuration wrong? Does Keycloak even provide such an option? I assume it should: https://openid.net/specs/openid-connect-core-1_0.html#TokenLifetime https://tools.ietf.org/html/rfc7009
Environment
- lua-resty-openidc version 1.7.1
- OpenID Connect provider Keycloak 5.0.0
- browser Firefox 68.0.1
- client OS: ubuntu
{
'issuer':'https://10.32.202.52/auth/realms/zzzzz',
'authorization_endpoint':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/auth',
'token_endpoint':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/token',
'token_introspection_endpoint':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/token/introspect',
'userinfo_endpoint':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/userinfo',
'end_session_endpoint':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/logout',
'jwks_uri':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/certs',
'check_session_iframe':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/login-status-iframe.html',
'grant_types_supported':[
'authorization_code',
'implicit',
'refresh_token',
'password',
'client_credentials'
],
'response_types_supported':[
'code',
'none',
'id_token',
'token',
'id_token token',
'code id_token',
'code token',
'code id_token token'
],
'subject_types_supported':[
'public',
'pairwise'
],
'id_token_signing_alg_values_supported':[
'ES384',
'RS384',
'HS256',
'HS512',
'ES256',
'RS256',
'HS384',
'ES512',
'RS512'
],
'userinfo_signing_alg_values_supported':[
'ES384',
'RS384',
'HS256',
'HS512',
'ES256',
'RS256',
'HS384',
'ES512',
'RS512',
'none'
],
'request_object_signing_alg_values_supported':[
'ES384',
'RS384',
'ES256',
'RS256',
'ES512',
'RS512',
'none'
],
'response_modes_supported':[
'query',
'fragment',
'form_post'
],
'registration_endpoint':'https://10.32.202.52/auth/realms/zzzzz/clients-registrations/openid-connect',
'token_endpoint_auth_methods_supported':[
'private_key_jwt',
'client_secret_basic',
'client_secret_post',
'client_secret_jwt'
],
'token_endpoint_auth_signing_alg_values_supported':[
'RS256'
],
'claims_supported':[
'aud',
'sub',
'iss',
'auth_time',
'name',
'given_name',
'family_name',
'preferred_username',
'email'
],
'claim_types_supported':[
'normal'
],
'claims_parameter_supported':false,
'scopes_supported':[
'openid',
'phone',
'email',
'address',
'web-origins',
'roles',
'profile',
'offline_access'
],
'request_parameter_supported':true,
'request_uri_parameter_supported':true,
'code_challenge_methods_supported':[
'plain',
'S256'
],
'tls_client_certificate_bound_access_tokens':true,
'introspection_endpoint':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/token/introspect'
}
-501-edge-01","log":{"message":"46#46: *24 [lua] openidc.lua:1351: authenticate(): Logout path (/logout) is currently navigated -> Processing local session removal before redirecting to next step of logout process, client: 10.158.100.1, server: _, request: 'GET /logout HTTP/2.0', host: '10.32.202.52', referrer: 'https://10.32.202.52/'"}}
{"type":"log","level":"ERROR","facility":"23","time":"2019-07-30T12:38:21+00:00","timezone":"Etc/UTC","process":"nginx","system":"MY nginx","systemid":"MY-MY-ingress-controller-dnh9q","host":"myhost","log":{"message":"46#46: *24 [lua] openidc.lua:550: openidc_discover(): openidc_discover: URL is: https://10.32.202.52/auth/realms/zzzzz/.well-known/openid-configuration, client: 10.158.100.1, server: _, request: 'GET /logout HTTP/2.0', host: '10.32.202.52', referrer: 'https://10.32.202.52/'"}}
{"type":"log","level":"ERROR","facility":"23","time":"2019-07-30T12:38:21+00:00","timezone":"Etc/UTC","process":"nginx","system":"MY nginx","systemid":"MY-MY-ingress-controller-dnh9q","host":"myhost","log":{"message":"46#46: *24 [lua] openidc.lua:556: openidc_discover(): discovery data not in cache, making call to discovery endpoint, client: 10.158.100.1, server: _, request: 'GET /logout HTTP/2.0', host: '10.32.202.52', referrer: 'https://10.32.202.52/'"}}
{"type":"log","level":"ERROR","facility":"23","time":"2019-07-30T12:38:21+00:00","timezone":"Etc/UTC","process":"nginx","system":"MY nginx","systemid":"MY-MY-ingress-controller-dnh9q","host":"myhost","log":{"message":"46#46: *24 [lua] openidc.lua:397: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy, client: 10.158.100.1, server: _, request: 'GET /logout HTTP/2.0', host: '10.32.202.52', referrer: 'https://10.32.202.52/'"}}
{"type":"log","level":"ERROR","facility":"23","time":"2019-07-30T12:38:21+00:00","timezone":"Etc/UTC","process":"nginx","system":"MY nginx","systemid":"MY-MY-ingress-controller-dnh9q","host":"myhost","log":{"message":"46#46: *24 [lua] openidc.lua:568: openidc_discover(): response data: {'issuer':'https://10.32.202.52/auth/realms/zzzzz','authorization_endpoint':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/auth','token_endpoint':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/token','token_introspection_endpoint':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/token/introspect','userinfo_endpoint':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/userinfo','end_session_endpoint':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/logout','jwks_uri':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/certs','check_session_iframe':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/login-status-iframe.html','grant_types_supported':['authorization_code','implicit','refresh_token','password','client_credentials'],'response_types_supported':['code','none','id_token','token','id_token token','code id_token','code token','code id_token token'],'subject_types_supported':['public','pairwise'],'id_token_signing_alg_values_supported':['ES384','RS384','HS256','HS512','ES256','RS256','HS384','ES512','RS512'],'userinfo_signing_alg_values_supported':['ES384','RS384','HS256','HS512','ES256','RS256','HS384','ES512','RS512','none'],'request_object_signing_alg_values_supported':['ES384','RS384','ES256','RS256','ES512','RS512','none'],'response_modes_supported':['query','fragment','form_post'],'registration_endpoint':'https://10.32.202.52/auth/realms/zzzzz/clients-registrations/openid-connect','token_endpoint_auth_methods_supported':['private_key_jwt','client_secret_basic','client_secret_post','client_secret_jwt'],'token_endpoint_auth_signing_alg_values_supported':['RS256'],'claims_supported':['aud','sub','iss','auth_time','name','given_name','family_name','preferred_username','email'],'claim_types_supported':['normal'],'claims_parameter_supported':false,'scopes_supported':['openid','phone','email','address','web-origins','roles','profile','offline_access'],'request_parameter_supported':true,'request_uri_parameter_supported':true,'code_challenge_methods_supported':['plain','S256'],'tls_client_certificate_bound_access_tokens':true,'introspection_endpoint':'https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/token/introspect'}, client: 10.158.100.1, server: _, request: 'GET /logout HTTP/2.0', host: '10.32.202.52', referrer: 'https://10.32.202.52/'"}}
{"type":"log","level":"ERROR","facility":"23","time":"2019-07-30T12:38:21+00:00","timezone":"Etc/UTC","process":"nginx","system":"MY nginx","systemid":"MY-MY-ingress-controller-dnh9q","host":"myhost","log":{"message":"46#46: *24 [lua] openidc.lua:626: openidc_get_token_auth_method(): 1 => private_key_jwt, client: 10.158.100.1, server: _, request: 'GET /logout HTTP/2.0', host: '10.32.202.52', referrer: 'https://10.32.202.52/'"}}
{"type":"log","level":"ERROR","facility":"23","time":"2019-07-30T12:38:21+00:00","timezone":"Etc/UTC","process":"nginx","system":"MY nginx","systemid":"MY-MY-ingress-controller-dnh9q","host":"myhost","log":{"message":"46#46: *24 [lua] openidc.lua:72: supported(): Can't use private_key_jwt without opts.client_rsa_private_key, client: 10.158.100.1, server: _, request: 'GET /logout HTTP/2.0', host: '10.32.202.52', referrer: 'https://10.32.202.52/'"}}
{"type":"log","level":"ERROR","facility":"23","time":"2019-07-30T12:38:21+00:00","timezone":"Etc/UTC","process":"nginx","system":"MY nginx","systemid":"MY-MY-ingress-controller-dnh9q","host":"myhost","log":{"message":"46#46: *24 [lua] openidc.lua:626: openidc_get_token_auth_method(): 2 => client_secret_basic, client: 10.158.100.1, server: _, request: 'GET /logout HTTP/2.0', host: '10.32.202.52', referrer: 'https://10.32.202.52/'"}}
{"type":"log","level":"ERROR","facility":"23","time":"2019-07-30T12:38:21+00:00","timezone":"Etc/UTC","process":"nginx","system":"MY nginx","systemid":"MY-MY-ingress-controller-dnh9q","host":"myhost","log":{"message":"46#46: *24 [lua] openidc.lua:629: openidc_get_token_auth_method(): no configuration setting for option so select the first supported method specified by the OP: client_secret_basic, client: 10.158.100.1, server: _, request: 'GET /logout HTTP/2.0', host: '10.32.202.52', referrer: 'https://10.32.202.52/'"}}
{"type":"log","level":"ERROR","facility":"23","time":"2019-07-30T12:38:21+00:00","timezone":"Etc/UTC","process":"nginx","system":"MY nginx","systemid":"MY-MY-ingress-controller-dnh9q","host":"myhost","log":{"message":"46#46: *24 [lua] openidc.lua:643: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_basic, client: 10.158.100.1, server: _, request: 'GET /logout HTTP/2.0', host: '10.32.202.52', referrer: 'https://10.32.202.52/'"}}
{"type":"log","level":"ERROR","facility":"23","time":"2019-07-30T12:38:21+00:00","timezone":"Etc/UTC","process":"nginx","system":"MY nginx","systemid":"MY-MY-ingress-controller-dnh9q","host":"myhost","log":{"message":"46#46: *24 [lua] openidc.lua:1184: openidc_logout(): revoke_tokens_on_logout is enabled. trying to revoke access and refresh tokens..., client: 10.158.100.1, server: _, request: 'GET /logout HTTP/2.0', host: '10.32.202.52', referrer: 'https://10.32.202.52/'"}}
{"type":"log","level":"ERROR","facility":"23","time":"2019-07-30T12:38:21+00:00","timezone":"Etc/UTC","process":"nginx","system":"MY nginx","systemid":"MY-MY-ingress-controller-dnh9q","host":"myhost","log":{"message":"46#46: *24 [lua] openidc.lua:1140: openidc_revoke_token(): no revocation endpoint supplied. unable to revoke refresh_token., client: 10.158.100.1, server: _, request: 'GET /logout HTTP/2.0', host: '10.32.202.52', referrer: 'https://10.32.202.52/'"}}
{"type":"log","level":"ERROR","facility":"23","time":"2019-07-30T12:38:21+00:00","timezone":"Etc/UTC","process":"nginx","system":"MY nginx","systemid":"MY-MY-ingress-controller-dnh9q","host":"myhost","log":{"message":"46#46: *24 [lua] openidc.lua:1140: openidc_revoke_token(): no revocation endpoint supplied. unable to revoke access_token., client: 10.158.100.1, server: _, request: 'GET /logout HTTP/2.0', host: '10.32.202.52', referrer: 'https://10.32.202.52/'"}}
I believe it is an issue with Firefox not throwing away cookies that it should throw away. This link may help: https://support.mozilla.org/en-US/questions/943191 ; someone would need to dig in and confirm...
Does anyone know if it's possible to revoke access and refresh tokens via this library with Keycloak?
No, it's not, but it wouldn't be too hard to add it either in the library or in the calling code.
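The log above shows why revoke_tokens_on_logout has no effect here: the library looks for a revocation_endpoint in the discovery document, and the Keycloak 5.0.0 document pasted in the issue advertises end_session_endpoint and introspection_endpoint but no revocation_endpoint, so the refresh and access tokens stay valid at the OP until they expire even though the local session cookie is removed. The following is an added example (not code from lua-resty-openidc or Keycloak) that checks a discovery document for the endpoints a complete logout depends on and builds the RFC 7009 revocation request an RP would send if the OP advertised one. The discovery document is a constructed subset of the one in the issue, normalised to valid JSON; the client_id, client_secret and token values are placeholders, and https://op.example/revoke is a hypothetical endpoint used only to show the request shape.

```python
"""Check an OpenID Connect discovery document for the endpoints a complete
logout needs, and build the RFC 7009 revocation request an RP would send.
Added example; not part of lua-resty-openidc or Keycloak."""
import base64
import json
from urllib.parse import quote, urlencode

# Constructed sample: the Keycloak 5.0.0 discovery document from the issue,
# reduced to the keys this check looks at and normalised to valid JSON
# (the pasted copy used single quotes). Note: no "revocation_endpoint".
KEYCLOAK_DISCOVERY = json.loads("""{
  "issuer": "https://10.32.202.52/auth/realms/zzzzz",
  "token_endpoint": "https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/token",
  "end_session_endpoint": "https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/logout",
  "introspection_endpoint": "https://10.32.202.52/auth/realms/zzzzz/protocol/openid-connect/token/introspect",
  "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic",
                                            "client_secret_post", "client_secret_jwt"]
}""")


def revocation_endpoint(discovery):
    """Return the RFC 8414 'revocation_endpoint' if the OP advertises one, else None.
    This is the condition behind the 'no revocation endpoint supplied' log line."""
    return discovery.get("revocation_endpoint")


def logout_plan(discovery):
    """Which logout steps an RP can actually perform with this discovery document."""
    return {
        "local_session_removed": True,  # always: the RP deletes its own session
        "op_session_ended": "end_session_endpoint" in discovery,  # RP-initiated logout redirect
        "tokens_revoked": revocation_endpoint(discovery) is not None,  # RFC 7009
    }


def build_revocation_request(endpoint, token, token_type_hint, client_id, client_secret):
    """RFC 7009 section 2.1 request, authenticated with client_secret_basic
    (RFC 6749 section 2.3.1: id and secret are form-urlencoded, then base64)."""
    if token_type_hint not in ("access_token", "refresh_token"):
        raise ValueError("token_type_hint must be access_token or refresh_token")
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {
            "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"token": token, "token_type_hint": token_type_hint}),
    }


if __name__ == "__main__":
    print(logout_plan(KEYCLOAK_DISCOVERY))
    if revocation_endpoint(KEYCLOAK_DISCOVERY) is None:
        print("OP advertises no revocation_endpoint: tokens stay valid until expiry")
    # Hypothetical OP that does advertise revocation (placeholder URL and credentials),
    # to show what the library would have to send for the refresh token:
    sample = dict(KEYCLOAK_DISCOVERY, revocation_endpoint="https://op.example/revoke")
    print(build_revocation_request(revocation_endpoint(sample), "<refresh token>",
                                   "refresh_token", "<client_id>", "<client_secret>"))
```

For the issue's scenario this means the RP-side logout can at best remove its own session and redirect to end_session_endpoint; without a revocation_endpoint there is nothing to POST to, so a token that was captured before logout (or, as in the Firefox report, a cookie the browser keeps reusing) is only limited by the token lifetimes configured on the Keycloak realm.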