IllegalStateException in view-state CallFrontChannelLogoutUriView
Description
Environment
IdP 5.1.3
Plugin: net.shibboleth.idp.plugin.nashorn Current Version: 2.0.0
Plugin: net.shibboleth.plugin.storage.jdbc Current Version: 2.0.1
Plugin: net.shibboleth.idp.plugin.oidc.config Current Version: 2.2.0
Plugin: net.shibboleth.idp.plugin.oidc.op Current Version: 4.2.0
Plugin: net.shibboleth.oidc.common Current Version: 3.2.0
Attachments
is caused by
Activity

Steffen Hofmann, January 27, 2025 at 6:08 PM
I have tested the change. There are now no more errors. The behavior is as expected. Thank you Henri! 🎉

Henri Mikkonen, January 22, 2025 at 8:24 AM
Refactored the logoutprop/oidc flow: moved the EncodeMessage action from the DoFrontChannelLogout state into the LogoutPending state.
This means that it'll be called solely when front-channel logout propagation is performed with the frontChannelSuccess option set to false, which is the default. If the option is set to true, then the front-channel logout URI is called via iframe in the CallFrontChannelLogoutUriView view. In that case, the response doesn't need to be encoded in the same way, as the logout URI to the iframe is obtained directly from the outbound message object.

Steffen Hofmann, January 21, 2025 at 4:57 PM
As we need to send the browser to the external URI, we don’t really have any means to check the response. That’s why the front-channel logout propagation results are considered as non-success in the UI by default, similarly to SAML.
Thank you Henri. Then I understood it and my idea to change the behavior with the property 'idp.oidc.logout.frontChannelSuccess = true' was the right way.

Henri Mikkonen, January 21, 2025 at 12:42 PM
It’s a regression caused by . As a part of that work, all uses of Location headers within Nimbus response messages were switched into using HttpServletResponse.sendRedirect(..) instead. That broke the logic of the front-channel propagation flow whenever the frontChannelSuccess option is set to true. It’s false by default, and our tests didn’t cover that. I’ll investigate what’s the best way to fix it.
What must be returned when requesting the URL under frontchannel_logout_uri so that it is interpreted as a success? Status code 200 is not sufficient for my tests.
As we need to send the browser to the external URI, we don’t really have any means to check the response. That’s why the front-channel logout propagation results are considered as non-success in the UI by default, similarly to SAML.

Steffen Hofmann, January 20, 2025 at 4:15 PM
Hello Henri,
nice to talk to you again about the logout :-).
I can confirm that the error only occurs when idp.oidc.logout.frontChannelSuccess = true is set.
Only then is the view-state CallFrontChannelLogoutUriView called and the exception thrown.
What must be returned when requesting the URL under frontchannel_logout_uri so that it is interpreted as a success? Status code 200 is not sufficient for my tests.
Let me know if I can help you.
Best regards from Berlin
Steffen
When using the FrontChannelLogout, an IllegalStateException occurs in the view-state CallFrontChannelLogoutUriView.
I am attaching the log output.
I have not yet looked at this with the debugger and hope that the log lines will give me an idea. Otherwise I'll check it in more detail.