Initiate logout flow oauth2/auth

notNeo · August 17, 2020, 6:49am

is the logout request only for openid?

I can request the login, consent and presumably the logout per oauth2/auth.
this model indicates the necessary data, needed for a logout to be successfull

github.com

ory/hydra-client-go/blob/master/models/logout_request.go#L16


// Editing this file might prove futile when you re-run the swagger generate command

import (
	"github.com/go-openapi/strfmt"
	"github.com/go-openapi/swag"
)

// LogoutRequest Contains information about an ongoing logout request.
//
// swagger:model logoutRequest
type LogoutRequest struct {

	// RequestURL is the original Logout URL requested.
	RequestURL string `json:"request_url,omitempty"`

	// RPInitiated is set to true if the request was initiated by a Relying Party (RP), also known as an OAuth 2.0 Client.
	RpInitiated bool `json:"rp_initiated,omitempty"`

	// SessionID is the login session ID that was requested to log out.
	Sid string `json:"sid,omitempty"`

is the session_id to be set at login, does hydra set one at random or is another variable responsible in case it is missing, such as the login_verifier?

tl;dr
how would one go about and logging out a client which has an access token?
I could not find any resources except for openid.

vinckr · August 18, 2020, 12:12pm

An Access Token (proof of authorization) is not the same thing as a “login session”
(which is what we have OpenID Connect for).

From the docs:
" A logout request may be initiated by the OpenID Provider (OP - you ) or by the Relying Party (RP - the OAuth2 Client):
The RP-initiated flow needs an id_token_hint and may optionally define state and post_logout_redirect_uri .

About the session_id:
“LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the “sid” parameter in the ID Token and in OIDC Front-/Back- channel logout. It’s value can generally be used to associate consecutive login requests by a certain user.”

Let me know if that helped!

notNeo · August 17, 2020, 12:53pm

atm i don’t bother about openID and just try to get the basics right.

I know that a logout won’t invalidate an access_token.
but there is a logout endpoint for “/oauth2/auth/requests/logout”, which appears to be for the relaying party (client). correct me if I’m wrong

I can’t find any model conforming to the requirements as pointed out by the documentation thus my question. but I had the same problem with the login flow and deduced the needed params from the link in the consent-node, which isn’t practical. i can’t do the same for the logout because I can’t get logout to work properly. (“unable to fetch the requested resource”)

maybe there is documentation or code that I missed you could point me to?

EDIT:
the login request (containing the Sid) results if sent only in a response containing the csrf and a 302 to a location containing the challenge. but not the random Sid which has purposedly been set automatically

hackerman · August 17, 2020, 12:57pm

I don’t really understand the question, what are you trying to do, what are you expecting to happen, and what happens instead?

notNeo · August 17, 2020, 1:38pm

there is the request to get the login challenge, the url containing the following:

[
“client_id”: “auth-code-client”,
“nonce”: nonce,
“redirect_uri”: “http://127.0.0.1:5555/callback”,
“response_type”: “code”,
“scope”: “openid offline”,
“state”: state
]

I want to acquire equal information to succeed at the logout endpoint at “/oauth2/auth/requests/logout”

ps: the “nonce” and the “state” are placeholders for the random string

hackerman · August 17, 2020, 1:50pm

So you want to see, for example, the ClientID associated with the logout request?

notNeo · August 18, 2020, 6:12am

I guess I am expressing myself in an unclear fashion.
I have no clue how the information itself stands out especially in my formulation, so I will try again.

my goal is to get the logout_challenge. which parameters do I have to encode into the url? and which endpoint do I have to address? is it documented? can someone point me to the source, where it is implemented?

EDIT:
I am looking for the logout equivalent of this:

github.com

ory/hydra/blob/master/cmd/token_user.go#L152


			RedirectURL: redirectUrl,
			Scopes:      scopes,
		}

		state, err := randx.RuneSequence(24, randx.AlphaLower)
		cmdx.Must(err, "Could not generate random state: %s", err)

		nonce, err := randx.RuneSequence(24, randx.AlphaLower)
		cmdx.Must(err, "Could not generate random state: %s", err)

		authCodeURL := conf.AuthCodeURL(
			string(state),
			oauth2.SetAuthURLParam("audience", strings.Join(audience, "+")),
			oauth2.SetAuthURLParam("nonce", string(nonce)),
			oauth2.SetAuthURLParam("prompt", strings.Join(prompt, "+")),
			oauth2.SetAuthURLParam("max_age", strconv.Itoa(maxAge)),
		)

		if !flagx.MustGetBool(cmd, "no-open") {
			_ = webbrowser.Open(serverLocation) // ignore errors
		}

notNeo · August 18, 2020, 12:12pm

okay I may have sounded more aggressive than I like to admit.

the logout flow is well documented. my mistake was disregarding the endpoint “/oauth2/sessions” for it not being documented in its own section.

vinckr · August 18, 2020, 12:21pm

Dont worry about it!
Implementing this on your own can often be frustrating, because it is quite complex, even with documentation.

hackerman is unfortunately busy at the moment, but I am certain he will get back to your issue, when there is some free time.

vinckr · August 18, 2020, 12:54pm

By the way, I was just looking through older issues on ORY Hydra.
Is this related to your problem?
Add oAuth2Client to logoutRequest similar to loginRequest. #1483

notNeo · August 18, 2020, 2:31pm

well I don’t like the approach of using a separate client_id for each user. I would rather use the subject
field to differentiate users while the client_id could represent the service serving to the user. something like “mobile_app”.

I suppose there is no issue of subjects from the same client identifying as another.

vinckr · August 19, 2020, 3:44pm

Does this adress your problem?

hackerman · August 21, 2020, 9:15am

Ok so your problem is resolved then?

Yes, please don’t use client_ids as a substitute for users!