
List:       wsas-java-dev
Subject:    Re: [Dev] IS 5.3.0 - OpenID Connect Logout
From:       "Vazquez-Hidalgo, Javier" <Javier.Vazquez-Hidalgo () tdsecurities ! com>
Date:       2017-06-27 16:12:50
Message-ID: d8f6ec3344f347c0bf55fde449f57ad5 () BLUPR27MB0067 ! 066d ! mgd ! msft ! net


Hi Farasath,

Thank you very much for the info, you nailed it. One thing to add for anyone wanting to provide OpenID logout with redirection is that the id_token had to be signed, otherwise IS fails to validate the token.

Regards,
Javier

From: Farasath Ahamed [mailto:farasatha@wso2.com]
Sent: Friday, June 23, 2017 4:56 AM
To: Vazquez-Hidalgo, Javier
Cc: dev@wso2.org
Subject: Re: [Dev] IS 5.3.0 - OpenID Connect Logout

In order to redirect to application home page after logout, you can use the post_logout_redirect_uri and id_token_hint query parameters.

URL Template would be
https://localhost:9443/oidc/logout?post_logout_redirect_uri=<redirect-url>&id_token_hint=<id-token>



Sample URL
https://localhost:9443/oidc/logout?post_logout_redirect_uri=http://localhost:8080/playground2/&id_token_hint=eyJhbGciOiJSUzI1NiIsIng1dCI6Ik5tSm1PR1V4TXpabFlqTTJaRFJoTlRabFlUQTFZemRoWlRSaU9XRTBOV0kyTTJKbU9UYzFaQSIsImtpZCI6ImQwZWM1MTRhMzJiNmY4OGMwYWJkMTJhMjg0MDY5OWJkZDNkZWJhOWQifQ.eyJhdXRoX3RpbWUiOjE0OTUxNDE2MTEsImV4cCI6MTQ5NTE0NTIzOSwic3ViIjoiYWRtaW4iLCJhenAiOiI3THd6OE9vVmRSUGNhY1BfZjI0WEYxTWo4N3NhIiwiYXRfaGFzaCI6IlV5NzJrVHVQbHlrWkR4R0hhZzh5M0EiLCJhdWQiOlsiN0x3ejhPb1ZkUlBjYWNQX2YyNFhGMU1qODdzYSJdLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJpYXQiOjE0OTUxNDE2Mzl9.cNzJ4Iu7cep1XJhj79uO6blpGIo0V8zDgLtn35pL9QV-zhQmgShuzvAt6gc8mRP6KIAlIOjGP2-OIKG52WNqRlWmEmlH7dPnvKAsRrxMLPu1cWrVsld9dqbhCxHTpa0vNrkMnUJ5v_wR_P495B-7dH5OKqG8MiR2qdoqA7h85mA



Please note that this redirect_uri needs to be one of the callback URIs that you registered with the OAuth app. Multiple callback URIs can be registered for OAuth using regexes as below. Refer [1].

For example you have,

callback uri --> https://localhost/callback
redirect uri after logout --> https://localhost/home

set the callback uri in SP config as regexp=(https://localhost/callback|https://localhost/home)



[1] https://omindu.wordpress.com/tag/multiple-callbacks/




Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: http://blog.farazath.com
Twitter: @farazath619 (https://twitter.com/farazath619)




On Fri, Jun 23, 2017 at 4:58 AM, Vazquez-Hidalgo, Javier <Javier.Vazquez-Hidalgo@tdsecurities.com> wrote:

Hello,

I have an application that acquires an access token for a user, then I logout the user by redirecting to https://idp_hostname:9443/oidc/logout. This flow is working and I get the screen below at (https://idp_hostname:9443/authenticationendpoint/oauth2_logout.do)


[inline image: image001.png]


My question is, how can I redirect the user back to my application? Is there a query parameter I can pass e.g. https://idp_hostname:9443/oidc/logout?redirectUrl=http://myapp/?



Thanks,
Javier Vazquez



_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
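The following is an added example, not code from the thread, from WSO2 or from Identity Server itself. It puts the two halves of the discussion side by side: on the relying-party side, building the logout URL from the template Farasath gave and doing the cheap structural checks on the id_token that would have caught the unsigned token Javier describes (alg "none" or an empty signature segment; the RP cannot verify the signature itself, only the IdP that holds the key can); and on the provider side, an illustrative allow-list check of post_logout_redirect_uri against a "regexp=(...)" callback setting of the form shown above. The endpoint, client_id (the azp/aud of the posted token), issuer and regexp string are taken from the thread; the id_token is constructed with a placeholder signature and a hypothetical kid, and the provider-side check is my illustration of the principle, not a description of how IS implements it.

```python
import base64
import json
import re
from urllib.parse import urlencode

# Values from the thread: logout endpoint, client_id (azp/aud in the posted
# token), issuer, and the regexp callback setting. The id_token built below is
# CONSTRUCTED for this example with a placeholder signature and a hypothetical
# kid; it is not the token posted on the list and would not pass an IdP's
# signature check.
LOGOUT_ENDPOINT = "https://localhost:9443/oidc/logout"
CLIENT_ID = "7Lwz8OoVdRPcacP_f24XF1Mj87sa"
ISSUER = "https://localhost:9443/oauth2/token"
REGISTERED_CALLBACK = "regexp=(https://localhost/callback|https://localhost/home)"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(alg: str = "RS256", signature: bytes = b"\x00" * 16) -> str:
    """Constructed id_token with the claim layout of the token in the thread.
    alg="none" with signature=b"" gives the unsigned shape Javier reports IS rejecting."""
    header = {"alg": alg, "kid": "example-kid"}  # hypothetical kid
    iat = 1495141639  # iat of the token posted on the list
    payload = {
        "iss": ISSUER, "sub": "admin", "aud": [CLIENT_ID], "azp": CLIENT_ID,
        "auth_time": iat - 28, "iat": iat, "exp": iat + 3600,
    }
    segments = [_b64url(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    segments.append(_b64url(signature) if signature else "")
    return ".".join(segments)


def build_logout_url(id_token: str, post_logout_redirect_uri: str) -> str:
    """RP side: the URL template from the thread, with both values percent-encoded."""
    query = urlencode({
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "id_token_hint": id_token,
    })
    return f"{LOGOUT_ENDPOINT}?{query}"


def rp_precheck_id_token(id_token: str) -> list:
    """RP side: structural checks before sending a token as id_token_hint.
    Returns a list of problems; empty means the token is worth sending.
    This does not verify the signature, it only rejects tokens that have none."""
    problems = []
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected header.payload.signature)"]
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    if str(header.get("alg", "none")).lower() == "none" or parts[2] == "":
        problems.append("unsigned id_token (alg=none or empty signature)")
    if payload.get("iss") != ISSUER:
        problems.append(f"unexpected iss {payload.get('iss')!r}")
    aud = payload.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if CLIENT_ID not in aud:
        problems.append("aud does not contain this client_id")
    return problems


def callback_pattern(registered: str):
    """Turn the SP callback setting into a pattern: a regexp=(...) value is a
    regex, anything else is a literal URI."""
    if registered.startswith("regexp="):
        return re.compile(registered[len("regexp="):])
    return re.compile(re.escape(registered))


def idp_redirect_allowed(registered: str, uri: str) -> bool:
    """IdP side (illustration, not IS's implementation): the whole
    post_logout_redirect_uri must match the registered pattern."""
    return callback_pattern(registered).fullmatch(uri) is not None


def idp_redirect_allowed_prefix_bug(registered: str, uri: str) -> bool:
    """Same check with re.match, which anchors only at the start: any URI that
    merely begins with an allowed alternative is accepted (open redirect)."""
    return callback_pattern(registered).match(uri) is not None


if __name__ == "__main__":
    token = make_sample_id_token()
    print(rp_precheck_id_token(token))  # []
    print(rp_precheck_id_token(make_sample_id_token("none", b"")))
    print(build_logout_url(token, "http://localhost:8080/playground2/"))
    evil = "https://localhost/homepage.attacker.example"
    print(idp_redirect_allowed(REGISTERED_CALLBACK, "https://localhost/home"))  # True
    print(idp_redirect_allowed(REGISTERED_CALLBACK, evil))  # False
    print(idp_redirect_allowed_prefix_bug(REGISTERED_CALLBACK, evil))  # True
```

The last two calls are the practitioner's caveat on regex callbacks: because the SP setting is a regular expression, the server-side comparison has to be a full match, and any literal dots in real hostnames should be escaped in the pattern; otherwise the logout redirect becomes an open redirect to anything that starts with an allowed URI.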


