Skip to content

Improve defensiveness of logout logic#1492

Merged
monfresh merged 1 commit intomasterfrom
mb-oidc-logout
Jun 14, 2017
Merged

Improve defensiveness of logout logic#1492
monfresh merged 1 commit intomasterfrom
mb-oidc-logout

Conversation

@monfresh
Copy link
Contributor

@monfresh monfresh commented Jun 14, 2017

Why: A bug was discovered where an OIDC Service Provider's
configuration included attributes that are only meant for SAML,
namely assertion_consumer_logout_service_url. That attribute was
set to an empty string, but the logic in
SingleLogoutHandler#slo_not_implemented_at_sp? was checking for
nil? only, which caused SamlIdpController#logout to proceed all the
way to call generate_slo_request with a nil URL (instead of
returning early at finish_slo_at_idp), which resulted in an
exception in SecureHeadersWhitelister.extract_domain due to the nil
URL.

How: In addition to the empty SAML attribute, reproducing this bug
also requires that the user have an active identity with the OIDC SP.
In SAML, identities get deactivated during the logout process, but
OIDC identities remain active (which could be another bug).
This is why the spec signs the user in fully to the SP first to create
the identity, then signs out, then signs in again, but cancels the
sign in process on the 2FA screen.

Using blank? instead of nil? fixes the bug.

@monfresh monfresh requested a review from zachmargolis June 14, 2017 18:32
zachmargolis
zachmargolis approved these changes Jun 14, 2017
View reviewed changes
Copy link
Contributor

@zachmargolis zachmargolis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks for the fix

@monfresh
Improve defensiveness of logout logic
8f51d45 
**Why**: A bug was discovered where an OIDC Service Provider's
configuration included attributes that are only meant for SAML,
namely `assertion_consumer_logout_service_url`. That attribute was
set to an empty string, but the logic in
`SingleLogoutHandler#slo_not_implemented_at_sp?` was checking for
`nil?` only, which caused `SamlIdpController#logout` to proceed all the
way to call `generate_slo_request` with a nil URL (instead of
returning early at `finish_slo_at_idp`), which resulted in an
exception in `SecureHeadersWhitelister.extract_domain` due to the `nil`
URL.

**How**: In addition to the empty SAML attribute, reproducing this bug
also requires that the user have an active identity with the OIDC SP.
In SAML, identities get deactivated during the logout process, but
OIDC identities remain active (which could be another bug).
This is why the spec signs the user in fully to the SP first to create
the identity, then signs out, then signs in again, but cancels the
sign in process on the 2FA screen.

Using `blank?` instead of `nil?` fixes the bug.
@monfresh monfresh merged commit a51222a into master Jun 14, 2017
@monfresh monfresh deleted the mb-oidc-logout branch June 14, 2017 20:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@zachmargolis zachmargolis zachmargolis approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

status - ready for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@monfresh @zachmargolis