Conversation
This is not currently working even though it should if I'm understanding everything correctly. The feature spec I wrote passed with the old remote logout implementation (nullifying
**Why:** the way this currently worked led to the user's session being cleared on subsequent visits, which meant that any authentication request information was lost. This correctly deletes the session from the Redis cache. changelog: Bug Fixes, Authentication, Fix issue with SAML remote logout causing subsequent authentication requests not to redirect correctly
Force-pushed 7d9f139 to 2f3bc32
orenyk
commented
Feb 25, 2022
Verified that this works locally with Postman - sending the remote logout request via Postman logged out the user in the browser.
**Why:** The recent updates were not actually working - we were using the incorrect session key to invalidate the session in redis. This update stores the session ID on the SP identity record during SAML authentication (similar to OIDC) so that it can be retrieved during remote logout. This is actually a safer behavior since it means that a user will only be logged out if the session they logged in with is still valid (whereas before they would have been logged out regardless if they had started a new Login.gov session after authenticating to the SP). [skip changelog] # covered by entry in #5990
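The session-targeting behaviour described in the commit message above, modelled as an added Ruby example. This is not code from the Login.gov repository: the Redis session cache, the identity record and its fields, the session key layout and the user/SP values are all stand-ins constructed for the example. It shows why recording the login session's ID on the SP identity record lets a remote logout remove exactly that session, and why a newer Login.gov session started afterwards is left alone.

```ruby
# Added example, not Login.gov's code: a toy model of the remote-logout flow.
require 'securerandom'

# Stand-in for the Redis-backed session cache (constructed for this example).
class SessionCache
  def initialize
    @sessions = {}
  end

  # Key layout is an assumption; the real prefix is an implementation detail.
  def key_for(session_id)
    "session:#{session_id}"
  end

  # Starts a new Login.gov session for the user and returns its ID.
  def create(user_uuid)
    session_id = SecureRandom.hex(16)
    @sessions[key_for(session_id)] = { user_uuid: user_uuid }
    session_id
  end

  def active?(session_id)
    @sessions.key?(key_for(session_id))
  end

  # Returns true only if a session was actually removed.
  def delete(session_id)
    !@sessions.delete(key_for(session_id)).nil?
  end
end

# Stand-in for the SP identity record; :session_id is the field the commit
# message says is now stored during SAML authentication (as OIDC already did).
Identity = Struct.new(:user_uuid, :sp_issuer, :session_id, keyword_init: true)

class IdentityStore
  def initialize
    @by_key = {}
  end

  def find(user_uuid, sp_issuer)
    @by_key[[user_uuid, sp_issuer]]
  end

  def upsert(user_uuid, sp_issuer, session_id)
    @by_key[[user_uuid, sp_issuer]] =
      Identity.new(user_uuid: user_uuid, sp_issuer: sp_issuer, session_id: session_id)
  end
end

# SAML authentication: remember which session performed the login so a later
# remote logout can target it precisely instead of guessing a key.
def saml_authenticate(identities, user_uuid, sp_issuer, session_id)
  identities.upsert(user_uuid, sp_issuer, session_id)
end

# SP-initiated remote logout: delete the session recorded on the identity, but
# only if it is still alive. Returns :logged_out, :no_identity or
# :session_already_gone.
def remote_logout(cache, identities, user_uuid, sp_issuer)
  identity = identities.find(user_uuid, sp_issuer)
  return :no_identity if identity.nil?
  return :session_already_gone unless identity.session_id && cache.active?(identity.session_id)

  cache.delete(identity.session_id)
  :logged_out
end

# Walks through both situations the commit message contrasts.
def run_scenarios
  user = 'user-uuid-1'   # constructed
  sp = 'urn:example:sp'  # constructed SP issuer
  results = {}

  # Case 1: the session that authenticated to the SP is still alive; a second
  # unrelated session (e.g. another browser) exists at the same time.
  cache = SessionCache.new
  identities = IdentityStore.new
  login_session = cache.create(user)
  saml_authenticate(identities, user, sp, login_session)
  other_session = cache.create(user)
  results[:same_session] = remote_logout(cache, identities, user, sp)
  results[:login_session_active] = cache.active?(login_session)
  results[:other_session_active] = cache.active?(other_session)

  # Case 2: the login session already ended and the user started a new
  # Login.gov session without re-authenticating to the SP.
  cache = SessionCache.new
  identities = IdentityStore.new
  login_session = cache.create(user)
  saml_authenticate(identities, user, sp, login_session)
  cache.delete(login_session)
  new_session = cache.create(user)
  results[:after_new_session] = remote_logout(cache, identities, user, sp)
  results[:new_session_active] = cache.active?(new_session)

  results
end
```

Running `run_scenarios` shows the two outcomes side by side: in case 1 only the recorded login session is deleted and the unrelated one survives; in case 2 the logout is a no-op because the recorded session is gone, so the newer session is untouched, which is the "safer behavior" the commit message describes.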
Force-pushed 2f3bc32 to b37d6ce
zachmargolis
approved these changes
Feb 25, 2022
zachmargolis
left a comment
LGTM, just a few ideas to make the test assertions clearer
Force-pushed 6e4ac71 to a058fba
Force-pushed 61ad582 to 1e86830
zachmargolis
approved these changes
Feb 25, 2022
Force-pushed 1e86830 to e3bfc0e