Univention Bugzilla – Bug 57482
backchannel logout does not work if umc/http/processes > 1
Last modified: 2024-09-04 17:51:08 CEST
UCS: 5.0-8 errata1088

Using OIDC the portal logout does not work with multiprocessing. ucr set umc/http/processes=1 is not what we want but the only option we have for a valid backchannel logout. We added more debug code and saw empty sessions in the case a backchannel logout is triggered (but we have the session information because we see that in the login):

"""
30.07.24 13:42:11.423 MAIN ( ALL ) : oidc.post:517: backchannel OP logout
30.07.24 13:42:11.426 MAIN ( ALL ) : oidc._verify_jwt:268: OIDC JWK-Payload: {'exp': 1722339851, 'iat': 1722339731, 'jti': 'e7388fa7-8f20-47a2-9016-ec470daccc4b', 'iss': 'https://IDP_FQDN/auth/realms/px', 'aud': 'ucsportaloidc', 'sub': 'b5818e49-7704-4fc4-baca-da974746a849', 'typ': 'Logout', 'events': {'http://schemas.openid.net/event/backchannel-logout': {}}}
30.07.24 13:42:11.426 MAIN ( ALL ) : oidc.post:529: SESSIONS: []
30.07.24 13:42:11.426 MAIN ( ALL ) : oidc.post:530: SESSION.session: {}
"""
In normal UMC multiprocessing, Apache sets a "UMCWEB_ROUTEID" cookie so that the same user will always get the same UMC. However this obviously doesn't work during an OIDC backchannel logout. Keycloak doesn't send any cookies to the UMC, nor does it know of the "UMCWEB_ROUTEID" cookie. The backchannel logout request then hits any of the UMC processes and most likely not the one where the user has their session. I also don't currently see any way to make this work easily. Keycloak will obviously not have knowledge of our "UMCWEB_ROUTEID" cookie to include in the request, nor could we make this knowledge available to Keycloak somehow.
univention-management-console.yaml
  cefb8b73f236 | Bug #57482: add an SQL database for shared session storage
univention-management-console (12.0.34-8)
  9df82770425b | feat(umc, univention/ucs#2412): OIDC backchannel logout refresh
  cefb8b73f236 | Bug #57482: add an SQL database for shared session storage
univention-ldap.yaml
  cefb8b73f236 | Bug #57482: add an SQL database for shared session storage
univention-ldap (16.0.16-3)
  9df82770425b | feat(umc, univention/ucs#2412): OIDC backchannel logout refresh
  cefb8b73f236 | Bug #57482: add an SQL database for shared session storage
ucs-test (10.0.22-64)
  9df82770425b | feat(umc, univention/ucs#2412): OIDC backchannel logout refresh
  cefb8b73f236 | Bug #57482: add an SQL database for shared session storage

The OIDC backchannel logout can hit any of the UMCs if multiprocessing is configured. This commit introduces a persistent storage for sessions between UMC processes. Currently only the sessionId and various relevant OIDC token claims are saved. This does not make it possible to use sessions between multiple UMC processes but rather just adds the ability for other UMC processes to delete the sessions of others. Also add a test that tests OIDC backchannel logout with multiprocessing enabled.

This also makes automatic portal refresh work with OIDC backchannel logout. For now this works by using Postgres LISTEN/NOTIFY. This feature currently only works if Postgres is the configured session database for UMC. If any other database is used the automatic refresh won't work, however OIDC backchannel logout will continue to work.
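Added illustration of the mechanism the commit describes (not UMC's or the fix's own code): a logout token that was already signature-verified is checked, the worker's own session table comes up empty (the "SESSIONS: []" seen in the log), and the shared store still lets that worker delete the session another worker created. Assumptions: an in-memory sqlite3 table stands in for the Postgres table; the "typ": "Logout" claim is Keycloak's marker as shown in the log; iss/aud/exp were checked by the JWT verification step.

```python
import sqlite3

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class SharedSessionStore:
    """Stand-in for the shared SQL session table: every UMC worker records
    the OIDC claims of the sessions it owns, so any worker can find and
    delete sessions that belong to another worker."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")  # Postgres in the real fix
        self.conn.execute("CREATE TABLE sessions (session_id TEXT PRIMARY KEY,"
                          " sub TEXT, sid TEXT, owner_pid INTEGER)")

    def add(self, session_id, sub, sid, owner_pid):
        self.conn.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)",
                          (session_id, sub, sid, owner_pid))

    def delete_matching(self, sub, sid):
        # sid identifies one login; fall back to sub when the OP sends none
        if sid is not None:
            rows = self.conn.execute("SELECT session_id FROM sessions WHERE sid = ?", (sid,))
        else:
            rows = self.conn.execute("SELECT session_id FROM sessions WHERE sub = ?", (sub,))
        ids = [row[0] for row in rows.fetchall()]
        self.conn.executemany("DELETE FROM sessions WHERE session_id = ?", [(i,) for i in ids])
        return ids


def validate_logout_token(claims):
    """Claim checks on an already signature-verified logout token."""
    if claims.get("typ") != "Logout":  # Keycloak marks logout tokens this way
        raise ValueError("not a logout token")
    if BACKCHANNEL_EVENT not in claims.get("events", {}):
        raise ValueError("missing backchannel-logout event claim")
    if "nonce" in claims:  # spec forbids a nonce in logout tokens
        raise ValueError("logout tokens must not carry a nonce")
    if not (claims.get("sub") or claims.get("sid")):
        raise ValueError("logout token needs sub or sid")
    return claims.get("sub"), claims.get("sid")


def handle_backchannel_logout(claims, local_sessions, shared_store):
    """Return (sessions found in this worker, sessions deleted via the store)."""
    sub, sid = validate_logout_token(claims)
    local = [s for s, c in local_sessions.items()
             if (c.get("sid") == sid if sid else c.get("sub") == sub)]
    return local, shared_store.delete_matching(sub, sid)
```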
OK: Shared session storage for backchannel logout and session refresh using postgres
OK: Works on every server role
OK: Non-postgres databases "supported", but if another kind of sql db is used, the portal reload listen feature doesn't work.
OK: No UMC crashes if no/wrong kind of db is configured
OK: Works across multiple processes/UMC servers which share the same name due to an HA-Proxy
OK: Tool for setting global db settings (univention-management-console-settings)
OK: Keycloak tests
OK: Multi-Env tests
OK: YAML Verified
<https://errata.software-univention.de/#/?erratum=5.0x1117> <https://errata.software-univention.de/#/?erratum=5.0x1118>