WSO2IS-5.7.0 OIDC SSO logout without id_token_hint - wso2

I am working with OIDC and WSO2IS-5.7.0. I want to implement RP-initiated global logout (I want to terminate the session at the RP as well as at the OP, WSO2 in my case). When the user clicks on the logout button, I am redirecting the user to this URL:
https://myserver:9443/oidc/logout?id_token_hint=<idtoken>&post_logout_redirect_uri=https://myotherserver.com/myapp/index
It is working fine and the user is redirected to the login page of WSO2. My client considers it not secure and wants to do the same without sending the id_token to the front end. Is it possible with WSO2IS-5.7.0?
If yes, how?
If not, isn't it insecure that we send the id token to the FE? Anyone can use it to make an API call?

It is not possible. In the WSO2 implementation we use the id_token_hint to extract the client_id from the id_token (sent as the id_token_hint). This is necessary to retrieve the information of the service provider to which the id_token was issued.
Otherwise we don't have a way to validate whether the value sent in post_logout_redirect_uri is a registered callback for the service provider.
So if we omit the id_token_hint, we cannot validate the post_logout_redirect_uri sent, which would open up another security hole allowing redirection to untrusted URIs.
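As an added illustration of the validation order the answer describes (this is not WSO2's own code): verify the id_token_hint first, take the client_id from it, and only then compare post_logout_redirect_uri against that client's registered callbacks. The HS256 key, the client id and the callback set are constructed for the demo; a real OP signs id_tokens with its RS256 key.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo material (not WSO2's code or keys): an HMAC key standing in
# for the OP's token-signing key, and each client's registered callback URIs.
SIGNING_KEY = b"constructed-demo-signing-key"
REGISTERED_CALLBACKS = {
    "client-app-1": {"https://myotherserver.com/myapp/index"},
}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_id_token(claims: dict) -> str:
    """Mint an HS256 id_token for the demo; a real OP signs with RS256."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def client_id_from_hint(id_token_hint: str) -> Optional[str]:
    """Verify the hint's signature, then read the client_id from its 'aud' claim
    (assumed to carry the client_id, as OIDC requires). Return None if unverifiable."""
    try:
        header, payload, sig = id_token_hint.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # forged or tampered token: no trustworthy client_id
        aud = json.loads(_b64url_decode(payload)).get("aud")
    except (ValueError, AttributeError):  # malformed token, base64 or JSON
        return None
    return aud[0] if isinstance(aud, list) and aud else aud

def resolve_logout_redirect(id_token_hint: Optional[str], uri: Optional[str]) -> Optional[str]:
    """Return the post-logout redirect target, or None to stay on the OP's own page."""
    if not id_token_hint or not uri:
        return None  # no verifiable hint means no client_id, so the URI cannot be checked
    client_id = client_id_from_hint(id_token_hint)
    if client_id is None:
        return None
    # Exact string match only; prefix or wildcard matching would reopen the open redirect.
    return uri if uri in REGISTERED_CALLBACKS.get(client_id, set()) else None
```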

Related

How to test a SAML Hijack or Replay

We need to manually test a SAML Hijack or Replay.
We have been trying Postman, but it only responds with a message that we need to accept JavaScript. We only want to see a response from the ACS/SP that the user is logged in. We have full access to the original SAML response via SAML tracer, and we administer the IdP and user database. Does anyone know how to test this?
It would be best if we can do this directly in a browser so we can actually log in.

How to use Cognito LOGOUT endpoint to really log out?

I'm trying to use Federated Authentication to enable login with Microsoft AD. It works fine and we can log in. But when I call the LOGOUT endpoint as the documentation says ( https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html ) and try to log in again, I'm not being redirected to the Microsoft page to type my email and password again.
It seems like the email and password I typed are cached, and I can only see this login page again if I clear the cache. How can we really log out the user so that when he logs in he needs to type his email and password again?
Edit: I enabled 'Sign Out IdP Flow' as suggested in the answer, but now I'm getting a 400 response saying "Required String parameter client_id is not present".
Does anybody have any clue how to solve this problem?
You will need to ensure you select 'Enable IdP sign out flow' on your SAML identity provider in Cognito. After navigating your browser to the logout endpoint, you should then be redirected to the SAML IdP logout as well.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-console.html
Select Enable IdP sign out flow if you want your user to be logged out
from the SAML IdP when logging out from Amazon Cognito.
Enabling this flow sends a signed logout request to the SAML IdP when
the LOGOUT Endpoint is called.
Configure this endpoint for consuming logout responses from your IdP.
This endpoint uses post binding.
You need to include the client_id parameter when calling the logout endpoint; the parameter is specified as required in the documentation you linked. The client ID can be found in the AWS Cognito console under User pools > Your User pool name > App Integration > Your app client name, where you should see a Client ID.

How can I remove session for specific user for specific ServiceProvider in WSO2 IS?

Is there any web service provided by WSO2 Identity Server to remove a session for a specific user for a specific ServiceProvider?
I am using SAML SSO for many web applications and they are all integrated with the WSO2 server.
Now let's say the scenario is: the user is logged in to 2 applications at the same time. I want to log out from one application.
There is one logout service, and it provides single logout, so the session will be removed for all applications. Is there a web service provided by IS, or another way, to achieve logout for one specific application?
What you are asking is to have the capability of removing a specific participant from the session created on the Identity Server side. I don't see a straightforward way (OOTB) of achieving this.
Closest you can achieve is as below.
Make your application perform a forceAuth. ForceAuth will request user credentials despite the cookies present in the browser. (This will prevent the user from experiencing the SSO comfort; still, you can authenticate against the IS.)
Prevent the application from sending an SLO request to WSO2. Rather, terminate the application's own session upon logout.
When your application really wants to perform an SLO (logout all the applications, not just yours), your application can send an SLO request to the Identity Server.
Performing a force authentication :
SAML - Send forceAuth=true as a query parameter in your login request. Or else change the SAML AuthenticationRequest payload body to indicate a force authentication as in the spec (line 2042).
OIDC - Send prompt=login as an additional query parameter in the /authorization request.
You can do this by calling the REST API and SOAP API provided by WSO2 IS. This will remove the session at WSO2 IS, but I'm not sure whether it will also trigger SLO to the other service providers.
Reference:
https://is.docs.wso2.com/en/latest/develop/calling-admin-services/
https://is.docs.wso2.com/en/latest/develop/session-mgt-rest-api/
Trigger a SOAP request getUserProfile from UserProfileMgtService.wsdl. The default user profile will be 'default', or you can put the customized profile name you used. This will return the details. Grab the user ID from this.
Trigger a GET to the API /{user-id}/sessions with the user ID from step 1 to get the list of all active sessions this user currently has. Go through the list of sessions and find the session ID of the service provider you need to clear.
Trigger a DELETE request to the API /{user-id}/sessions/{session-id} with the user ID from step 1 and the session ID from step 2.
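Steps 2 and 3 above as an added, offline-runnable sketch (not WSO2's code): list the user's sessions, keep the ones in which the target application participates, and DELETE those. The API prefix, the listing's JSON shape and the sample data are assumptions made for the demo; check them against the linked docs for your IS version.

```python
from typing import Callable, Dict, List

# Assumed prefix of the session management REST API in WSO2 IS; confirm it
# against the docs linked above for the IS version you run.
SESSION_API = "/api/users/v1"

# Constructed sample listing, not captured from a real IS. The shape used here
# (sessions[].id and sessions[].applications[].appName) is an assumption.
SAMPLE_LISTING = {
    "userId": "user-0001",
    "sessions": [
        {"id": "sess-aaa", "applications": [{"appName": "payroll-app"}, {"appName": "hr-portal"}]},
        {"id": "sess-bbb", "applications": [{"appName": "travel-app"}]},
    ],
}

def sessions_for_app(listing: dict, app_name: str) -> List[str]:
    """Step 2: IDs of every session in which app_name participates."""
    return [
        s["id"]
        for s in listing.get("sessions", [])
        if any(a.get("appName") == app_name for a in s.get("applications", []))
    ]

def terminate_app_sessions(base_url: str, user_id: str, app_name: str,
                           http_get: Callable[[str], dict],
                           http_delete: Callable[[str], None]) -> List[str]:
    """Steps 2 and 3: list the user's sessions, then DELETE those tied to app_name.

    The HTTP calls are injected so the same logic runs against a real client or
    the stubs in run_demo(). Note that a deleted session ends for every application
    sharing it (sess-aaa also carries hr-portal), not only for app_name.
    """
    listing = http_get(f"{base_url}{SESSION_API}/{user_id}/sessions")
    targets = sessions_for_app(listing, app_name)
    for session_id in targets:
        http_delete(f"{base_url}{SESSION_API}/{user_id}/sessions/{session_id}")
    return targets

def run_demo() -> Dict[str, List[str]]:
    """Run the flow offline against stub transport and return the URLs it hit."""
    calls: Dict[str, List[str]] = {"GET": [], "DELETE": []}
    def fake_get(url: str) -> dict:
        calls["GET"].append(url)
        return SAMPLE_LISTING
    def fake_delete(url: str) -> None:
        calls["DELETE"].append(url)
    terminate_app_sessions("https://myserver:9443", "user-0001", "payroll-app", fake_get, fake_delete)
    return calls
```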

Django OAuth Toolkit how to log the user out

I have set up Django OAuth Toolkit in my project where the authorization server is separate from the application server (i.e. accounts.example.com and app.example.com). The app server redirects to the accounts server using the authorize flow; the user inputs credentials to sign in to the auth server, then the auth server redirects the user back to the application so that the app can retrieve tokens.
The above flow currently works as expected. If I do not explicitly click Log out and the application signs the user out (e.g. the session expires or browser cookies are cleared), the above flow will be performed again and there won't be a need for credentials because the auth server still knows who is signed in.
However, I am having trouble with explicitly logging the user out of the application. If a user explicitly clicks Log out, firstly the token must be revoked and secondly the auth server must sign out. What is the proper way to achieve this? As far as I am concerned, I won't be able to use Ajax to log out the user because the session must be destroyed in the auth server.
So, I have been thinking of redirecting the user to accounts.example.com/signout?token=${accessToken}&client_id=${clientID}. However, I am not sure if this is the right approach. Is this how these sign-out requests work with OAuth? Does that mean that when I sign out from the system, I always need to provide the Access Token and Client ID?

How to make a pure JavaScript based Google or Facebook OAuth 2.0 secure to spoofing?

I am implementing a JavaScript-based Google or Facebook OAuth for a client login system, where I hope to use the Access Token and Email Id combination returned from Google/Facebook after successful authentication of the user to create a session on the server. I have a .NET based server application. I am hoping to send this Access Token and Email Id combination using some AJAX method like $.ajax and create a session for this email id on the server end.
Now I have a limitation: my server is behind a firewall and it cannot contact Google/Facebook to validate the access token.
One of my colleagues pointed out to me that as there is no communication between my server and Google/Facebook, any malicious user can send me user A's email id with any random access token, and I have no way to check whether this token is valid and actually belongs to user A.
My server is using SSL communication. So, how can I make this scenario secure?
I don't think you should use a token you can't validate. I don't think your app can be run if you can't contact the IdPs to validate tokens. It's a bit surprising; most firewalls let you call out, they just don't let others call in.
You could request an ID token as described here: Cloud endpoints oauth2 error
This contains a signed user ID and email in a JWT.
This article might help: https://support.zendesk.com/entries/23675367-Setting-up-single-sign-on-with-JWT-JSON-Web-Token-
Disclaimer: I haven't tried any of this personally. Also, as Tim says, are you sure you can't call out from behind your firewall?