WebSphere Application Server & Liberty

  • 1.  SESN0008E with OpenID Connect

    Posted Mon May 16, 2022 10:25 AM
    Hello IBM Folks,

    I get the following error when I try to login to an application, which is using OpenID Connect together with another application in an SSO scenario, after a previous logout:

    WASSessionCor E SessionContext checkSecurity SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:https://openam.test-server.ag:8443/openam/oauth2/KissRealm/a@b.de.

    The involved applications are calling HttpServletRequest.logout() from a logout page located in the protected area as described in Enabling programmatic logout for an OpenID Connect Relying Party.

    The applications are deployed on a traditional WebSphere Version 9 and the OpenID provider is ForgeRock OpenAM. On the WebSphere an OIDC Relying Party is configured as described in Configuring an OpenID Connect Relying Party. I have two other applications where this scenario works. The difference is that in the working scenario I can see that the JSESSIONID cookie is set to another value by the logout page and the cookies LtpaToken2 and OIDCSESSIONID_SSOSAMPLE_RP are cleared:

    Request header:
    Cookie: JSESSIONID=0000XECKdQ-tkudkP449szs0z3T:-1; OIDCSTATE_SSOSAMPLE_RP=rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAACHcIAAAACwAAAAN0AAZyZXFVcmx0AD1odHRwOi8vbG9jYWxob3N0OjkwODAvU1NPSURQL3Jlc3RyaWN0ZWQvaWRwUmVzdHJpY3RlZFBhZ2UuanNwdAAGbWV0aG9kdAADR0VUdAAHc3RhdGVJZHQANk1telMyT2RHODFHaDIxamhKM0xkVWlUbWk4VHpMSklBZVB1VUx4MjRfMTY1MjcwNzI5NzM4Nng=_a+Z4FOdLua6QmC440r5+LP/eQBNQkDRvxxixSw5X/mo=; OIDCSESSIONID_SSOSAMPLE_RP=itsF58KcHGQ77oYphCcmDPCz0OWYkRiK6jONfUT1ik; LtpaToken2=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

    Response header:
    Set-Cookie: JSESSIONID=000052lTzI9rXXCc2sq0wFqxo0g:-1; Path=/; HttpOnly
    Set-Cookie: LtpaToken2=""; Expires=Thu, 01-Dec-94 16:00:00 GMT; Path=/; HttpOnly
    Set-Cookie: OIDCSESSIONID_SSOSAMPLE_RP=""; Expires=Thu, 01-Dec-94 16:00:00 GMT; Path=/

    In the non-working scenario I can see that the JSESSIONID is not cleared and remains the same when I try to access the application after the logout:

    Request header:
    Cookie: JSESSIONID=0000-TKbpDMUljIkKWvfZcwNAyc:-1; OIDCSTATE_KISS_RP=rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAACHcIAAAACwAAAAN0AAZyZXFVcmx0AD9odHRwOi8vbG9jYWxob3N0OjkwODAvZnVuZGluZ3BpbG90L3Jlc3RyaWN0ZWQvT3JkZXJPdmVydmlldy5qc3B0AAZtZXRob2R0AANHRVR0AAdzdGF0ZUlkdAA3Q0ZxOElvS3pZYnNqdVRBaEJLN0l4bnhkY0xKSmkwaFduT3gyMWV2TjRfMTY1MjY5OTc3NjYxMng=_B8YHCq3AKBHwtAzv4y9uRVcaE7VWtnw9+iNcBtdiCKI=; OIDCSESSIONID_KISS_RP=cycC3QHueV1WI4dBUxylqD1lx8XwMBw8gOEZLzAwA; LtpaToken2=xxwbw6VkjUQzE0imssvlS9EXA62E3KwAf+uxwzY3hxXJK1jhLusUXlgHVu4/U3UzATVCrZd7Vnzdwo1ulS60ah5qctWUIBlE3CcjQley8qIsPn7YXnpg6eawDkEkLmLTkkFmbXeJxJwQJChT4sJNdoVa/KlNAUKhEnlAGXeSByKS3R5REa8Y79CWea8Yyc3qJT62hgLjwWsmbNkd7FJYUoKUxHCbKcd30mZr8gVKPtZGMDPLwfdn5jjcwRH24ci+m3ijftW1aN4Qa34eaG0Vzu10gzv8hHME87o1OIJh3P3v2CoyazT4KR/20doYyNsR2ds4SpM+hNXCZAsI87mS1Ts8TrtPSuw1MU0eN+5CfDcNmQZ85gSyCx0Fd403rJnip6m3u9lCNhTVdoL0TsEXlNVQ0Mha5+0Udo+x+WNqV6G8Du1aae7Gb6SF1rVYIlHq78h1Rq06mO2Qs06tkhUxjWW0WhcXCgBlTL68GnfJqsnvWysZCWUsMtYD1K0jFujXYptPN2CJAJ4j19AUad9lK1KRQRe/Xm3oQwiCIFda9g2EYXhi0Kjrx6Kb3vOXXvON6JHrN7/lVkagbwIbvGj2PupKR7gWBUq6NHRWihUIaWIVI6lEQwOxMJafbejPAzO43r9hRmY0kxkLCkZThPVo6Qq+I+wp+ME6QofiP4c37BGzYw2IBJ1Nu89ZKKb5t7H6ehpFaOrBLBnt+8gv9xdqPYnRMqbrm2vsUHmRGNiuu7A=

    Response header:
    Set-Cookie: LtpaToken2=""; Expires=Thu, 01-Dec-94 16:00:00 GMT; Path=/; HttpOnly
    Set-Cookie: OIDCSESSIONID_KISS_RP=""; Expires=Thu, 01-Dec-94 16:00:00 GMT; Path=/

    Access welcome page after logout:
    Request header:
    Cookie: JSESSIONID=0000-TKbpDMUljIkKWvfZcwNAyc:-1; OIDCSTATE_KISS_RP=rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAACHcIAAAACwAAAAN0AAZyZXFVcmx0AD9odHRwOi8vbG9jYWxob3N0OjkwODAvZnVuZGluZ3BpbG90L3Jlc3RyaWN0ZWQvT3JkZXJPdmVydmlldy5qc3B0AAZtZXRob2R0AANHRVR0AAdzdGF0ZUlkdAA3Q0ZxOElvS3pZYnNqdVRBaEJLN0l4bnhkY0xKSmkwaFduT3gyMWV2TjRfMTY1MjY5OTc3NjYxMng=_B8YHCq3AKBHwtAzv4y9uRVcaE7VWtnw9+iNcBtdiCKI=

    I'm not sure if this is causing the error. Further, I can see that the cookie OIDCSTATE_KISS_RP is not deleted by the logout. But this is the same in the working and non-working scenario.

    I tried to define the property provider_<id>.revokeAccessToken property=true, but this had no effect!

    I have been struggling with this issue for a while and have no idea anymore what I should look for. Perhaps you can help me out.

    Thank you and kind regards
    Thomas Mayr



    ------------------------------
    Thomas Mayr
    ------------------------------
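The comparison made by hand above (did the logout response rotate JSESSIONID and expire LtpaToken2 and the OIDCSESSIONID_* cookie?) as a small check script. This is an added example, not code from the thread or from WebSphere; the sample headers are constructed from shortened versions of the two scenarios quoted above.

```python
from datetime import datetime, timezone
# Cookies a WebSphere OIDC RP logout must expire: the LTPA token and the RP's
# OIDC session cookie (matched by prefix, since the RP id is appended to the name).
AUTH_COOKIE_PREFIXES = ("LtpaToken2", "OIDCSESSIONID_")
EXPIRES_FMT = "%a, %d-%b-%y %H:%M:%S GMT"  # Netscape date format used in the headers above

def parse_cookie_header(value):
    """Parse a request 'Cookie:' header value into {name: value}."""
    pairs = (p.strip().split("=", 1) for p in value.split(";") if "=" in p)
    return {name: val for name, val in pairs}

def parse_set_cookie(line):
    """Parse one 'Set-Cookie:' line into (name, value, expired); expired is True
    when the server deleted the cookie by sending an Expires date in the past."""
    pieces = [p.strip() for p in line.split(":", 1)[1].split(";")]
    name, val = pieces[0].split("=", 1)
    expired = False
    for attr in pieces[1:]:
        key, _, raw = attr.partition("=")
        if key.lower() == "expires":
            when = datetime.strptime(raw, EXPIRES_FMT)
            expired = when < datetime.now(timezone.utc).replace(tzinfo=None)
    return name, val.strip('"'), expired

def check_logout(request_cookie, set_cookie_lines):
    """Return findings; an empty list means the logout response looks complete."""
    before = parse_cookie_header(request_cookie)
    after = {n: (v, e) for n, v, e in map(parse_set_cookie, set_cookie_lines)}
    findings = []
    new_id = after.get("JSESSIONID", (None, False))[0]
    if "JSESSIONID" in before and new_id in (None, before["JSESSIONID"]):
        findings.append("JSESSIONID not rotated at logout")
    for name in before:
        if name.startswith(AUTH_COOKIE_PREFIXES) and not after.get(name, ("", False))[1]:
            findings.append(f"{name} not cleared at logout")
    return findings

# Constructed samples: the thread's two scenarios with token values shortened.
WORKING_REQUEST = "JSESSIONID=0000XECKdQ-tkudkP449szs0z3T:-1; OIDCSESSIONID_SSOSAMPLE_RP=itsF58Kc; LtpaToken2=abc"
WORKING_RESPONSE = [
    "Set-Cookie: JSESSIONID=000052lTzI9rXXCc2sq0wFqxo0g:-1; Path=/; HttpOnly",
    'Set-Cookie: LtpaToken2=""; Expires=Thu, 01-Dec-94 16:00:00 GMT; Path=/; HttpOnly',
    'Set-Cookie: OIDCSESSIONID_SSOSAMPLE_RP=""; Expires=Thu, 01-Dec-94 16:00:00 GMT; Path=/',
]
BROKEN_REQUEST = "JSESSIONID=0000-TKbpDMUljIkKWvfZcwNAyc:-1; OIDCSESSIONID_KISS_RP=cycC3QHu; LtpaToken2=xyz"
BROKEN_RESPONSE = [  # no JSESSIONID rotation: the same id is presented again after logout
    'Set-Cookie: LtpaToken2=""; Expires=Thu, 01-Dec-94 16:00:00 GMT; Path=/; HttpOnly',
    'Set-Cookie: OIDCSESSIONID_KISS_RP=""; Expires=Thu, 01-Dec-94 16:00:00 GMT; Path=/',
]
```

Feed it the Cookie header sent to the logout page and the Set-Cookie lines of the logout response; the non-working scenario reports the un-rotated JSESSIONID, the working one reports nothing.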


  • 2.  RE: SESN0008E with OpenID Connect

    Posted Tue May 17, 2022 01:44 AM
    Hi, are the apps running in the same App Server or in different App Servers?

    Brian

    ------------------------------
    Brian S Paskin
    Sr. Cloud Engineer
    IBM Cloud Engineering
    ------------------------------



  • 3.  RE: SESN0008E with OpenID Connect

    Posted Tue May 17, 2022 02:08 AM
    Hello Brian,

    yes, all applications are deployed on the same application server. What I forgot to mention is that if I delete the browser cookies I am able to access the applications again.

    Further the following scenarios work, too:

    Scenario 1: Login at application A (which has the login form) -> navigate to application B (no login required because already authorized) -> navigate back to application A -> logout from application A -> navigate to/login again at application A -> and so on
    Scenario 2: Navigate to protected page of application B -> RP redirects the browser to application A (defined as authorization endpoint) -> login at application A (which has the login form) -> RP redirects the browser to the protected page of application B -> navigate to application A -> logout from application A -> navigate to/login again at application A

    The following scenarios do not work (SESN0008E):
    Scenario 3: Login at application A (which has the login form) -> navigate to application B (no login required because already authorized) -> logout from application B -> navigate to application A -> SESN0008E
    Scenario 4: Login at application A (which has the login form) -> navigate to application B (no login required because already authorized) -> navigate back to application A -> logout from application A -> navigate to application B -> SESN0008E

    Due to the fact that I am able to access the application after deleting the browser cookies, I assume something is not cleaned up at logout. I additionally tried an HttpSession.invalidate() after the HttpServletRequest.logout(), but this leads to an HTTP error 500.

    Kind regards
    Thomas


    ------------------------------
    Thomas Mayr
    ------------------------------



  • 4.  RE: SESN0008E with OpenID Connect

    Posted Tue May 17, 2022 02:18 AM
    Ok, what you will probably have to do is have AppB use a different JSESSIONID, maybe JSESSIONIDB, since they are on the same server.

    Enterprise Applications > Application name > Session Management > Enable Cookies. Check Override session management.  Change the name here too.

    Brian

    ------------------------------
    Brian S Paskin
    Sr. Cloud Engineer
    IBM Cloud Engineering
    ------------------------------



  • 5.  RE: SESN0008E with OpenID Connect

    Posted Tue May 17, 2022 02:45 AM
    Hello Brian,

    thank you! This takes me one step further. Scenario 4 is working now!

    But when I logout from application B (scenario 3) I cannot navigate to application A -> SESN0008E

    Should I configure application A in the same way?

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------



  • 6.  RE: SESN0008E with OpenID Connect

    Posted Tue May 17, 2022 05:03 AM
    Hi, what you can try is to set an invalidation when this error occurs.  SEE: https://www.ibm.com/docs/en/was-nd/9.0.5?topic=tracking-session-management-custom-properties#invalidateonunauthorizedsessionrequestexception

    Set InvalidateOnUnauthorizedSessionRequestException=true in the Session custom properties.

    Brian

    ------------------------------
    Brian S Paskin
    Sr. Cloud Engineer
    IBM Cloud Engineering
    ------------------------------



  • 7.  RE: SESN0008E with OpenID Connect

    Posted Tue May 17, 2022 07:27 AM
    Hello Brian,

    configuring a session ID for application A solved the problem! Thanks a lot for your help! This saved me many hours of analyzing.

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------