Thomas,
Avoid trouble: If you are running in a cluster environment, the OpenID Connect Relying Party (RP) Trust Association Interceptor (TAI) requires session affinity.
If you are running in a cluster, be sure to add the provider_<id>.createSession=true property.
alwaysInvalidateAccessTokenOnLogout
You can specify one of the following values:
true
false (the default)
By default, if an OIDC session cookie is present on a request during logout, the logout uses only the information that is associated with the OIDC session cookie. If no OIDC session cookie exists, then the logout uses the access token in the Authorization header of the request.
If this property is set to true, the logout uses information from both the OIDC session cookie and the Authorization header of the request, if they exist.
[9.0.5.6 or later] provider_<id>.endSessionEndpoint
This property does not have a default value. Set this property to the value of the end session endpoint for the Open ID provider. The value for the end session endpoint of the Open ID provider can then be accessed with an API. If the provider_<id>.discoveryEndpointUrl property is specified, the value for this property is overridden.
I would recommend checking some of the session-related properties here.
https://www.ibm.com/docs/en/was-nd/9.0.5?topic=party-openid-connect-relying-custom-properties
You can enable programmatic logout for an application that is secured by the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI). When programmatic logout is enabled, logging out of the application clears any Open ID Connect cookies and Lightweight Third Party Authentication (LTPA) cookies.
https://www.ibm.com/docs/en/was-nd/9.0.5?topic=party-enabling-programmatic-logout-oidc-relying
------------------------------
Ajit Jariwala
------------------------------
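As an added illustration (not part of Ajit's reply or IBM's documentation), the following wsadmin Jython script sets the three session-related properties discussed above on the OIDC RP TAI in one call. It assumes the RP is already configured as provider_1 (identifier, clientId, OP endpoints and so on), that the OP's end session URL is https://op.example.com/oauth2/connect/endSession (a placeholder), and that the provider has no discoveryEndpointUrl set, since that property would override endSessionEndpoint. The AdminTask.configureInterceptor command and the RelyingParty interceptor class name are taken from the WebSphere traditional wsadmin documentation; verify them against the docs for your fix pack before running.

```jython
# Added example: set session-related OIDC RP TAI custom properties with wsadmin.
# Run with: wsadmin.sh -lang jython -f oidc_rp_session_props.py
# Assumptions (not from the original thread): provider index 1 is already
# configured; the end session URL below is a placeholder for your OP.

RP_TAI_CLASS = 'com.ibm.ws.security.oidc.client.RelyingParty'
PROVIDER = 'provider_1'

# Placeholder OP end session endpoint; replace with the real value from your OP.
END_SESSION_URL = 'https://op.example.com/oauth2/connect/endSession'

props = [
    # Required in a cluster: the RP TAI needs session affinity, and
    # createSession=true makes the TAI create the HTTP session it relies on.
    '%s.createSession=true' % PROVIDER,
    # Logout uses both the OIDC session cookie and the Authorization header
    # access token when both are present (default: false, cookie only).
    'alwaysInvalidateAccessTokenOnLogout=true',
    # [9.0.5.6 or later] OP end session endpoint. Note: this value is ignored
    # (overridden) if provider_1.discoveryEndpointUrl is also configured.
    '%s.endSessionEndpoint=%s' % (PROVIDER, END_SESSION_URL),
]

# wsadmin expects the custom properties as a bracketed, quoted list.
customProps = '[' + ' '.join(['"%s"' % p for p in props]) + ']'

AdminTask.configureInterceptor('-interceptor %s -customProperties %s'
                               % (RP_TAI_CLASS, customProps))
AdminConfig.save()

# TAI custom property changes take effect only after the servers are
# restarted; in a cluster, synchronize the nodes before restarting.
print 'Updated %s with: %s' % (RP_TAI_CLASS, ', '.join(props))
```

If discoveryEndpointUrl is set for the provider, drop the endSessionEndpoint line, because the discovered end_session_endpoint wins anyway; keep createSession=true regardless, since without session affinity the TAI cannot correlate the login state across cluster members.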
Original Message:
Sent: Wed July 13, 2022 07:35 AM
From: Thomas Mayr
Subject: OpenID RP doesn't recognize session expiration on OP
Hello IBM Folks,
we have an OpenID Connect scenario with an RP configured on a traditional WebSphere and ForgeRock OpenAM as OP. We have two applications participating in this SSO scenario, one is deployed on the WebSphere, the other on a SAP WAS.
When I terminate the OpenID session of a user on OpenAM (OP), the WebSphere RP doesn't recognize that the session is terminated and I am able to navigate to protected pages of the WebSphere application without a new login. The session may be terminated by a logout of the other application, a session timeout or a manual termination.
So my question is if this is intended behaviour? IMHO, the RP should recognize that the session is terminated and redirect the user agent to the authorize endpoint in this case. If this is not the case, should the application check on every request if the session is still valid?
Kind regards
Thomas
------------------------------
Thomas Mayr
------------------------------