WebSphere Application Server & Liberty
  • 1.  OpenID RP doesn't recognize session expiration on OP

    Posted Wed July 13, 2022 07:35 AM
    Hello IBM Folks,

    we have an OpenID Connect scenario with an RP configured on a traditional WebSphere and ForgeRock OpenAM as OP. We have two applications participating in this SSO scenario, one is deployed on the WebSphere, the other on a SAP WAS.

    When I terminate the OpenID session of a user on OpenAM (OP), the WebSphere RP doesn't recognize that the session is terminated and I am able to navigate to protected pages of the WebSphere application without a new login. The session may be terminated by a logout of the other application, a session timeout or a manual termination.

    So my question is if this is an intended behaviour? IMHO, the RP should recognize that the session is terminated and redirect the user agent to the authorize endpoint in this case. If this is not the case, should the application check in every request if the session is still valid?

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------


  • 2.  RE: OpenID RP doesn't recognize session expiration on OP

    Posted Thu July 14, 2022 02:50 PM
    Thomas, 

    Avoid trouble: If you are running in a cluster environment, the OpenID Connect Relying Party (RP) Trust Association Interceptor (TAI) requires session affinity. 
    If you are running in a cluster, be sure to add the provider_<id>.createSession=true property.
    alwaysInvalidateAccessTokenOnLogout
    You can specify one of the following values:
        true
        false (the default)
    By default, if an OIDC session cookie is present on a request during logout, the logout uses only the information that is associated with the OIDC session cookie. If no OIDC session cookie exists, then the logout uses the access token in the Authorization header of the request.
    If this property is set to true, the logout uses information from both the OIDC session cookie and the Authorization header of the request, if they exist.
    [9.0.5.6 or later] provider_<id>.endSessionEndpoint
    This property does not have a default value. Set this property to the value of the end session endpoint for the Open ID provider. The value for the end session endpoint of the Open ID provider can then be accessed with an API. If the provider_<id>.discoveryEndpointUrl property is specified, the value for this property is overridden.
    I would recommend checking some of the session-related properties here. 
    https://www.ibm.com/docs/en/was-nd/9.0.5?topic=party-openid-connect-relying-custom-properties
    You can enable programmatic logout for an application that is secured by the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI). When programmatic logout is enabled, logging out of the application clears any Open ID Connect cookies and Lightweight Third Party Authentication (LTPA) cookies.
    https://www.ibm.com/docs/en/was-nd/9.0.5?topic=party-enabling-programmatic-logout-oidc-relying


    ------------------------------
    Ajit Jariwala
    ------------------------------



  • 3.  RE: OpenID RP doesn't recognize session expiration on OP

    Posted Thu July 14, 2022 08:53 PM
    Hi Thomas, what you are asking for is a feature that WebSphere traditional doesn't have.  We have it in Liberty:  https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-invoking-session-management-endpoint-openid-connect

    I put a request out to a colleague to see if this is something that we would consider implementing in WebSphere traditional.

    ------------------------------
    Barbara Jensen
    ------------------------------



  • 4.  RE: OpenID RP doesn't recognize session expiration on OP

    Posted Mon July 18, 2022 08:08 AM
    Hi Barbara, Ajit,

    when the logout is initiated by the application on the WebSphere, we don't have a problem. The RP recognizes that the user is logged out and the OP session is terminated.

    But when the other application (not deployed on the WebSphere) initiates the logout, only the OP session is terminated, but the RP doesn't recognize this. If OpenID session management is not implemented on a traditional WebSphere (as Barbara said) it explains this behaviour. So I have to manage this in our application, which causes a lot of network traffic. We will probably not get a quick implementation for this feature on traditional WebSphere (if at all)?

    I assume the same is the case with session timeout. Our requirement is that the OP session should be terminated if the user is inactive in any of our applications. In this case the applications have to reset the OP timeout on any user action (click) in the applications. Probably we have to reset the OP session timeout in the applications?

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------



  • 5.  RE: OpenID RP doesn't recognize session expiration on OP

    Posted Mon July 18, 2022 12:56 PM
    Hi Thomas,
    To fix the session timeout issue, whatever page you redirect to can invoke httpServletRequest.logout(). We're working on that for the admin console now.

    If you want the OIDC session management feature added to WebSphere traditional, you can open an AHA idea at https://www.ibm.com/support/pages/welcome-ibm-ideas-portal

    ------------------------------
    Barbara Jensen
    ------------------------------
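As an added illustration of the session-management feature Barbara mentions (the OpenID Connect Session Management 1.0 mechanism that Liberty supports and that an application on traditional WebSphere would have to implement itself), not code from this thread, IBM, Liberty or OpenAM: the RP-side browser script keeps a hidden iframe on the OP's check_session_iframe, polls it with "client_id session_state", and when the OP answers "changed" sends the browser to an application logout page that can call httpServletRequest.logout(). The iframe URL, client_id, logout path and the way session_state reaches the page are assumed values.

```javascript
// RP-side OIDC Session Management (OpenID Connect Session Management 1.0).
// All URLs and identifiers below are assumed placeholders, not real values.
const CHECK_SESSION_IFRAME = "https://op.example.com/oidc/check_session"; // assumed OP endpoint
const CLIENT_ID = "rp-client-id";                                          // assumed RP client_id
const LOGOUT_PATH = "/app/logout";       // assumed app page that calls request.logout()
const POLL_INTERVAL_MS = 10000;          // how often the OP is asked about the session

// Message format required by the spec: client_id and session_state joined by one space.
// session_state comes from the OP's authentication response and must be present.
function buildCheckMessage(clientId, sessionState) {
  if (!sessionState) throw new Error("session_state missing from authentication response");
  return clientId + " " + sessionState;
}

// Origin of the OP, used both as postMessage target and to validate replies.
function originOf(url) { return new URL(url).origin; }

// Classify a postMessage reply. Anything not from the OP origin is ignored, so a
// third-party frame cannot fake a "changed"/"unchanged" verdict.
function classifyOpReply(event, opOrigin) {
  if (event.origin !== opOrigin) return "ignored";
  switch (event.data) {
    case "unchanged": return "unchanged"; // OP session still matches session_state
    case "changed":   return "changed";   // OP session ended or switched user
    case "error":     return "error";     // OP could not evaluate the message
    default:          return "ignored";
  }
}

// Wire the iframe and the poll loop into a real browser window.
function startSessionMonitor(win, sessionState) {
  const opOrigin = originOf(CHECK_SESSION_IFRAME);
  const message = buildCheckMessage(CLIENT_ID, sessionState);
  const frame = win.document.createElement("iframe");
  frame.style.display = "none";
  frame.src = CHECK_SESSION_IFRAME;
  win.document.body.appendChild(frame);
  const timer = win.setInterval(
    () => frame.contentWindow.postMessage(message, opOrigin), POLL_INTERVAL_MS);
  win.addEventListener("message", (event) => {
    const verdict = classifyOpReply(event, opOrigin);
    if (verdict === "error") win.clearInterval(timer);      // stop; do not loop on errors
    if (verdict === "changed") {                             // OP session is gone:
      win.clearInterval(timer);
      win.location.assign(LOGOUT_PATH);                      // let the app call logout()
    }
  });
}

// Assumed: the server embeds session_state from the auth response as window.SESSION_STATE.
if (typeof window !== "undefined" && window.SESSION_STATE) startSessionMonitor(window, window.SESSION_STATE);
```

The logout page reached via LOGOUT_PATH is where the server-side httpServletRequest.logout() call from the reply above belongs, so the RP's own LTPA and OIDC cookies are cleared before the user is sent back to the authorize endpoint.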



  • 6.  RE: OpenID RP doesn't recognize session expiration on OP

    Posted Mon July 18, 2022 01:08 PM
    Thanks, Barbara, 

    when you go there https://www.ibm.com/support/pages/welcome-ibm-ideas-portal , there is
    Visit ideas.ibm.com to get started

    Hopefully, this should also allow you to open a feature request. 
    https://cloud-platform.ideas.ibm.com/?sort=popular&project=TWAS


    ------------------------------
    Ajit Jariwala
    ------------------------------