oblivion54

Reputation: 11

Getting ID Token for Logout

My project overrides the built-in OidcLogoutActionBuilder with a custom implementation. Specifically, we override the getLogoutAction method for getting a RedirectionAction.

In the base method, the idToken JWT is retrieved in this line. It checks that currentProfile is an instance of OidcProfile before casting it.

val idToken = ((OidcProfile) currentProfile).getIdToken();

In our implementation, currentProfile is a CiviFormProfileData, which does not contain an ID token. We would now like to add the ID token to the LogoutRequest's params.

To do so, I tried using ProfileManager.getProfile(OidcProfile.class), but that turns out to return an empty Optional. I believe this indicates that the user isn't logged in.

Questions:

  1. Is it really possible that the user isn't logged in at the moment that OidcLogoutActionBuilder.getLogoutAction begins executing? If so, how? That method appears to be initiating a logout, not called after a logout, though I might have misunderstood.

  2. Where is the currentProfile parameter coming from in getLogoutAction? I alluded to the fact we use CiviFormProfileData over OidcProfile in our codebase, but I don't know how the framework is deciding what exactly to pass to this method.

  3. Is there a better, more robust way to get the ID token in our case than what I suggested earlier with ProfileManager.getProfile?

Upvotes: 1

Views: 263

Answers (1)

jleleu

Reputation: 2699

General considerations:

If you use the OIDC protocol, your custom profile should inherit from the OidcProfile. Though, seeing the name for your custom profile, CiviFormProfileData, I guess you also use it for form authentication. Maybe two different profiles here, one inheriting from CommonProfile and the other one inheriting from OidcProfile, are the solution if one does not work.

And maybe in the future pac4j v6, we should turn the OidcProfile class into an OidcProfile interface to make things easier.

To reply to your questions:

  1. In regular use cases (through the DefaultLogoutLogic), the OidcLogoutActionBuilder.getLogoutAction method cannot be called without an OIDC profile. Though, you can manually call this method if you want, and this must be handled.
  2. In regular use cases, the logout endpoint triggers the DefaultLogoutLogic, which loops through the profiles if the centralLogout property is true: https://github.com/pac4j/pac4j/blob/pac4j-parent-5.7.0/pac4j-core/src/main/java/org/pac4j/core/engine/DefaultLogoutLogic.java#L106 These are the currently authenticated user profiles.
  3. You should not call the manager.getProfile, nor override the OidcLogoutActionBuilder; your custom profile should certainly inherit from OidcProfile: everything would work out-of-the-box this way.

Upvotes: 1
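Added example, not code from the question, the answer or pac4j itself: a hypothetical custom profile (the class name and the applicant_id attribute are assumptions) that follows the answer's advice by extending OidcProfile, so the ID token stays on the profile and the cast the base getLogoutAction performs succeeds. The static helper mirrors that instanceof check; the id_token value is a constructed unsigned JWT used only to show the round trip.

```java
import java.util.Optional;
import com.nimbusds.jwt.JWT;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.oidc.profile.OidcProfile;

// Hypothetical custom profile: extends OidcProfile (as the answer recommends)
// instead of CommonProfile, so the provider's id_token is kept with the profile.
public class CiviFormOidcProfile extends OidcProfile {
    private static final long serialVersionUID = 1L;
    // Constructed attribute name holding the application-specific data.
    public static final String APPLICANT_ID = "applicant_id";

    public void setApplicantId(String id) { addAttribute(APPLICANT_ID, id); }
    public String getApplicantId() { return (String) getAttribute(APPLICANT_ID); }

    // Mirrors the check in OidcLogoutActionBuilder.getLogoutAction: only a profile
    // that is an OidcProfile can supply an id_token_hint for the logout request.
    public static Optional<JWT> idTokenFor(UserProfile currentProfile) {
        if (currentProfile instanceof OidcProfile) {
            return Optional.ofNullable(((OidcProfile) currentProfile).getIdToken());
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        CiviFormOidcProfile profile = new CiviFormOidcProfile();
        profile.setId("user-123");
        profile.setApplicantId("applicant-42");
        // Constructed, unsigned sample id_token ({"alg":"none"}.{"sub":"user-123"}.)
        // used for illustration only; a real token comes from the OIDC provider.
        profile.setIdTokenString("eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyLTEyMyJ9.");

        // Profile derived from OidcProfile: the cast succeeds and the token is available.
        System.out.println(idTokenFor(profile).isPresent());            // true
        // A plain CommonProfile (the situation described in the question): no token.
        System.out.println(idTokenFor(new CommonProfile()).isPresent()); // false
    }
}
```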
