Description
Describe the issue:
Token revocation on session expiry does not work for SAML SLO requests coming from the federated IDP. The flow breaks with the following NPE:
```
[2023-07-19 20:23:49,949] [28fe01fc-29e1-401f-9078-d796b2f8dbeb] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Exception in Authentication Framework java.lang.NullPointerException
at org.wso2.carbon.identity.oauth2.token.bindings.handlers.TokenBindingExpiryEventHandler.revokeTokensOfBindingRef(TokenBindingExpiryEventHandler.java:272)
at org.wso2.carbon.identity.oauth2.token.bindings.handlers.TokenBindingExpiryEventHandler.revokeTokensForCommonAuthCookie(TokenBindingExpiryEventHandler.java:188)
at org.wso2.carbon.identity.oauth2.token.bindings.handlers.TokenBindingExpiryEventHandler.handleEvent(TokenBindingExpiryEventHandler.java:109)
at org.wso2.carbon.identity.event.services.IdentityEventServiceImpl.handleEvent(IdentityEventServiceImpl.java:56)
at org.wso2.carbon.identity.data.publisher.application.authentication.AuthnDataPublisherProxy.doPublishEvent(AuthnDataPublisherProxy.java:245)
at org.wso2.carbon.identity.data.publisher.application.authentication.AuthnDataPublisherProxy.publishSessionTermination(AuthnDataPublisherProxy.java:211)
at org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils.publishSessionEvent(FrameworkUtils.java:1834)
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultLogoutRequestHandler.handle(DefaultLogoutRequestHandler.java:106)
at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:252)
at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:53)
at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doGet(CommonAuthenticationServlet.java:43)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:655)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.wso2.carbon.identity.captcha.filter.CaptchaFilter.doFilter(CaptchaFilter.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:86)
at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:110)
at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:111)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:101)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:145)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:59)
at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:124)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:829)
```
How to reproduce:
- Take two updated 5.10.0 Identity Servers. One acts as the federated IDP, so set that server's hostname to idp.com and add a host entry for it. If the federated IDP runs on the same machine, offset its port by 1.
- Configure the SLO scenario described in the document [1]:
  - Primary IS: an OIDC SP with the "SSO Session Based" binding and the "Revoke tokens when the IDP session terminates" option enabled, plus federation to the second IDP. Enable the token binding expiry handler in deployment.toml:

    ```toml
    [identity_mgt.events.schemes.TokenBindingExpiryEventHandler.properties]
    enable = true
    ```

  - Second IS: a SAML SP for the primary IS with the SLO URL configured, plus a second SAML SP.
- Log in to the federated IDP through the first Identity Server's OIDC SP, then SSO to the second SAML SP app configured in the federated IDP.
- Issue the logout request from the second SAML SP app configured in the federated IDP.
- The SLO request is triggered to the first Identity Server from the federated IDP.
- When the first Identity Server tries to terminate the session and revoke the tokens issued to the OIDC app configured in the primary IS, the above error occurs and the logout fails.
Expected behavior:
The SAML SLO requests from the federated IDP should be processed successfully, and the tokens issued for the session should be revoked once the session is terminated.
The issue occurs because the context returned from [2] does not have the last authenticated user details populated in it.
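As an added illustration of the failure mode (this is not WSO2 code; `AuthUser`, `AuthContext`, `SessionCtx` and `TokenStore` are hypothetical stand-ins for the framework's `AuthenticatedUser`, `AuthenticationContext`, `SessionContext` and token DAO), the fragile dereference is shown next to a hardened version that resolves the user from the SSO session when the authentication context lacks it, and fails with a descriptive error instead of an NPE when neither has it:

```java
// Added illustration only; not code from WSO2 Identity Server. AuthUser, AuthContext,
// SessionCtx and TokenStore are hypothetical stand-ins for the framework's
// AuthenticatedUser, AuthenticationContext, SessionContext and token DAO.
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

final class TokenBindingExpiryHandler {
    private final TokenStore tokens;

    TokenBindingExpiryHandler(TokenStore tokens) { this.tokens = tokens; }

    /** Fragile form: assumes the authentication context always carries the user. */
    int revokeFragile(AuthContext ctx, String bindingRef) {
        // Throws NullPointerException when lastAuthenticatedUser() is null, which is
        // the shape of the failure in the stack trace above.
        String tenant = ctx.lastAuthenticatedUser().tenantDomain();
        return tokens.revokeByBindingRef(bindingRef, tenant);
    }

    /** Hardened form: resolve the user from the context, then from the SSO session. */
    int revokeHardened(AuthContext ctx, SessionCtx session, String bindingRef)
            throws RevocationException {
        AuthUser user = resolveUser(ctx, session).orElseThrow(() -> new RevocationException(
                "No authenticated user for binding " + bindingRef + "; tokens were not revoked"));
        return tokens.revokeByBindingRef(bindingRef, user.tenantDomain());
    }

    /** Context first (normal logout), session second (federated SLO where the context is bare). */
    static Optional<AuthUser> resolveUser(AuthContext ctx, SessionCtx session) {
        if (ctx != null && ctx.lastAuthenticatedUser() != null) {
            return Optional.of(ctx.lastAuthenticatedUser());
        }
        if (session != null && session.authenticatedUsers() != null) {
            return session.authenticatedUsers().stream()
                    .filter(u -> u != null).findFirst();
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws RevocationException {
        // Constructed in-memory store: records which binding reference was revoked.
        List<String> revoked = new ArrayList<>();
        TokenStore store = (ref, tenant) -> { revoked.add(ref + "@" + tenant); return 2; };
        TokenBindingExpiryHandler handler = new TokenBindingExpiryHandler(store);

        AuthContext emptyCtx = () -> null;   // what the federated SLO path delivers
        SessionCtx session = () -> List.of(new AuthUser("alice", "carbon.super", "PRIMARY"));

        try {
            handler.revokeFragile(emptyCtx, "bref-1");
        } catch (NullPointerException e) {
            System.out.println("fragile: NPE, logout would fail");
        }
        int n = handler.revokeHardened(emptyCtx, session, "bref-1");
        System.out.println("hardened: revoked " + n + " token(s) for " + revoked.get(0));
    }
}

record AuthUser(String userName, String tenantDomain, String userStoreDomain) {}

interface AuthContext {
    AuthUser lastAuthenticatedUser();       // may be null on a federated SLO request
}

interface SessionCtx {
    List<AuthUser> authenticatedUsers();    // users authenticated within this SSO session
}

interface TokenStore {
    int revokeByBindingRef(String bindingRef, String tenantDomain);  // number of tokens revoked
}

class RevocationException extends Exception {
    RevocationException(String message) { super(message); }
}
```

Failing loudly matters here: if the handler silently skipped revocation when the user is missing, the logout would appear to succeed while the bound access and refresh tokens stayed valid, which is the opposite of what the "Revoke tokens when the IDP session terminates" option promises. Whether the session context actually carries the user in the federated SLO path has to be confirmed against the framework; that fallback is an assumption of this example.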
Environment information (Please complete the following information; remove any unnecessary fields):
- Product Version: [IS 5.10.0]

[1] https://is.docs.wso2.com/en/5.10.0/learn/handling-saml-single-logout-requests-from-federated-identity-providers/
[2] https://github.com/wso2/carbon-identity-framework/blob/e99f5977d08e141f19e2b74b64317d410bfd7054/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/DefaultRequestCoordinator.java#L684