Describe the bug
If the user was previously logged in to multiple RPs during earlier OIDC sessions, then when the user logs out of the current OIDC session, the frontChannel logout script contains the URLs of all of those RPs, even though the user logged in to only one RP during the current OIDC session.
During session logout, when preparing frontChannelUris, the SQL query filters only by subject and does not use the sid.
```go
func (s *DefaultStrategy) generateFrontChannelLogoutURLs(ctx context.Context, subject, sid string) ([]string, error) {
	// sid is received but not passed on: the lookup is by subject only
	clients, err := s.r.ConsentManager().ListUserAuthenticatedClientsWithFrontChannelLogout(ctx, subject)
```
Reproducing the bug
1. Log in to several RPs (RP1, RP2) during one OIDC session (remember=true).
2. Log out of this OIDC session.
3. Log in to RP1 only during a new OIDC session (remember=true).
4. Log out of this OIDC session.
5. The frontChannel logout script contains the frontChannelLogout URLs for both RP1 and RP2.
Expected behavior
The frontChannel logout script should contain the frontChannelLogout URL only for RP1.
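An added Go example (illustrative, not Hydra's code or schema) that models the report with a constructed in-memory list of authenticated clients and contrasts a subject-only lookup with one filtered by subject and sid; the struct, function and URI names are assumptions:

```go
package main
import "fmt"

// AuthenticatedClient is a constructed, simplified record of "subject authenticated
// to client within login session sid" (illustrative, not Hydra's schema).
type AuthenticatedClient struct {
	Subject               string
	SID                   string
	ClientID              string
	FrontChannelLogoutURI string
}

// sessions reproduces the report: RP1 and RP2 in session "sid-1", only RP1 in "sid-2".
var sessions = []AuthenticatedClient{
	{"alice", "sid-1", "rp1", "https://rp1.example/logout"},
	{"alice", "sid-1", "rp2", "https://rp2.example/logout"},
	{"alice", "sid-2", "rp1", "https://rp1.example/logout"},
}

// logoutURIsBySubject mirrors the reported behaviour: every RP the subject ever used.
func logoutURIsBySubject(subject string) []string {
	return collect(func(c AuthenticatedClient) bool { return c.Subject == subject })
}

// logoutURIsBySubjectAndSID is the expected behaviour: only RPs of the session being ended.
func logoutURIsBySubjectAndSID(subject, sid string) []string {
	return collect(func(c AuthenticatedClient) bool {
		return c.Subject == subject && c.SID == sid
	})
}

// collect returns deduplicated front-channel logout URIs for matching records.
func collect(match func(AuthenticatedClient) bool) []string {
	seen := map[string]bool{}
	var uris []string
	for _, c := range sessions {
		if match(c) && !seen[c.FrontChannelLogoutURI] {
			seen[c.FrontChannelLogoutURI] = true
			uris = append(uris, c.FrontChannelLogoutURI)
		}
	}
	return uris
}

func main() {
	fmt.Println("subject only:   ", logoutURIsBySubject("alice"))
	fmt.Println("subject and sid:", logoutURIsBySubjectAndSID("alice", "sid-2"))
}
```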