Error when logging out via API
Closed, ResolvedPublicBUG REPORT
Actions

Assigned To

Authored By

	Osnard
	Mar 30 2022, 8:46 AM

Description

List of steps to reproduce (step by step, including full links if applicable):

Log in with Extension:SimpleSAMLphp
Click the log out button in Vector-skin

What happens?:
An error message is displayed:

Could not connect to the server. Make sure you have a working internet connection and try again.

What should have happened instead?:
The logout should be performed without a confusing error message.

Software version:

MW Core 1.35+
Extension:PluggableAuth 5.x
Extension:SimpleSAMLphp 4.x

For details see https://www.mediawiki.org/w/index.php?title=Topic:W5nyw48nx1pc2lsy&topic_showPostId=wkwa2kvt9jqo7u3u#flow-post-wkwa2kvt9jqo7u3u

Details

Subject	Repo	Branch	Lines +/-
Add support for overriding default logout	mediawiki/extensions/SimpleSAMLphp	REL1_40	+7 -32
Add support for overriding default logout	mediawiki/extensions/SimpleSAMLphp	REL1_39	+7 -32
Add support for overriding default logout	mediawiki/extensions/OpenIDConnect	REL1_40	+8 -0
Add support for overriding default logout	mediawiki/extensions/OpenIDConnect	REL1_39	+8 -0
Add special "logout" page to avoid API logout issues	mediawiki/extensions/PluggableAuth	REL1_40	+351 -3
Add special "logout" page to avoid API logout issues	mediawiki/extensions/PluggableAuth	REL1_39	+351 -3
Fix SAML logout flow	mediawiki/extensions/SimpleSAMLphp	REL1_40	+29 -1
Add support for overriding default logout	mediawiki/extensions/OpenIDConnect	master	+8 -0
Add support for overriding default logout	mediawiki/extensions/SimpleSAMLphp	master	+7 -32
Add special "logout" page to avoid API logout issues	mediawiki/extensions/PluggableAuth	master	+351 -3
Fix SAML logout flow	mediawiki/extensions/SimpleSAMLphp	REL1_39	+29 -1
Fix SAML logout flow	mediawiki/extensions/SimpleSAMLphp	master	+29 -1

Related Objects

Mentioned In: T331294: Logout result only in an "Invalid response from server." message
Mentioned Here: T246350: SAML logout does not work both ways
T222626: Turn logout link into a POST API call with refresh

Event Timeline

Osnard created this task.Mar 30 2022, 8:46 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 30 2022, 8:46 AM

From https://www.mediawiki.org/w/index.php?title=Topic:W5nyw48nx1pc2lsy&topic_showPostId=wkwa2kvt9jqo7u3u#flow-post-wkwa2kvt9jqo7u3u

I can confirm this issue also occurs with other IdPs and that it is actually related to T222626, which performs logout via an XHR to the "logout" action API. SAML is not build to work with XHRs at all. It relies on a regular HTTP redirect workflow, which doesn't go well with XHR calls. If you access "Special:UserLogout" manually and submit the form, everything will work just fine.

A quick workaround could be to knock out the code at /resources/src/mediawiki.page.ready/ready.js#L71-L93, e.g. by JavaScript like $( '#pt-logout a[data-mw="interface"]' ).off( 'click' ); in "MediaWiki:Common.js".

Of course this is not a good solution, as the user will also be asked to confirm the logout on "Special:UserLogout".

Hm,

When you disable the XHR call you won‘t be logged out from the IDP…
On the Special Logout Page you only log out from MediaWiki.
This generate a possible security problem.
It is necessary to call the SLO URL from the Browser for a complete logout from all IDPs and that‘s the problem.

Btw: The most IDPs doesn‘t have implementend the ‚http-post‘ SLO :/

Best regards,
Christian

Thanks for this hint. Actually this is an issue, that is probably similar to / the same as T246350.

Thing is, we actually invoke the "deauthenticate" method of the SimpleSAMLphp SP endpoint [1][2], which - theoretically - should execute the SLO as defined by the IdP metadata.
I didn't have time to properly debug this.

[1] https://github.com/wikimedia/mediawiki-extensions-SimpleSAMLphp/blob/4.5.2/includes/SimpleSAMLphp.php#L141-L153
[2] https://github.com/simplesamlphp/simplesamlphp/blob/v1.19.5/lib/SimpleSAML/Auth/Simple.php#L174-L190

@Osnard no it is not the same problem, in that case we can not logout from SAML IDP and in the other case we can not logout from Wiki ;)
We are doing all right, but because in most cases the SLO Url from SimpleSAMLphp SP Endpoint has mostly implemented the "redirect" method, thats a problem.
To work correctly a "Http-Post" method has to be implemented by the IDP, which is not done in most cases .
So we call an Endpoint which do a lot of redirects, and you know a XHR Call has massive troubles to follow redirects. In most cases there is also content which needs to be executed in the browser in the different redirect stages.
The only thing we can make this beast work is to disable the XHR Call to the API and call the Endpoint with an ordinary html link, so we can eat some popcorn and endy the redirects until an exodus and viola we are logged out ;)

Could this be related to the issue identified in https://gerrit.wikimedia.org/r/c/mediawiki/core/+/787907?

Probably not. As @Yomagntho describes, the issue is that the new XHR based logout does not got well with the SAML SLO in general. As the XHR will not properly handle the "reditect-workflow" of SAML SLO.

I believe the only proper solution will be to create a dedicated Special:SimpleSAMLphpLogout page that works like Special:Logout, but does not require the explicit click of a "Logout" button. And then we need to modify the logout link in personal_ulrs.

Change 791044 had a related patch set uploaded (by Robert Vogel; author: Robert Vogel):

[mediawiki/extensions/PluggableAuth@master] Add special "logout" page to avoid API logout issues

https://gerrit.wikimedia.org/r/791044

gerritbot added a project: Patch-For-Review.May 11 2022, 3:13 PM

@cicalese I have added a Patchset for PluggableAuth, as i believe this may be an issue to other auth plugins too. I am not really happy about the new method addCustomLogoutLink. Should I just rename removeLogoutLink to modifyLogoutLink?

Yes, that sounds like a good idea.

I added some additional feedback on the patch. I think it needs some work, but it is a necessary addition to PluggableAuth. Thanks for the patch!

I will amend the patch ASAP.

kwisatz subscribed.Jun 3 2022, 9:12 AM

Hi @Osnard, did you get around to summit a patch on this? We've come across this issue in our Wikibase instance.

What is the status of this issue?

I am about to continue my work on https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PluggableAuth/+/791044/
Unfortunately I can not give a time frame for its completion

Thanks for the update Osnard, very much appreciated!

Added workaround to docs until patch is done: https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp#Logout_error_message

In T305031#8324839, @Osnard wrote:

Added workaround to docs until patch is done: https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp#Logout_error_message

@Osnard I tested this on our instance (same as @Maarten) and it doesn't work for us. $links['user-menu']['logout'] doesn't seem to be set in the $links array passed to that hook. There is not even a key named user-menu.
The keys that $links has are: namespaces, views, actions and variants and none of the links is a logout link. Could that be related to the skin that we're using, which is Vector in our case.

In Vector, the log-out link is part of the personal toolbar, resp. Personal Tools ($personalTools), but I haven't been able to fully retrace how this all works and if there may be another hook which is passed the URLs from of type personal_urls.

What is the goal of that hook you're suggesting? To change some class in the HTML so that a javascript queryselector doesn't find the element it's looking for to bind a click event to it? If that's the case then maybe we can find another solution, e.g. using gadgets?

Edit: I have been able to make this work using a simple gadget. Although I'm not 100% happy with it since I had to use a timeout.

Yes, the change is about changing the ID of the link, so the MediaWiki Core JS will not bind to it and make it an XHR logout. If the hook does not work for you, maybe have a look at https://www.mediawiki.org/wiki/Manual:Hooks/PersonalUrls

Change 903593 had a related patch set uploaded (by Robert Vogel; author: Robert Vogel):

[mediawiki/extensions/SimpleSAMLphp@master] Fix SAML logout flow

https://gerrit.wikimedia.org/r/903593

Osnard moved this task from Backlog to Waiting for Merge on the MediaWiki-extensions-SimpleSAMLphp board.Mar 28 2023, 7:55 AM

Osnard changed the task status from Open to In Progress.Mar 28 2023, 8:54 AM

Change 903559 had a related patch set uploaded (by ItSpiderman; author: Robert Vogel):

[mediawiki/extensions/SimpleSAMLphp@REL1_39] Fix SAML logout flow

https://gerrit.wikimedia.org/r/903559

Change 903593 merged by jenkins-bot:

[mediawiki/extensions/SimpleSAMLphp@master] Fix SAML logout flow

https://gerrit.wikimedia.org/r/903593

Change 903559 merged by jenkins-bot:

[mediawiki/extensions/SimpleSAMLphp@REL1_39] Fix SAML logout flow

https://gerrit.wikimedia.org/r/903559

cicalese mentioned this in T331294: Logout result only in an "Invalid response from server." message.Apr 10 2023, 11:38 AM

Change 925841 had a related patch set uploaded (by Cicalese; author: Cicalese):

[mediawiki/extensions/OpenIDConnect@master] Add support for overriding default logout

https://gerrit.wikimedia.org/r/925841

Change 925843 had a related patch set uploaded (by Cicalese; author: Cicalese):

[mediawiki/extensions/SimpleSAMLphp@master] Add support for overriding default logout

https://gerrit.wikimedia.org/r/925843

cicalese added projects: MediaWiki-extensions-Pluggable-Auth, MediaWiki-extensions-OpenID-Connect.Jun 3 2023, 2:29 PM

cicalese merged a task: T331294: Logout result only in an "Invalid response from server." message.Jun 3 2023, 2:33 PM

cicalese added a subscriber: Mdc-system.

Change 791044 merged by jenkins-bot:

[mediawiki/extensions/PluggableAuth@master] Add special "logout" page to avoid API logout issues

https://gerrit.wikimedia.org/r/791044

Change 925843 merged by jenkins-bot:

[mediawiki/extensions/SimpleSAMLphp@master] Add support for overriding default logout

https://gerrit.wikimedia.org/r/925843

Change 925841 merged by jenkins-bot:

[mediawiki/extensions/OpenIDConnect@master] Add support for overriding default logout

https://gerrit.wikimedia.org/r/925841

Maintenance_bot removed a project: Patch-For-Review.Jun 3 2023, 5:10 PM

Change 926720 had a related patch set uploaded (by Cicalese; author: Robert Vogel):

[mediawiki/extensions/SimpleSAMLphp@REL1_40] Fix SAML logout flow

https://gerrit.wikimedia.org/r/926720

gerritbot added a project: Patch-For-Review.Jun 4 2023, 12:29 PM

Change 926720 merged by jenkins-bot:

[mediawiki/extensions/SimpleSAMLphp@REL1_40] Fix SAML logout flow

https://gerrit.wikimedia.org/r/926720

Change 926763 had a related patch set uploaded (by Cicalese; author: Robert Vogel):

[mediawiki/extensions/PluggableAuth@REL1_39] Add special "logout" page to avoid API logout issues

https://gerrit.wikimedia.org/r/926763

Change 926764 had a related patch set uploaded (by Cicalese; author: Robert Vogel):

[mediawiki/extensions/PluggableAuth@REL1_40] Add special "logout" page to avoid API logout issues

https://gerrit.wikimedia.org/r/926764

Change 926763 merged by jenkins-bot:

[mediawiki/extensions/PluggableAuth@REL1_39] Add special "logout" page to avoid API logout issues

https://gerrit.wikimedia.org/r/926763

Change 926764 merged by jenkins-bot:

[mediawiki/extensions/PluggableAuth@REL1_40] Add special "logout" page to avoid API logout issues

https://gerrit.wikimedia.org/r/926764

Change 926767 had a related patch set uploaded (by Cicalese; author: Cicalese):

[mediawiki/extensions/OpenIDConnect@REL1_39] Add support for overriding default logout

https://gerrit.wikimedia.org/r/926767

Change 926768 had a related patch set uploaded (by Cicalese; author: Cicalese):

[mediawiki/extensions/OpenIDConnect@REL1_40] Add support for overriding default logout

https://gerrit.wikimedia.org/r/926768

kwisatz unsubscribed.Jun 4 2023, 1:19 PM

Change 926767 merged by jenkins-bot:

[mediawiki/extensions/OpenIDConnect@REL1_39] Add support for overriding default logout

https://gerrit.wikimedia.org/r/926767

Change 926768 merged by jenkins-bot:

[mediawiki/extensions/OpenIDConnect@REL1_40] Add support for overriding default logout

https://gerrit.wikimedia.org/r/926768

Maintenance_bot removed a project: Patch-For-Review.Jun 4 2023, 1:30 PM

Change 926781 had a related patch set uploaded (by Cicalese; author: Cicalese):

[mediawiki/extensions/SimpleSAMLphp@REL1_39] Add support for overriding default logout

https://gerrit.wikimedia.org/r/926781

Change 926782 had a related patch set uploaded (by Cicalese; author: Cicalese):

[mediawiki/extensions/SimpleSAMLphp@REL1_40] Add support for overriding default logout

https://gerrit.wikimedia.org/r/926782

Change 926781 merged by jenkins-bot:

[mediawiki/extensions/SimpleSAMLphp@REL1_39] Add support for overriding default logout

https://gerrit.wikimedia.org/r/926781

Change 926782 merged by jenkins-bot:

[mediawiki/extensions/SimpleSAMLphp@REL1_40] Add support for overriding default logout

https://gerrit.wikimedia.org/r/926782

Maintenance_bot removed a project: Patch-For-Review.Jun 4 2023, 2:30 PM

Fixed in PluggableAuth version 7.0.0.

cicalese moved this task from Backlog to Closed on the MediaWiki-extensions-Pluggable-Auth board.Jun 12 2023, 4:44 PM

cicalese moved this task from Backlog to Closed on the MediaWiki-extensions-OpenID-Connect board.

cicalese moved this task from Waiting for Merge to Closed on the MediaWiki-extensions-SimpleSAMLphp board.Jun 12 2023, 4:46 PM

Error when logging out via APIClosed, ResolvedPublicBUG REPORTActions

Description

Details

Related Objects

Event Timeline

Error when logging out via API
Closed, ResolvedPublicBUG REPORT
Actions