[keycloak-user] Logout error ("Success" + HTTP 500!?)

Pieter Lukasse pieter at thehyve.nl
Wed Sep 13 07:32:24 EDT 2017


Hi,

I am currently getting a strange error when trying to log out from my
application. The logout request is as follows (HTTP 200 code):

<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                      Destination="http://localhost:8081/auth/realms/test/protocol/saml"
                      ID="a370b54ee2i7g6j9275jbg40185b154"
                      IssueInstant="2017-09-13T11:22:04.100Z"
                      Version="2.0"
                      >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">cbioportal</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#a370b54ee2i7g6j9275jbg40185b154">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>nKZrPGrsLZeR6xSgg0+xQ3dCg90=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>....</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>....</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                  >pieter at thehyve.nl</saml2:NameID>
    <saml2p:SessionIndex>2ce54b83-67c1-40fd-850d-947b29c721be</saml2p:SessionIndex>
</saml2p:LogoutRequest>


Which is replied to with (HTTP 500 code!?):

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                      Destination="http://localhost:8081/auth/realms/test/protocol/saml"
                      ID="ID_1a5b931f-05b2-4b69-a32b-93cb7631fc98"
                      InResponseTo="a370b54ee2i7g6j9275jbg40185b154"
                      IssueInstant="2017-09-13T11:22:04.156Z"
                      Version="2.0"
                      >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8081/auth/realms/test</saml:Issuer>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <dsig:Reference URI="#ID_1a5b931f-05b2-4b69-a32b-93cb7631fc98">
                <dsig:Transforms>
                    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </dsig:Transforms>
                <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <dsig:DigestValue>HMgEFe5f6mGdIlCwg8BRHif4JW8k7MLs+5V8j9BUwuE=</dsig:DigestValue>
            </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>...</dsig:SignatureValue>
        <dsig:KeyInfo>
            <dsig:KeyName>Yp3AF_Lz-EdxjwDdCJGk3dmvU9ZsWQE3SfV8pdT9OOQ</dsig:KeyName>
            <dsig:X509Data>
                <dsig:X509Certificate>...</dsig:X509Certificate>
            </dsig:X509Data>
            <dsig:KeyValue>
                <dsig:RSAKeyValue>
                    <dsig:Modulus>...</dsig:Modulus>
                    <dsig:Exponent>...</dsig:Exponent>
                </dsig:RSAKeyValue>
            </dsig:KeyValue>
        </dsig:KeyInfo>
    </dsig:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
</samlp:LogoutResponse>


So the reply states "Success" while at the same time it returns HTTP
500 (Internal Server Error). Is this a known bug? Or am I doing
something wrong?

This is the log on the server side:


13:21:19,378 WARN  [org.keycloak.protocol.saml.SamlService] (default
task-13) Unknown saml response.
13:21:19,380 WARN  [org.keycloak.events] (default task-13)
type=LOGOUT_ERROR, realmId=test, clientId=null, userId=null,
ipAddress=127.0.0.1, error=invalid_token
13:22:04,205 WARN  [org.keycloak.protocol.saml.SamlService] (default
task-20) Unknown saml response.
13:22:04,206 WARN  [org.keycloak.events] (default task-20)
type=LOGOUT_ERROR, realmId=test, clientId=null, userId=null,
ipAddress=127.0.0.1, error=invalid_token


Thanks,

Pieter

www.thehyve.nl
We empower scientists by building on open source software
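The exchange above is worth checking mechanically before deciding whether the IdP or the SP is at fault. The following is an added example, not code from the post or from Keycloak: it takes a SAML LogoutRequest/LogoutResponse pair plus the HTTP status code the response arrived with, and reports the inconsistencies a reviewer would look for (request/response correlation, whether the enveloped signature actually covers the message, SHA-1-based XML-DSig algorithms, and a SAML status that disagrees with the HTTP status). The two messages embedded below are constructed, trimmed copies of the ones in the post, with signature and certificate contents elided and the NameID replaced by a placeholder address; only the standard library is used.

```python
"""Consistency checks on a SAML 2.0 single-logout exchange (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# SHA-1 based XML-DSig algorithms; flagged because SHA-1 is deprecated for signatures.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

# Constructed, trimmed copy of the LogoutRequest from the post (NameID is a placeholder).
LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="http://localhost:8081/auth/realms/test/protocol/saml"
    ID="a370b54ee2i7g6j9275jbg40185b154" IssueInstant="2017-09-13T11:22:04.100Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">cbioportal</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#a370b54ee2i7g6j9275jbg40185b154">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.org</saml:NameID>
  <samlp:SessionIndex>2ce54b83-67c1-40fd-850d-947b29c721be</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# Constructed, trimmed copy of the LogoutResponse from the post.
LOGOUT_RESPONSE = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="http://localhost:8081/auth/realms/test/protocol/saml"
    ID="ID_1a5b931f-05b2-4b69-a32b-93cb7631fc98"
    InResponseTo="a370b54ee2i7g6j9275jbg40185b154"
    IssueInstant="2017-09-13T11:22:04.156Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8081/auth/realms/test</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#ID_1a5b931f-05b2-4b69-a32b-93cb7631fc98">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>"""


def check_logout_exchange(request_xml, response_xml, http_status):
    """Return a list of findings; an empty list means the exchange is consistent."""
    req = ET.fromstring(request_xml)
    resp = ET.fromstring(response_xml)
    findings = []

    # 1. Correlation: the response must answer exactly this request.
    if resp.get("InResponseTo") != req.get("ID"):
        findings.append("InResponseTo does not match request ID")

    # 2. The enveloped signature must reference the message's own ID (URI="#<ID>").
    for name, msg in (("request", req), ("response", resp)):
        ref = msg.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + (msg.get("ID") or ""):
            findings.append(f"{name}: signature Reference does not cover the message ID")

    # 3. Deprecated digest / signature algorithms anywhere in the message.
    for name, msg in (("request", req), ("response", resp)):
        for el in msg.iter():
            alg = el.get("Algorithm")
            if alg in WEAK_ALGORITHMS:
                findings.append(f"{name}: weak algorithm {alg}")

    # 4. SAML-level status and transport-level status must agree.
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    saml_ok = code is not None and code.get("Value") == SUCCESS
    http_ok = 200 <= http_status < 300
    if saml_ok != http_ok:
        findings.append(f"SAML status {'Success' if saml_ok else 'failure'} but HTTP {http_status}")
    return findings


if __name__ == "__main__":
    for f in check_logout_exchange(LOGOUT_REQUEST, LOGOUT_RESPONSE, 500):
        print("-", f)
```

Run against the post's exchange with HTTP 500, the checker reports the two SHA-1 algorithms in the request and the Success/500 disagreement; correlation and signature coverage are fine, which is why the SAML body alone looks healthy.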
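The server log pairs a `SamlService` warning with a `LOGOUT_ERROR` event on the same worker thread, which is the signal an operator would want to alert on rather than the HTTP 500 alone. The following is an added example, not code from the post or from Keycloak: it parses lines in the WildFly/Keycloak console format shown above into structured records, splits the `org.keycloak.events` key/value payload, correlates each "Unknown saml response." warning with the logout error logged on the same thread, and counts logout errors per source address. The sample lines are constructed from the post's log (plus one made-up successful LOGOUT line for contrast); the regular expression and the thread-based correlation are assumptions about the format, not a Keycloak API.

```python
"""Structured parsing and correlation of Keycloak logout-error log lines (added example)."""
import re
from collections import Counter

# Constructed sample log: the four lines from the post plus a fabricated successful LOGOUT.
LOG_LINES = [
    "13:21:19,378 WARN  [org.keycloak.protocol.saml.SamlService] (default task-13) Unknown saml response.",
    "13:21:19,380 WARN  [org.keycloak.events] (default task-13) type=LOGOUT_ERROR, realmId=test, "
    "clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_token",
    "13:22:04,205 WARN  [org.keycloak.protocol.saml.SamlService] (default task-20) Unknown saml response.",
    "13:22:04,206 WARN  [org.keycloak.events] (default task-20) type=LOGOUT_ERROR, realmId=test, "
    "clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_token",
    "13:25:00,001 INFO  [org.keycloak.events] (default task-21) type=LOGOUT, realmId=test, "
    "clientId=cbioportal, userId=1234, ipAddress=127.0.0.1",
]

# "<time> <LEVEL>  [<logger>] (<thread>) <message>"  (assumed console layout)
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<level>\w+)\s+\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Keycloak event lines carry a comma-separated key=value payload.
    if rec["logger"] == "org.keycloak.events":
        rec["event"] = dict(kv.split("=", 1) for kv in rec["msg"].split(", "))
    return rec


def correlate_unknown_response(lines):
    """Pair each 'Unknown saml response.' warning with the LOGOUT_ERROR event on the
    same worker thread, so the two symptoms are reported as one incident."""
    pending = {}      # thread -> SamlService warning record
    incidents = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["logger"].endswith("SamlService") and "Unknown saml response" in rec["msg"]:
            pending[rec["thread"]] = rec
        elif rec.get("event", {}).get("type") == "LOGOUT_ERROR" and rec["thread"] in pending:
            warn = pending.pop(rec["thread"])
            incidents.append({
                "thread": rec["thread"],
                "warned_at": warn["time"],
                "error": rec["event"].get("error"),
                "ip": rec["event"].get("ipAddress"),
            })
    return incidents


def logout_errors_by_ip(lines, threshold=2):
    """Count LOGOUT_ERROR events per source IP and return those at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("event", {}).get("type") == "LOGOUT_ERROR":
            counts[rec["event"].get("ipAddress", "?")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for inc in correlate_unknown_response(LOG_LINES):
        print(inc)
    print(logout_errors_by_ip(LOG_LINES))
```

The thread id is the only key shared by the two lines, so the correlation is deliberately narrow: a LOGOUT_ERROR with no preceding SamlService warning on that thread is left uncorrelated rather than guessed.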