Details
Bug
Resolution: Fixed
Major
COmanage Registry 4.0.0 (Purple Jade)
Description
This commit:
https://github.com/Internet2/comanage-registry/commit/517369fbfa77bf41bb0a96ed8ec91f6a5a23f7af
broke logout when used with an identity linking flow and the Shibboleth SP. Specifically the file app/webroot/auth/logout/index.php has a change that substitutes $_SERVER["REQUEST_URI"] for the string 'auth/logout' before trying to create the Location header value.
The problem is that $_SERVER["REQUEST_URI"] can contain a query string or a query fragment. It cannot be treated just as a simple string and needs to be parsed more carefully, or some other approach needs to be taken to compute the Location: header value.
The reason this breaks identity linking flows with the Shibboleth SP is that Apache is usually configured with a stanza like
RewriteEngine On
RewriteCond %{QUERY_STRING} !after_redirect
RewriteRule ^/registry/auth/logout.* https://%{HTTP_HOST}/Shibboleth.sso/Logout?return=https://%{HTTP_HOST}/registry/auth/logout/?after_redirect [L,R]
The query string is used to detect that the Shibboleth session has been ended and the browser is returning from that action to complete the COmanage Registry/PHP logout.
With the current (broken) code, the Location: header value returned is
/registry/?after_redirectusers/logout
It should be
/registry/users/logout/?after_redirect
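The plain-string handling the report describes, beside a version that parses the URI before rewriting the path, as an added PHP example: this is not the code in app/webroot/auth/logout/index.php, and locationNaive() is a reconstruction that reproduces the broken Location value quoted above (the linked commit may differ in detail).

```php
<?php
// Added example, not the project's own code. locationNaive() is an assumed
// reconstruction of the behaviour the report describes; locationParsed()
// shows one way to compute the Location: value that keeps the query string.

/**
 * Naive approach: treat REQUEST_URI as a plain string, strip 'auth/logout/'
 * and append 'users/logout'. If a query string is present it is left in
 * the middle of the resulting path.
 */
function locationNaive(string $requestUri): string
{
    $base = str_replace('auth/logout/', '', $requestUri);
    return $base . 'users/logout';
}

/**
 * Parse REQUEST_URI into path, query and fragment, rewrite only the path
 * component, then reattach the query (and fragment, if any) afterwards.
 */
function locationParsed(string $requestUri): string
{
    $parts = parse_url($requestUri);
    if ($parts === false || !isset($parts['path'])) {
        // Unparseable or pathless URI: fall back to a fixed relative target
        // rather than emitting a Location: header built from bad input.
        return '/users/logout';
    }
    $path = preg_replace('#auth/logout/?$#', 'users/logout/', $parts['path']);
    $location = $path;
    if (isset($parts['query'])) {
        $location .= '?' . $parts['query'];
    }
    if (isset($parts['fragment'])) {
        $location .= '#' . $parts['fragment'];
    }
    return $location;
}

// Constructed REQUEST_URI matching the return URL in the Apache rewrite above.
$uri = '/registry/auth/logout/?after_redirect';
echo 'naive:  ', locationNaive($uri), "\n";
echo 'parsed: ', locationParsed($uri), "\n";
```

With the constructed URI, the first line reproduces the broken value from the report and the second the expected one, because the after_redirect query survives the path rewrite instead of being glued into it.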