After 12.10.11, issues with logout when using redirect

Cracky5457 · January 17, 2022, 11:23am

Hello

We have an issue with our custom logout redirection with version 12.10.11. We are redirecting to keycloak logout then to xwiki main page. This code works perfectly with 12.10.4. The keycloak version didn’t change

So for org.xwiki.platform.topmenu.right we have a velocity code

{{velocity}}
#if ($xcontext.user != 'XWiki.XWikiGuest')
  #set($redirectUrl="https://keycloak-dev.ebrains.eu/auth/realms/hbp/protocol/openid-connect/logout?redirect_uri=https://wiki-dev.ebrains.eu/bin/view/Main/")
  #set($clbAuthUrl = $xwiki.getURL('XWiki.XWikiLogout', 'logout', "xredirect=$escapetool.url($redirectUrl)")) 
  #set($clbAuthText = $escapetool.xml($services.localization.render('logout')))
  #set($clbAuthIcon = $escapetool.xml('fa fa-sign-out'))
#else
  // login

But with 12.10.11 we are just redirected to a blank page, and the keycloak logout is not even performed.

Screenshot 2022-01-17 at 12.19.39

Maybe it’s reproducible with any double redirect.

Do you have any ideas of changes between 12.10.4 on 12.10.11 that could explain this behavior ?

tmortagne · January 17, 2022, 1:38pm

If you look at the log, you will probably find a warning telling you that this is not an allowed redirect. See https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Configuration/#HTrusteddomains for more details on this new protection.