4 changes: 3 additions & 1 deletion lib/context.js
Expand Up @@ -454,6 +454,7 @@ class ResponseContext {
res.setHeader('cache-control', 'no-store');
const logoutToken = req.body.logout_token;
if (!logoutToken) {
debug('req.oidc.backchannelLogout() failed due to missing logout token', req.body);
Copilot AI Jul 18, 2025
Logging the entire req.body could potentially expose sensitive information. Consider logging only non-sensitive fields or a sanitized version of the request body.

Suggested change
debug('req.oidc.backchannelLogout() failed due to missing logout token', req.body);
debug('req.oidc.backchannelLogout() failed due to missing logout token. logout_token present: %s', !!req.body.logout_token);

Logging the entire req.body exposes sensitive information that may be present in the request. The logout token itself could contain sensitive claims, and other fields in the body might contain secrets.

Suggested change
debug('req.oidc.backchannelLogout() failed due to missing logout token', req.body);
debug('req.oidc.backchannelLogout() failed due to missing logout token. logout_token present: %s', !!req.body.logout_token);

res.status(400).json({
error: 'invalid_request',
error_description: 'Missing logout_token',
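Review bot: the new debug line at the top of this hunk passes the whole req.body to the logger on the missing-token path, so every posted field is copied into debug output. This branch is taken because logout_token is absent, so what helps diagnosis is which keys did arrive, not their values; `debug('req.oidc.backchannelLogout() failed due to missing logout token, body keys: %O', Object.keys(req.body))` gives that without echoing request contents (req.body is already dereferenced on the line above, so it is an object here).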
Expand All @@ -474,6 +475,7 @@ class ResponseContext {
algorithms: [config.idTokenSigningAlg],
});
} catch (e) {
debug('req.oidc.backchannelLogout() failed verifying jwt with: %s', e.message);
res.status(400).json({
error: 'invalid_request',
error_description: e.message,
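Review bot: the added debug line records only e.message for the verification failure, and that same message is already returned to the caller in error_description a few lines below, so the log carries nothing extra. Including e.name (or the JWT library's error code, where it exposes one) lets expired-token, bad-signature and wrong-issuer failures be told apart when reading the log: `debug('req.oidc.backchannelLogout() failed verifying jwt with: %s %s', e.name, e.message)`.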
Expand All @@ -483,7 +485,7 @@ class ResponseContext {
try {
await onToken(token, config);
} catch (e) {
debug('req.oidc.backchannelLogout() failed with: %s', e.message);
debug('req.oidc.backchannelLogout() failed logging out the token with: %s', e.message);
res.status(400).json({
error: 'application_error',
error_description: `The application failed to invalidate the session.`,
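Review bot: one wording point on the reworded debug line: it now says "failed logging out the token" while the error_description sent to the caller in the same block says "failed to invalidate the session"; aligning the two phrasings (the response wording is the clearer of the two) makes it easier to match a client-side error report to the server-side log entry. The shared "req.oidc.backchannelLogout() failed" prefix across the three debug calls in this file is good for grepping and worth keeping.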
2 changes: 1 addition & 1 deletion middleware/auth.js
Expand Up @@ -22,7 +22,7 @@ const enforceLeadingSlash = (path) => {
*/
const auth = function (params) {
const config = getConfig(params);
debug('configuration object processed, resulting configuration: %O', config);
debug('configuration object processed, resulting configuration: %O', {...config, clientSecret: "REDACTED", secret: "REDACTED"});
Copilot AI Jul 18, 2025
The spread operator approach may not handle nested objects containing sensitive data. Consider using a dedicated function to recursively redact sensitive fields or ensure no nested sensitive data exists in the config object.

Suggested change
debug('configuration object processed, resulting configuration: %O', {...config, clientSecret: "REDACTED", secret: "REDACTED"});
const redactSensitiveFields = (obj, fieldsToRedact) => {
if (obj && typeof obj === 'object') {
return Object.keys(obj).reduce((acc, key) => {
acc[key] = fieldsToRedact.includes(key)
? "REDACTED"
: redactSensitiveFields(obj[key], fieldsToRedact);
return acc;
}, Array.isArray(obj) ? [] : {});
}
return obj;
};
const redactedConfig = redactSensitiveFields(config, ['clientSecret', 'secret']);
debug('configuration object processed, resulting configuration: %O', redactedConfig);

The spread operator approach only handles top-level properties. If the config object contains nested objects with sensitive fields, they won't be redacted. Consider using a recursive redaction function to handle nested sensitive data.

Suggested change
debug('configuration object processed, resulting configuration: %O', {...config, clientSecret: "REDACTED", secret: "REDACTED"});
const redactSensitiveFields = (obj) => {
if (!obj || typeof obj !== 'object') return obj;
const result = Array.isArray(obj) ? [...obj] : { ...obj };
Object.keys(result).forEach(key => {
if (['clientSecret', 'secret'].includes(key)) {
result[key] = 'REDACTED';
} else if (typeof result[key] === 'object') {
result[key] = redactSensitiveFields(result[key]);
}
});
return result;
};
debug('configuration object processed, resulting configuration: %O', redactSensitiveFields(config));

const router = new express.Router();
const transient = new TransientCookieHandler(config);

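Review bot: the spread on the changed debug line writes the literal "REDACTED" for clientSecret and secret even when the option was never set, so the log can no longer show that a key is absent; `clientSecret: config.clientSecret && 'REDACTED'` (and likewise for secret) keeps an unset value printing as undefined while still hiding a set one. Separately, %O inspects nested objects, so any other secret-bearing option that config may hold (a private key used for client authentication, for example) is still printed in full; an allow-list of the fields worth logging, or the recursive redaction the review comment above proposes, is more robust than patching two top-level keys.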