You probably need to upgrade to >= 2.4.7, as the release notes suggest; also see #542.
Hi,
We are using mod_auth_openidc together with keycloak.
During a penetration test we found a problem related to session management.
If you save the session cookie from the browser you can reuse it to reach any protected resource after logout.
What we see:
After logout the cookie is deleted from the browser.
The Keycloak session is invalidated; Apache cannot refresh the access token.
Log entries during logout:
[Sun Jul 04 16:55:23.724576 2021] [auth_openidc:debug] [pid 10190] src/mod_auth_openidc.c(4000): [client 3.254.124.206:34002] oidc_check_user_id: incoming request: "/redirect_uri?logout=https://10.97.226.139/landing", ap_is_initial_req(r)=1
[Sun Jul 04 16:55:23.724592 2021] [auth_openidc:debug] [pid 10190] src/util.c(2316): [client 3.254.124.206:34002] oidc_util_hdr_in_get: Host=10.97.226.139
[Sun Jul 04 16:55:23.724599 2021] [auth_openidc:debug] [pid 10190] src/util.c(2316): [client 3.254.124.206:34002] oidc_util_hdr_in_get: Host=10.97.226.139
[Sun Jul 04 16:55:23.724607 2021] [auth_openidc:debug] [pid 10190] src/util.c(537): [client 3.254.124.206:34002] oidc_get_redirect_uri: determined absolute redirect uri: https://10.97.226.139/redirect_uri
[Sun Jul 04 16:55:23.724615 2021] [auth_openidc:debug] [pid 10190] src/util.c(2316): [client 3.254.124.206:34002] oidc_util_hdr_in_get: Cookie=mod_auth_openidc_state_NEUUgJhfD6WPCBznowBbQgBkiaM=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..-L3vuTMctsjcR9HW.SEaV-rbLTx_3AsAnolDXeH9_0UPkhZSJnuqS21wYC6O4O0Aa2awnu_FdgkMAOiL5EyOR7Anvy168B9dvx11Uldh2q0nkDbSQKd_naELiUEaflUt-AsTO5BnFLo_kq5UXII8UBGJT51s1DBSBnJchE1Zr1EVpPz3icTB9C3c65BrVNAexmWeNYs_XbB7SjVwPLaZjhD45ovTGaG7zExEDHUcypRh7-TsUap1Z6BFG8mJvr5YHdnLB8PLBMZVJSNX2cphmznsd4VKrHdrMLCVbMN2OYBaA5eN5aWgnRLvMkKm0g1c-XvCPbYQ13Q0Q7WdirKzBhPDachGf1R1p-Rd-CDKTMNabOoayacy60zs4pxjZJYRvxlV3i7oqk1IAXqmR7g.u9NRxxEO9rFyt73-j_UlPA; mod_auth_openidc_session=f8de4c07-02ce-4e15-be47-d97b4d1a4e52
[Sun Jul 04 16:55:23.724647 2021] [auth_openidc:debug] [pid 10190] src/util.c(1055): [client 3.254.124.206:34002] oidc_util_get_cookie: returning "mod_auth_openidc_session" = "f8de4c07-02ce-4e15-be47-d97b4d1a4e52"
[Sun Jul 04 16:55:23.724655 2021] [auth_openidc:debug] [pid 10190] src/cache/common.c(581): [client 3.254.124.206:34002] oidc_cache_get: enter: f8de4c07-02ce-4e15-be47-d97b4d1a4e52 (section=s, decrypt=1, type=file)
[Sun Jul 04 16:55:23.724828 2021] [auth_openidc:debug] [pid 10190] src/cache/common.c(615): [client 3.254.124.206:34002] oidc_cache_get: cache hit: return 4278 bytes from file cache backend for encrypted key FLRUUfIbrRZZ0YdqZVx7Pg4LW2KwcK1ES0o_q1eCQSM
...
[Sun Jul 04 16:55:23.921928 2021] [auth_openidc:debug] [pid 10190] src/cache/common.c(640): [client 3.254.124.206:34002] oidc_cache_set: enter: f:690433b7-eb0a-4343-9b5b-8f49bdea5303:service@https://10.97.226.139/auth/realms/aws (section=d, len=0, encrypt=1, ttl(s)=-1625410523, type=file)
[Sun Jul 04 16:55:23.921995 2021] [auth_openidc:debug] [pid 10190] src/cache/file.c(287): [client 3.254.124.206:34002] oidc_cache_file_clean: last cleanup call was less than 60 seconds ago (next one as early as in 35 secs)
[Sun Jul 04 16:55:23.922105 2021] [auth_openidc:debug] [pid 10190] src/cache/common.c(668): [client 3.254.124.206:34002] oidc_cache_set: successfully stored 0 bytes in file cache backend for encrypted key fGBrO13_p-5wNYxLK3-iMnuKGwB_G2gug2SOLU12tEI
[Sun Jul 04 16:55:23.922137 2021] [auth_openidc:debug] [pid 10190] src/util.c(945): [client 3.254.124.206:34002] oidc_util_set_cookie_append_value: no cookie append environment variable OIDC_SET_COOKIE_APPEND found
[Sun Jul 04 16:55:23.922146 2021] [auth_openidc:debug] [pid 10190] src/util.c(2394): [client 3.254.124.206:34002] oidc_util_hdr_err_out_add: Set-Cookie: mod_auth_openidc_session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=None
[Sun Jul 04 16:55:23.922154 2021] [auth_openidc:debug] [pid 10190] src/cache/common.c(640): [client 3.254.124.206:34002] oidc_cache_set: enter: (section=s, len=0, encrypt=1, ttl(s)=-1625410523, type=file)
[Sun Jul 04 16:55:23.922183 2021] [auth_openidc:debug] [pid 10190] src/cache/file.c(287): [client 3.254.124.206:34002] oidc_cache_file_clean: last cleanup call was less than 60 seconds ago (next one as early as in 35 secs)
[Sun Jul 04 16:55:23.922238 2021] [auth_openidc:error] [pid 10190] [client 3.254.124.206:34002] oidc_cache_file_set: could not delete cache file "/tmp/mod-auth-openidc-s-BSAoOMA7Ei_5o6xKTfoSEc_nTIlqbBEpNXfaADAbZtI" (No such file or directory)
[Sun Jul 04 16:55:23.922250 2021] [auth_openidc:debug] [pid 10190] src/cache/common.c(668): [client 3.254.124.206:34002] oidc_cache_set: successfully stored 0 bytes in file cache backend for encrypted key BSAoOMA7Ei_5o6xKTfoSEc_nTIlqbBEpNXfaADAbZtI
After logout, reaching a protected resource:
[Sun Jul 04 16:55:33.536065 2021] [auth_openidc:debug] [pid 30584] src/util.c(2316): [client 3.254.124.206:26642] oidc_util_hdr_in_get: Cookie=mod_auth_openidc_state_NEUUgJhfD6WPCBznowBbQgBkiaM=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..-L3vuTMctsjcR9HW.SEaV-rbLTx_3AsAnolDXeH9_0UPkhZSJnuqS21wYC6O4O0Aa2awnu_FdgkMAOiL5EyOR7Anvy168B9dvx11Uldh2q0nkDbSQKd_naELiUEaflUt-AsTO5BnFLo_kq5UXII8UBGJT51s1DBSBnJchE1Zr1EVpPz3icTB9C3c65BrVNAexmWeNYs_XbB7SjVwPLaZjhD45ovTGaG7zExEDHUcypRh7-TsUap1Z6BFG8mJvr5YHdnLB8PLBMZVJSNX2cphmznsd4VKrHdrMLCVbMN2OYBaA5eN5aWgnRLvMkKm0g1c-XvCPbYQ13Q0Q7WdirKzBhPDachGf1R1p-Rd-CDKTMNabOoayacy60zs4pxjZJYRvxlV3i7oqk1IAXqmR7g.u9NRxxEO9rFyt73-j_UlPA; mod_auth_openidc_session=f8de4c07-02ce-4e15-be47-d97b4d1a4e52, referer: https://10.97.226.139/fav
[Sun Jul 04 16:55:33.536080 2021] [auth_openidc:debug] [pid 30584] src/util.c(1055): [client 3.254.124.206:26642] oidc_util_get_cookie: returning "mod_auth_openidc_session" = "f8de4c07-02ce-4e15-be47-d97b4d1a4e52", referer: https://10.97.226.139/fav
[Sun Jul 04 16:55:33.536089 2021] [auth_openidc:debug] [pid 30584] src/cache/common.c(581): [client 3.254.124.206:26642] oidc_cache_get: enter: f8de4c07-02ce-4e15-be47-d97b4d1a4e52 (section=s, decrypt=1, type=file), referer: https://10.97.226.139/fav
[Sun Jul 04 16:55:33.536220 2021] [auth_openidc:debug] [pid 30584] src/cache/common.c(615): [client 3.254.124.206:26642] oidc_cache_get: cache hit: return 4278 bytes from file cache backend for encrypted key FLRUUfIbrRZZ0YdqZVx7Pg4LW2KwcK1ES0o_q1eCQSM, referer: https://10.97.226.139/fav
Can you please check this?
Thanks in advance!
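A detection pass over log entries of the shape quoted in this report, added here as an example and not code from the mod_auth_openidc project: it correlates the Set-Cookie that expires mod_auth_openidc_session at logout with any later oidc_cache_get cache hit for the same session id, which is the behaviour the post describes. The sample lines are constructed after the post's own log (same session id and client addresses, source paths abridged), and the correlation assumes that entries of one request share the pid and client address:port, as they do in that log.

```python
import re
from datetime import datetime

# Sample entries constructed after the debug log quoted in the post above (same
# session id and client addresses, source paths abridged); not a verbatim copy.
SAMPLE_LOG = """\
[Sun Jul 04 16:55:23.724647 2021] [auth_openidc:debug] [pid 10190] src/util.c(1055): [client 3.254.124.206:34002] oidc_util_get_cookie: returning "mod_auth_openidc_session" = "f8de4c07-02ce-4e15-be47-d97b4d1a4e52"
[Sun Jul 04 16:55:23.922146 2021] [auth_openidc:debug] [pid 10190] src/util.c(2394): [client 3.254.124.206:34002] oidc_util_hdr_err_out_add: Set-Cookie: mod_auth_openidc_session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=None
[Sun Jul 04 16:55:23.922238 2021] [auth_openidc:error] [pid 10190] [client 3.254.124.206:34002] oidc_cache_file_set: could not delete cache file "/tmp/mod-auth-openidc-s-BSAoOMA7Ei_5o6xKTfoSEc_nTIlqbBEpNXfaADAbZtI" (No such file or directory)
[Sun Jul 04 16:55:33.536080 2021] [auth_openidc:debug] [pid 30584] src/util.c(1055): [client 3.254.124.206:26642] oidc_util_get_cookie: returning "mod_auth_openidc_session" = "f8de4c07-02ce-4e15-be47-d97b4d1a4e52", referer: https://10.97.226.139/fav
[Sun Jul 04 16:55:33.536220 2021] [auth_openidc:debug] [pid 30584] src/cache/common.c(615): [client 3.254.124.206:26642] oidc_cache_get: cache hit: return 4278 bytes from file cache backend for encrypted key FLRUUfIbrRZZ0YdqZVx7Pg4LW2KwcK1ES0o_q1eCQSM, referer: https://10.97.226.139/fav
"""

# Apache error_log entry: timestamp, module level, pid, optional source location
# (absent on error-level lines), client address:port, message.
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[auth_openidc:\w+\] \[pid (?P<pid>\d+)\] "
                  r"(?:\S+ )?\[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
COOKIE = re.compile(r'oidc_util_get_cookie: returning "mod_auth_openidc_session" = "([^"]+)"')
CLEAR = "Set-Cookie: mod_auth_openidc_session=;"  # module expiring the cookie at logout
HIT = "oidc_cache_get: cache hit"                  # session entry still served from cache

def parse(line):
    """Split one log line into (timestamp, (pid, client), message), or None."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return ts, (m["pid"], m["client"]), m["msg"]

def find_reuse_after_logout(log_text):
    """Return (session_id, cleared_at, hit_at) for every cache hit served to a
    session cookie after the module had already expired that cookie."""
    current = {}     # (pid, client) -> session id presented in that request
    logged_out = {}  # session id -> time its cookie was cleared
    findings = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, req, msg = parsed
        cookie = COOKIE.search(msg)
        if cookie:
            current[req] = cookie.group(1)
        elif CLEAR in msg and req in current:
            logged_out[current[req]] = ts
        elif HIT in msg and current.get(req) in logged_out:
            sid = current[req]
            if ts > logged_out[sid]:
                findings.append((sid, logged_out[sid], ts))
    return findings
```

Calling find_reuse_after_logout(SAMPLE_LOG) yields one finding: session f8de4c07-02ce-4e15-be47-d97b4d1a4e52 cleared at 16:55:23.922146 and still served from the cache at 16:55:33.536220.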