Describe the bug
Logging out by sending a POST request to /logout sometimes fails, because the Saml2LogoutResponseFilter fails to find the associated LogoutRequest.
Why sometimes?
It looks like a timing issue. If I debug into Saml2RelyingPartyInitiatedLogoutSuccessHandler just before the redirect, everything works as expected every time.
If I run into the error case in Saml2LogoutResponseFilter, there are two sessions, one without the logout request (the current one) and a different one with the logout request.
So my expectation is that there is something going on in the background doing something with the session state. If that is not finished before the redirect, it fails. (Note: It's a Vaadin/GWT application, so a lot of back and forth is going on in the background).
To Reproduce
Integrate a SAML2 provider and send a POST request to /logout.
Expected behavior
I expect this to succeed every time I logout.
Sample
I don't have a sample yet, if that is required to better understand the issue, I can provide one.
Comment From: marcusdacoregio
Hi @scho, thanks for reaching out.
If you can isolate the problem and provide a sample it would be awesome. With the description, there isn't much we can simulate here to find the root cause.
Thank you.
Comment From: scho
I could isolate the issue and confirm my assumption.
When the POST request is sent to the /logout endpoint, Vaadin does some XHR requests in the background. This sometimes, depending on the timing, leads to the request being stored in the wrong session.
I could reproduce this behaviour in a minimal project, by sending XHR requests in the background while submitting the logout form.
To solve my issue, I ended up doing the logout in two steps:
- Go to logout.html which only contains the logout-form
- Automatically submit the form via JavaScript.
This way, the logout process is isolated and Vaadin can not send any requests in the background.
In my opinion, this is not a bug in Spring Security, but rather a consequence of how browsers work. @marcusdacoregio: Feel free to close this issue.
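The two-step workaround described in the comment above, written out as an added example (it is not code from the issue author or from Spring Security): a standalone logout.html that holds only the logout form and submits it as soon as the page has loaded, so no Vaadin client code is running while the POST to /logout is in flight. It assumes the default Spring Security logout endpoint (POST /logout) with CSRF protection enabled, and uses Thymeleaf attributes to render the CSRF token; the parameter name `_csrf` is Spring Security's default, and the Thymeleaf usage is an assumption about the rendering setup.

```html
<!DOCTYPE html>
<!-- logout.html: a page that contains nothing except the logout form.
     Added example; assumes Spring Security defaults (POST /logout, CSRF on)
     and Thymeleaf rendering for the CSRF token (assumption). -->
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Signing out</title>
</head>
<body>
  <!-- LogoutFilter only accepts POST by default and, with CSRF protection
       enabled (also the default), rejects the request without a valid token.
       "_csrf" is the default parameter name; the value must come from the
       server, here via Thymeleaf's th:name / th:value (assumption). -->
  <form id="logout-form" method="post" action="/logout">
    <input type="hidden" name="_csrf" value=""
           th:name="${_csrf.parameterName}" th:value="${_csrf.token}">
    <!-- Fallback for clients with JavaScript disabled. -->
    <noscript>
      <button type="submit">Sign out</button>
    </noscript>
  </form>
  <script>
    // Submit once the document is ready. This page carries no Vaadin/GWT
    // client code, so no XHR request can run concurrently with the logout
    // POST and the LogoutRequest ends up in the session the browser
    // presents when it is redirected back to the logout-response endpoint.
    document.addEventListener('DOMContentLoaded', function () {
      document.getElementById('logout-form').submit();
    });
  </script>
</body>
</html>
```

The application should reach this page with a full navigation (a plain link or `window.location` assignment), not a client-side route, so the Vaadin UI and its background requests are torn down before the form is submitted.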
Comment From: marcusdacoregio
Great. I'm glad that you could solve it. Feel free to reach out if you think Spring Security should behave differently.
Have a nice week.