403 Forbidden in user logout on XP7

Enonic version: 7.2.0
OS: Linux

Vhost mapping:

mapping.admin.host = localhost
mapping.admin.source = /admin
mapping.admin.target = /admin
mapping.admin.idProvider.system = default

mapping.b.host = localhost
mapping.b.source = /
mapping.b.target = /site/default/master/Site
mapping.b.idProvider.membercare = default

I’m working on upgrading an app from Enonic XP 6.11.1 to XP 7.2.0. Users from a custom idProvider called ‘membercare’ can log in to the system and access the Content Studio interface.

The problem is when the user tries to log out. After clicking the default logout button in the bottom right corner of the Enonic panel, a ‘403 Forbidden’ page is rendered with the message “‘membercare’ id provider is forbidden” and the URL “http://localhost:8080/admin/tool/com.enonic.xp.app.main/launcher/_/idprovider/membercare/logout?redirect=http%3A%2F%2Flocalhost%3A8080%2Fadmin%2Ftool&_ticket=5336da81d600a91d753e856c531155164571285d”, and the user logout isn’t done.

I think that this may be a bug in the logout implementation, since the logout button URL is managed by Enonic. The logout method in the idProvider from my app is not requested in this case. In the XP 6.11.1 version the logout button requests the URL “/admin/tool/com.enonic.xp.admin.ui/launcher/_/idprovider/membercare/logout?redirect=http%3A%2F%2Freview.sp.conductor.seeds.no%2Fadmin%2Ftool&_ticket=60206d63335640a9cb8cc5a31941e025ae0940b9” and it works fine.

Has anybody experienced something like this?

Hmm. Seems to me you have configured the “standard” idProvider to be active for /admin, not “membercare”? This would explain the 403, but not why you are redirected to its login. Maybe you logged in using membercare on the site first?

Yes, the “standard” idProvider is set for /admin, in order to allow admin users to log in to Enonic.

The problem with logout occurs when a user from the “membercare” idProvider is logged in to the Enonic system and tries to log out. “Membercare” users log in to the system on a specific page in the site (site.no/global-login) first.

For security reasons, you need to explicitly declare all available idProviders in XP7 per vhost. So simply add this line to support sign out from the admin console as well.

Mapping.admin.idprovider.membercare

I tried to add the line “mapping.admin.idprovider.membercare” to the vhost config, but the same problem occurs. Maybe I need to assign something to the line instead of ‘default’ to declare it along with the system idProvider?

PS: When I replace “mapping.admin.idProvider.system = default” with “mapping.admin.idProvider.membercare = default”, the logout works, but the /admin page fails.

AFAIK, when you are logged in using a specific idProvider, the “logoutUrl” will attempt to use the same idProvider. The default setting indicates that this is the idProvider that will be given control when a 401 error is handled.

Generally, I would recommend avoiding using two different idProviders for the same vhost, even if this is possible.

We’ve fixed this issue using the enable option.

For /admin vhost config:
mapping.admin.idProvider.membercare = enabled
mapping.admin.idProvider.system = default

For / vhost config in the same URL:
mapping.b.idProvider.membercare = default
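As an added illustration (not code from the thread or from Enonic), here is a small Python model of how the vhost mapping above is resolved and why the membercare logout endpoint under /admin returned 403 before the `enabled` line was added. The parser, the longest-prefix source match, the 403/200 outcome of the `_/idprovider/<name>/...` endpoint and the one-default-per-mapping lint are assumptions made for this example, modelled on the behaviour described in the thread, not Enonic’s implementation; both config samples are constructed from the posts above.

```python
from collections import defaultdict

# Constructed samples for this example (not Enonic's own files): the thread's
# original vhost config, and the fixed version with the extra 'enabled' line.
ORIGINAL_CONFIG = """
mapping.admin.host = localhost
mapping.admin.source = /admin
mapping.admin.target = /admin
mapping.admin.idProvider.system = default

mapping.b.host = localhost
mapping.b.source = /
mapping.b.target = /site/default/master/Site
mapping.b.idProvider.membercare = default
"""
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "mapping.admin.idProvider.system = default",
    "mapping.admin.idProvider.membercare = enabled\n"
    "mapping.admin.idProvider.system = default",
)


def parse_vhost(text):
    """Parse 'mapping.<name>.<key> = value' lines (hypothetical parser, not XP's).

    Returns {name: {"host": ..., "source": ..., "target": ..., "idProviders": {provider: mode}}}.
    Assumption: keys are case-sensitive, so a segment such as 'idprovider' is rejected.
    """
    mappings = defaultdict(lambda: {"idProviders": {}})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        parts = key.strip().split(".")
        if not sep or parts[0] != "mapping":
            raise ValueError(f"unrecognised line: {line!r}")
        if len(parts) == 3:
            mappings[parts[1]][parts[2]] = value.strip()
        elif len(parts) == 4 and parts[2] == "idProvider":
            mappings[parts[1]]["idProviders"][parts[3]] = value.strip()
        else:
            raise ValueError(f"unrecognised key: {key.strip()!r}")
    return dict(mappings)


def resolve_mapping(mappings, host, path):
    """Pick the mapping whose 'source' is the longest prefix of the request path.

    Assumption: the most specific source wins (so /admin/... goes to 'admin', not 'b').
    """
    best = None
    for name, m in mappings.items():
        if m.get("host") != host:
            continue
        src = m.get("source", "/")
        if path == src or path.startswith(src.rstrip("/") + "/"):
            if best is None or len(src) > len(mappings[best].get("source", "/")):
                best = name
    return best


def idprovider_request_status(mappings, host, path, provider):
    """HTTP status the '<path>/_/idprovider/<provider>/...' endpoint would return.

    Models the thread's behaviour: 403 when the provider is not declared (default
    or enabled) on the vhost that serves 'path', otherwise 200.
    """
    name = resolve_mapping(mappings, host, path)
    if name is None:
        return 404
    return 200 if provider in mappings[name]["idProviders"] else 403


def default_provider(mappings, host, path):
    """The idProvider handed control on a 401 for this path: the one marked 'default'."""
    name = resolve_mapping(mappings, host, path)
    if name is None:
        return None
    defaults = [p for p, mode in mappings[name]["idProviders"].items() if mode == "default"]
    return defaults[0] if len(defaults) == 1 else None


def lint_vhost(mappings):
    """Warnings for mappings without exactly one 'default' provider or with an unknown mode."""
    warnings = []
    for name, m in mappings.items():
        modes = m["idProviders"]
        if sum(1 for mode in modes.values() if mode == "default") != 1:
            warnings.append(f"{name}: expected exactly one idProvider marked 'default'")
        for provider, mode in modes.items():
            if mode not in ("default", "enabled"):
                warnings.append(f"{name}: idProvider {provider!r} has unknown mode {mode!r}")
    return warnings


if __name__ == "__main__":
    logout_path = "/admin/tool/com.enonic.xp.app.main/launcher"
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        m = parse_vhost(cfg)
        print(label, "membercare logout under /admin ->",
              idprovider_request_status(m, "localhost", logout_path, "membercare"),
              "| lint:", lint_vhost(m) or "clean")
```

Running it prints 403 for the original config and 200 for the fixed one, while `default_provider` still reports `system` for /admin and `membercare` for the site, which is the split the last reply describes: `enabled` makes the provider’s endpoints reachable on /admin without changing which provider handles a 401 there.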

Thanks!
