Bug #16913

[controller] logout error in federation configuration with login controller

Added by Ward Vandewege about 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: -
Target version:
Start date: 09/28/2020
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: -
Release relationship: Auto

Description

Logged in as activated (admin) user on Tordo. Click "log out" on tordo:

https://tordo.arvadosapi.com/logout?return_to=https%3A%2F%2Fworkbench.tordo.arvadosapi.com%2F

{"errors":["configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, and Login.Test must be enabled"]}


Subtasks

Task #16917: Review 16913-logout (Resolved, Ward Vandewege)

Associated revisions

Revision c9c0706a
Added by Peter Amstutz about 1 year ago

Merge branch '16913-logout' closes #16913

Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <>

History

#1 Updated by Ward Vandewege about 1 year ago

  • Description updated (diff)

#2 Updated by Peter Amstutz about 1 year ago

  • Assigned To set to Peter Amstutz

#3 Updated by Peter Amstutz about 1 year ago

  1. Logout from workbench1 only clears cookies; it doesn't revoke the token.
  2. The Logout route in controller only sends you to the remote cluster if you provided a v2 token to be revoked.
  3. Because no token is provided, it uses the "local" Connection which invokes errorLoginController.

As it happens, workbench never provides an API token to be revoked on log out. This makes the long-standing "logging out doesn't revoke tokens" behavior possible, which enables users to copy their web session token into a shell.

We will tighten up this behavior. This is covered in #16520.

For the time being, the immediate solution is to include the case where LoginCluster is set, and provide a controller that returns noopLogout.

#4 Updated by Peter Amstutz about 1 year ago

16913-logout @ arvados|7d91fe636e1ce09697fdff28b43e4020df041f17

https://ci.arvados.org/view/Developer/job/developer-run-tests/2123/

  • Treat Login.LoginCluster as a distinct login method
  • federatedLoginController performs noopLogout() like most of the other methods (this fixes the original bug)
  • As a side effect, the configuration behavior has changed from "error if another method is not set" to "error if another method is set". Added a note in the upgrade notes.
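
A simplified model of the configuration check described in note #4, added here as an illustration; it is not Arvados code and not part of the thread. `LoginConfig`, `chooseMethod` and the cluster ID `zzzzz` are hypothetical, and the boolean flag switches between the behavior before the change (LoginCluster not counted) and after it (LoginCluster counted as a login method).

```go
package main

import (
	"errors"
	"fmt"
)

// LoginConfig is a constructed stand-in for the cluster's Login section, not
// the Arvados type. Method names follow the error message in the description.
type LoginConfig struct {
	Google, OpenIDConnect, SSO, PAM, LDAP, Test bool
	// LoginCluster is non-empty when logins are delegated to a remote cluster.
	LoginCluster string
}

var ErrConfig = errors.New("configuration problem: exactly one login method must be enabled")

// chooseMethod returns the single enabled login method. With
// countLoginCluster=false it models the behavior before the fix (LoginCluster
// is ignored); with true, a non-empty LoginCluster counts as a method.
func chooseMethod(c LoginConfig, countLoginCluster bool) (string, error) {
	candidates := []struct {
		name string
		on   bool
	}{
		{"Google", c.Google}, {"OpenIDConnect", c.OpenIDConnect}, {"SSO", c.SSO},
		{"PAM", c.PAM}, {"LDAP", c.LDAP}, {"Test", c.Test},
		{"LoginCluster", countLoginCluster && c.LoginCluster != ""},
	}
	var enabled []string
	for _, m := range candidates {
		if m.on {
			enabled = append(enabled, m.name)
		}
	}
	if len(enabled) != 1 {
		return "", fmt.Errorf("%w (enabled: %v)", ErrConfig, enabled)
	}
	return enabled[0], nil
}

func main() {
	// Constructed configs: a federated cluster alone, and one that also sets PAM.
	federated := LoginConfig{LoginCluster: "zzzzz"}
	mixed := LoginConfig{LoginCluster: "zzzzz", PAM: true}
	for _, counted := range []bool{false, true} {
		m1, e1 := chooseMethod(federated, counted)
		m2, e2 := chooseMethod(mixed, counted)
		fmt.Printf("counted=%v: federated=%q err=%v; mixed=%q err=%v\n", counted, m1, e1, m2, e2)
	}
}
```
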

#5 Updated by Peter Amstutz about 1 year ago

  • Status changed from New to In Progress

#6 Updated by Ward Vandewege about 1 year ago

LGTM thanks

#7 Updated by Peter Amstutz about 1 year ago

  • Status changed from In Progress to Resolved

#8 Updated by Peter Amstutz about 1 year ago

  • Release set to 25
