ckanext-oauth2

No Logout Configuration

Open SamuelBradley opened this issue 5 years ago • 5 comments

There doesn't seem to be any way to configure the API call that gets made on logout, so CKAN isn't actually logging me out of my account, i.e. when I press logout and then login I am not prompted to log in again.

SamuelBradley avatar Aug 28 '19 01:08 SamuelBradley

Sorry, but the behaviour you describe is the intended one. When you log out, you close your session in your CKAN instance but not in your OAuth provider.

For this reason, if you click log in again, you will be automatically logged in, as you are already logged in to your OAuth provider.

Br Aitor


aitormagan avatar Aug 28 '19 05:08 aitormagan

In my (private) fork I solved this issue for keycloak. Since OAuth2Plugin already implements IAuthenticator, if a logout() function is added to this class, it will be called on logout. The username can be retrieved using repoze.who. With the stored token for this username, the logout on keycloak can be called with a library like "python-keycloak" or "python-keycloak-client".

pazepaze avatar Jul 03 '20 11:07 pazepaze

@aitormagan so in CKAN native there isn't a method that could handle this kind of issue?

@pazepaze is that implementation visible on your repo? I don't use Keycloak unfortunately, but perhaps it could be useful to have a look at it.

Thanks for your attention.

marcyborg avatar Mar 09 '21 21:03 marcyborg

Sure, that's how I did it:

in plugin.py

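class OAuth2Plugin(plugins.SingletonPlugin):
    ...

    def logout(self):
        # CKAN calls this on logout because the plugin implements IAuthenticator.
        environ = toolkit.request.environ
        identity = environ.get('repoze.who.identity') or {}
        user_name = identity.get('repoze.who.userid')
        if not user_name:
            # No authenticated identity on this request, so there is no token to look up.
            log.debug('No repoze.who identity found, skipping keycloak logout')
            return

        log.debug('Trying to logout user %s in keycloak...', user_name)
        stored_token = self.oauth2helper.get_stored_token(user_name)
        if stored_token:
            try:
                # The keycloak session is ended with the stored refresh token.
                self.keycloak_openid.logout(stored_token['refresh_token'])
            except Exception:
                # Keep the CKAN logout working, but record why the keycloak call failed.
                log.warning('Failed to logout user %s in keycloak!', user_name, exc_info=True)
        else:
            log.warning('No token stored for user %s', user_name)

    ...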

keycloak_openid is just the keycloak client instance from the python-keycloak library

pazepaze avatar Mar 10 '21 07:03 pazepaze
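For readers without python-keycloak, or with a different OAuth2 provider, the provider-side logout call discussed above can be built with the Python 3 standard library alone. This is an added example, not code from the thread or from ckanext-oauth2; the function names, endpoint URLs and client credentials are assumptions, and it goes beyond the Keycloak case by also covering generic RFC 7009 token revocation.

```python
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample values (assumptions, replace with your provider's settings).
KEYCLOAK_LOGOUT = "https://idp.example.org/realms/demo/protocol/openid-connect/logout"
RFC7009_REVOKE = "https://idp.example.org/oauth2/revoke"


def build_logout_request(endpoint, client_id, client_secret, refresh_token,
                         style="keycloak"):
    """Build the POST that ends the provider-side session or revokes the token.

    style="keycloak": Keycloak OpenID Connect logout endpoint (refresh_token field).
    style="rfc7009":  generic OAuth2 revocation (token + token_type_hint fields).
    """
    # The body carries the client secret and a refresh token: never send it in clear.
    if not endpoint.lower().startswith("https://"):
        raise ValueError("logout endpoint must use HTTPS")
    if not refresh_token:
        raise ValueError("no refresh token stored for this user")

    form = {"client_id": client_id, "client_secret": client_secret}
    if style == "keycloak":
        form["refresh_token"] = refresh_token
    elif style == "rfc7009":
        form["token"] = refresh_token
        form["token_type_hint"] = "refresh_token"
    else:
        raise ValueError("unknown style: %r" % style)

    body = urllib.parse.urlencode(form).encode("utf-8")
    return urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def provider_logout(request, timeout=5):
    """Send the request; True only if the provider answered with a 2xx status."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.URLError:
        # HTTPError (4xx/5xx) is a URLError subclass; the caller should log this
        # and still complete the local CKAN logout.
        return False
```

With the RFC 7009 style the refresh token is revoked, but whether the provider also ends the browser's single sign-on session depends on the provider.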

Hi @pazepaze, I just have a question. I tried to use your code and I have installed $ pip install python-keycloak but when I run my container I keep getting the same error:

from keycloak import KeycloakOpenID
ImportError: No module named keycloak

Any ideas why this is happening?

Thanks!

sanamart avatar Aug 04 '21 06:08 sanamart