
Logout form Dashboard not working (DevWorkspace)

Open martinelli-francesco opened this issue 3 years ago • 12 comments

Describe the bug

If I press logout in the dashboard I am redirected to the home page but I am still logged in. I am using DevWorkspace and an external OIDC (auth0) on EKS.

It seems that the following is missing: "redirect the user to the authentication provider's sign out page afterwards using the rd query parameter". ref. https://oauth2-proxy.github.io/oauth2-proxy/docs/features/endpoints#sign-out

Che version

7.42@latest

Steps to reproduce

  1. Successfully login via external OIDC
  2. Logout from the dashboard

Expected behavior

After clicking logout, I should be redirected to the external OIDC login page.

Runtime

Kubernetes (vanilla)

Screenshots

No response

Installation method

chectl/latest

Environment

Amazon

Eclipse Che Logs

No response

Additional context

No response

martinelli-francesco avatar Jan 31 '22 14:01 martinelli-francesco

@martinelli-francesco hello, just checked against the 7.43.0-next version and logout is working just fine via the /oauth/sign_out request

Could you please provide more details including the deployment method and the version of the project.


ibuziuk avatar Feb 03 '22 08:02 ibuziuk

I deployed 7.42 (DevWorkspace) using chectl (stable channel) on EKS (Amazon Kubernetes) and configured an auth0 instance as OIDC. I opened the browser developer tools and compared the calls after logging out of Eclipse Che and of another application where the logout works. I noticed that the logout call to the OIDC is missing. It simply calls the dashboard logout, which removes the oauth proxy cookie, but without calling the OIDC logout the OIDC cookie is not removed. So it looks exactly like what I wrote in the initial post (and what is documented in oauth2-proxy):

It seems that the following is missing: "redirect the user to the authentication provider's sign out page afterwards using the rd query parameter". ref. https://oauth2-proxy.github.io/oauth2-proxy/docs/features/endpoints#sign-out

Probably tomorrow I can try to update to version 7.43.0-next to see if it is fixed.

martinelli-francesco avatar Feb 03 '22 09:02 martinelli-francesco

Probably tomorrow I can try to update to version 7.43.0-next to see if it is fixed.

Thank you, if it is still reproducible, please provide the http request sequence from the Network tab

ibuziuk avatar Feb 03 '22 09:02 ibuziuk

Just installed 7.43.0 and unfortunately the issue persists. Below is the http request sequence:

As you can see the external OIDC sign out redirect is missing as already described.

martinelli-francesco avatar Feb 04 '22 10:02 martinelli-francesco

@olexii4 @akurinnoy folks, could you please take a look? My understanding is that we are missing the /oauth2/sign_out processing on the UD end

https://oauth2-proxy.github.io/oauth2-proxy/docs/features/endpoints/#sign-out

ibuziuk avatar Feb 07 '22 14:02 ibuziuk

@ibuziuk that's possible, but then we somehow need to let the dashboard know which authentication is used, so it could navigate to the correct endpoint.

@martinelli-francesco are you able to configure the OIDC you use to change the endpoint to /oauth/sign_out? If so then logout will work correctly.

akurinnoy avatar Feb 08 '22 06:02 akurinnoy

I am using auth0 and in auth0 the logout endpoint is not configurable: https://auth0.com/docs/api/authentication#logout

martinelli-francesco avatar Feb 08 '22 08:02 martinelli-francesco

@skabashnyuk could you please take a look and advise how the auth config should be retrieved on the UD? Basically, my understanding is that /oauth/sign_out is currently hardcoded on the UD end. We could technically re-try the call with /oauth2/sign_out if /oauth/sign_out returns 404, but this looks like a workaround.

ibuziuk avatar Feb 08 '22 10:02 ibuziuk

/oauth/sign_out is correct but is missing the rd parameter. So, what I expect is that the logout button should redirect to /oauth/sign_out?rd=<my_oidc_signout_page> instead of /oauth/sign_out only. <my_oidc_signout_page> is a configuration that depends on the configured OIDC, so it should be a configuration provided by the user in the same way as client_id, OIDC_URL, ... The OIDC configurations are handled by the oauth2-proxy component, so probably a new configuration in the CR is needed because the oauth2-proxy configuration is managed by the Che operator.

ref. https://oauth2-proxy.github.io/oauth2-proxy/docs/features/endpoints/#sign-out

martinelli-francesco avatar Feb 08 '22 10:02 martinelli-francesco

@martinelli-francesco ok, so the only thing that is missing is the rd= parameter. Would you be interested in contributing this functionality to the project?

ibuziuk avatar Feb 08 '22 11:02 ibuziuk

Unfortunately, I cannot currently plan to develop this feature.

So currently, what I can suggest is the high level implementation (hopefully it will help):

  • Add the configuration OIDC_END_SESSION_ENDPOINT to the dashboard container
  • if it has no value -> logout behaves as in the current implementation
  • if it has a value, the logout button should redirect to /oauth/sign_out?rd={OIDC_END_SESSION_ENDPOINT}

Also, the domain name should be added in the oauth2-proxy configuration:

BEWARE that the domain you want to redirect to (my-oidc-provider.example.com in the example) must be added to the --whitelist-domain configuration option otherwise the redirect will be ignored.

martinelli-francesco avatar Feb 08 '22 15:02 martinelli-francesco
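An added example, written for this thread and not code from the Che dashboard or from oauth2-proxy, sketching the two pieces the last two comments by martinelli-francesco describe: building the logout URL with the `rd` parameter when an end-session endpoint is configured, and the `--whitelist-domain` check oauth2-proxy applies to `rd` before redirecting. The function names, the matching rule for whitelist entries (exact host, or any subdomain for entries starting with a dot) and the fallback to `/` when the redirect is rejected are my approximation of oauth2-proxy's behaviour, not its source; all hostnames are constructed.

```typescript
// Added example (not Che dashboard or oauth2-proxy code).

// Build the URL the dashboard logout button would navigate to, following
// the suggestion in the thread:
//   - OIDC_END_SESSION_ENDPOINT unset  -> /oauth/sign_out (current behaviour)
//   - OIDC_END_SESSION_ENDPOINT set    -> /oauth/sign_out?rd=<url-encoded endpoint>
export function buildLogoutUrl(endSessionEndpoint: string | undefined): string {
  const base = '/oauth/sign_out';
  if (!endSessionEndpoint) {
    return base;
  }
  // Encode the whole endpoint so its own query string (e.g. client_id=...)
  // survives as part of the rd value instead of being parsed by the proxy.
  return `${base}?rd=${encodeURIComponent(endSessionEndpoint)}`;
}

// Approximation (assumption) of oauth2-proxy's redirect validation:
//   - a relative path or a URL on the proxy's own host is always allowed
//   - an absolute URL is allowed only if its hostname matches a whitelist entry:
//       "example.com"  matches exactly that host
//       ".example.com" matches any subdomain of example.com
//   - anything that is not http(s) or does not parse is rejected
export function isRedirectAllowed(
  rd: string,
  whitelistDomains: string[],
  proxyHost: string,
): boolean {
  let url: URL;
  try {
    // Relative rd values resolve against the proxy's own origin.
    url = new URL(rd, `https://${proxyHost}`);
  } catch {
    return false;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return false;
  }
  if (url.host === proxyHost) {
    return true;
  }
  return whitelistDomains.some((entry) =>
    entry.startsWith('.')
      ? url.hostname.endsWith(entry)
      : url.hostname === entry,
  );
}

// Where the proxy would send the browser after clearing its cookie:
// the rd target when whitelisted, otherwise the default "/" (so the
// OIDC end-session page is silently skipped, which is the symptom reported).
export function resolveSignOutRedirect(
  rd: string | null,
  whitelistDomains: string[],
  proxyHost: string,
): string {
  if (rd && isRedirectAllowed(rd, whitelistDomains, proxyHost)) {
    return rd;
  }
  return '/';
}

// Constructed walk-through of the reported flow.
const endSession = 'https://my-oidc-provider.example.com/v2/logout?client_id=abc';
console.log(buildLogoutUrl(undefined));   // current behaviour: /oauth/sign_out
console.log(buildLogoutUrl(endSession));  // with rd parameter
console.log(resolveSignOutRedirect(endSession, [], 'che.example.org'));                                   // "/" : domain not whitelisted
console.log(resolveSignOutRedirect(endSession, ['my-oidc-provider.example.com'], 'che.example.org')); // end-session URL
```

The second `resolveSignOutRedirect` call is the case the quoted oauth2-proxy warning is about: without `my-oidc-provider.example.com` in `--whitelist-domain`, the `rd` value is dropped and the user lands back on the dashboard with the provider session still alive.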

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

che-bot avatar Aug 08 '22 00:08 che-bot

This issue is still present on Che 7.52 (GKE, OIDC). Here's the http request sequence:


gustavoromerobenitez avatar Aug 31 '22 16:08 gustavoromerobenitez