Cannot logout user account on che dashboard
Summary
When logging out using the Logout button on che dashboard, it logs out and logs in immediately.
I use Keycloak as the OIDC provider. Not sure if I misconfigured anything in Keycloak or Che.
Relevant information
This is the log after I log out:
10.192.76.39:48736 - acb84c09c2b4a8487d0126c0e22e1fa3 - [email protected] [2024/09/20 08:34:11] [AuthSuccess] Authenticated via OAuth2: Session{email:[email protected] user:f6d09018-f217-4fa4-9302-9d8a11d0d63f PreferredUsername:che-user token:true id_token:true created:2024-09-20 08:34:11.151334944 +0000 UTC m=+1017.964253406 expires:2024-09-20 08:39:11.14600942 +0000 UTC m=+1317.958927893 refresh_token:true}
10.192.76.39:48736 - a521a75fd7d4b2cdfeb40b70fa944786 - [email protected] [2024/09/20 08:34:11] che.stengg-devcheworkspaces.com GET / "/dashboard/" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0" 200 964 0.005
My gateway configuration
gateway:
  deployment:
    containers:
      - name: oauth-proxy
        env:
          - name: OAUTH2_PROXY_COOKIE_CSRF_PER_REQUEST
            value: "true"
  oAuthProxy:
    cookieExpireSeconds: 300
https://github.com/user-attachments/assets/dfee52d6-df56-44b7-b01a-18109487ac70
che version 7.89
oidc: keycloak
kubernetes: AWS EKS
@tolusha could you take a look please
This is the log after I log out; it logs in immediately:
10.192.76.39:48736 - acb84c09c2b4a8487d0126c0e22e1fa3 - [email protected] [2024/09/20 08:34:11] [AuthSuccess] Authenticated via OAuth2: Session{email:[email protected] user:f6d09018-f217-4fa4-9302-9d8a11d0d63f PreferredUsername:che-user token:true id_token:true created:2024-09-20 08:34:11.151334944 +0000 UTC m=+1017.964253406 expires:2024-09-20 08:39:11.14600942 +0000 UTC m=+1317.958927893 refresh_token:true}
10.192.76.39:48736 - a521a75fd7d4b2cdfeb40b70fa944786 - [email protected] [2024/09/20 08:34:11] che.stengg-devcheworkspaces.com GET / "/dashboard/" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0" 200 964 0.005
Hello. I am currently investigating the issue
Upload video
https://github.com/user-attachments/assets/fcad7185-74cd-4c03-be23-89b101e8352c
@olexii4 @akurinnoy
When a user clicks logout, the dashboard simply redirects the request to /oauth/sign_out
According to the OAuth2 proxy documentation [2], this is not enough and an automatic log-in might happen, so we need to add a redirect URL. In the case of Keycloak it will be https://<keycloak_domain>/realms/che/protocol/openid-connect/logout
[1] https://github.com/eclipse-che/che-dashboard/blob/main/packages/dashboard-frontend/src/services/helpers/login.ts#L18
[2] https://oauth2-proxy.github.io/oauth2-proxy/features/endpoints/#sign-out
Some discussion on how not to show the logout confirmation window:
https://github.com/keycloak/keycloak/discussions/12183
@tolusha does this problem happen with other OIDC providers or only with Keycloak? Is there any quick fix I can try at the moment (configuration, code snippet, etc.)?
Is there any quick fix I can try at the moment (configuration, code snippet, etc.)?
Unfortunately no. I will take this issue into a new sprint which starts tomorrow.
@huonguyenlt After updating OAuth2 proxy image to v7.6.0, the issue can be resolved by updating checluster CR:
spec:
  networking:
    auth:
      gateway:
        deployment:
          containers:
            - env:
                - name: OAUTH2_PROXY_BACKEND_LOGOUT_URL
                  value: http://<KEYCLOAK_HOST>/realms/<CHE_REALM>/protocol/openid-connect/logout?id_token_hint={id_token}
              name: oauth-proxy
[1] https://github.com/eclipse-che/che-operator/pull/1935
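A way to check from the gateway logs whether a logout actually ended the session, as an added example that is not part of the original thread or of the Che or oauth2-proxy code: it flags a request to /oauth/sign_out that is followed within seconds by an [AuthSuccess] from the same client address, the symptom reported above. The sample log lines, the 10-second window and the function name are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

SIGN_OUT_PATH = "/oauth/sign_out"   # proxy sign-out endpoint named in this thread
WINDOW = timedelta(seconds=10)      # assumption: a silent SSO re-login completes within seconds

# Prefix shared by oauth2-proxy request and auth log lines, as in the lines quoted in the thread:
# <ip>:<port> - <request id> - <user> [<timestamp>] <rest>
PREFIX = re.compile(r'^(?P<ip>\S+):\d+ - \S+ - (?P<user>\S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')

# Constructed sample (addresses, request ids and e-mails are made up).
SAMPLE_LOG = """\
10.0.0.5:48736 - 1111 - user@example.com [2024/09/20 08:34:10] che.example.com GET - "/oauth/sign_out" HTTP/1.1 "Mozilla/5.0" 302 0 0.001
10.0.0.5:48736 - 2222 - user@example.com [2024/09/20 08:34:11] [AuthSuccess] Authenticated via OAuth2: Session{email:user@example.com user:abc}
10.0.0.9:50100 - 3333 - other@example.com [2024/09/20 08:40:00] che.example.com GET - "/oauth/sign_out" HTTP/1.1 "Mozilla/5.0" 302 0 0.001
10.0.0.9:50100 - 4444 - other@example.com [2024/09/20 09:15:00] [AuthSuccess] Authenticated via OAuth2: Session{email:other@example.com user:def}
"""

def find_ineffective_logouts(log_text, window=WINDOW):
    """Return (ip, user, sign_out_time, auth_time) for each sign-out that was
    followed by a new authenticated session from the same client within `window`."""
    last_sign_out = {}   # client IP -> time of its most recent sign-out request
    findings = []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue     # not an oauth2-proxy request/auth line
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        ip, rest = m["ip"], m["rest"]
        if f'"{SIGN_OUT_PATH}' in rest:
            last_sign_out[ip] = ts
        elif rest.startswith("[AuthSuccess]") and ip in last_sign_out:
            signed_out = last_sign_out.pop(ip)
            # An interactive login needs credentials and takes longer than the window;
            # a re-login this fast means the identity provider session was still alive.
            if timedelta(0) <= ts - signed_out <= window:
                findings.append((ip, m["user"], signed_out, ts))
    return findings

if __name__ == "__main__":
    for ip, user, out_ts, in_ts in find_ineffective_logouts(SAMPLE_LOG):
        print(f"{user} from {ip}: signed out {out_ts}, re-authenticated {in_ts}")
```

Matching on client address alone can merge users behind a shared NAT or proxy, so treat a hit as a prompt to inspect the session rather than as proof.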