OIDC user session is not ended in the OIDC provider when an OIDC user logs out from Harbor
Description:
Harbor should log out from the OIDC provider too when an OIDC user logs out of Harbor. Currently, Harbor does not log out of the OIDC provider after an OIDC user logs out of Harbor. This is dangerous because anyone can then log in directly via the OIDC provider.
Keycloak supports logout by pointing to its logout endpoint, sending the token as a reference.
Steps to reproduce:
- Log in to Harbor with an OIDC user by clicking the "Login via OIDC provider" button
- Click the "Log out" button
Current result:
Harbor does not end the OIDC user's session in the OIDC provider after logging out from Harbor. If you click the "Login via OIDC provider" button again, you are logged in directly as the previous OIDC user.
Expected result: The OIDC user session should be ended on the OIDC provider too when the user logs out from Harbor.
Version: Harbor v1.10.3
Last time I checked the logout mechanism is implemented differently across providers, but I think I can investigate and try to figure out a relatively common workflow that works for some major providers.
Another concern is that other apps may also depend on this session; logging out of OIDC when logging out of Harbor may impact other apps.
@reynaulaque let me know your suggestion if you have experience in this area.
I do not have experience in this area; I just know that Keycloak supports logout. About the concern, you are right that another app can depend on this session, but it can log in again with its credentials if required. On the other hand, I think the risk is high when the session is not ended on the OIDC provider: for example, if you access Harbor from a public server, once you log out of Harbor, others can log in directly via OIDC and steal information because the session is still active.
By default, the .well-known/openid-configuration should contain an end_session_endpoint that should work across all providers following the OpenID spec.
We experience the same issue for Keycloak -> Harbor. A workaround until a fix could be calling the following URL after the Harbor logout: https://<keycloak_base_url/auth/realms/<Realm_name>/protocol/openid-connect/logout This will clean the session.
Harbor: Version v2.2.2
Hello, I see the same issue with Keycloak and Harbor. The workaround mentioned by @Dannyx323 works.
Harbor v2.3.2-6b6c21da
Do we have any update on this?
OIDC user session is not ended in OIDC provider when OIDC user logged out from Harbor.
Hello Everyone,
Could prompt=login be an option at the Harbor login stage to force re-authentication without the need for a global logout (I mean, at SSO level)?
This will impact the SSO UX, given the user will be forced to authenticate her/himself, but it will mitigate the risk of being logged in from the browser instance with which the OIDC session was started, after a clean and successful logout from Harbor.
HTH, Matteo
Do we have any updates on this? OIDC user session is not ended in OIDC provider when OIDC user logged out from Harbor. Where to configure the prompt?
We would also be interested in this. Maybe RP-Initiated Logout could be considered for this, as it's part of OIDC spec and widely supported. https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
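As an added example (not code from the Harbor project or from any commenter in this thread), the following Go program shows the two mechanisms discussed above: parsing the provider's discovery document for end_session_endpoint and building an RP-Initiated Logout redirect from it (id_token_hint plus a registered post_logout_redirect_uri), and, as the fallback when the provider publishes no end_session_endpoint, building the authorization request with prompt=login so the OP must re-authenticate. Go is used because Harbor itself is written in Go. The discovery document is a constructed sample in the shape a Keycloak realm publishes; the host, realm name, client_id "harbor", the redirect URIs and the ID token value are all placeholders, not values from a real deployment.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Discovery is the subset of the OpenID Provider metadata document
// (served at /.well-known/openid-configuration) that a relying party
// needs to start and to end a session.
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	EndSessionEndpoint    string `json:"end_session_endpoint"` // optional per spec
}

// sampleDiscovery is a constructed document in the shape a Keycloak realm
// publishes; host and realm name are placeholders, not a real deployment.
const sampleDiscovery = `{
  "issuer": "https://sso.example.test/auth/realms/demo",
  "authorization_endpoint": "https://sso.example.test/auth/realms/demo/protocol/openid-connect/auth",
  "end_session_endpoint": "https://sso.example.test/auth/realms/demo/protocol/openid-connect/logout"
}`

// ParseDiscovery decodes the metadata and checks the fields every RP needs.
func ParseDiscovery(doc []byte) (*Discovery, error) {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, fmt.Errorf("decode discovery document: %w", err)
	}
	if d.Issuer == "" || d.AuthorizationEndpoint == "" {
		return nil, errors.New("discovery document lacks issuer or authorization_endpoint")
	}
	return &d, nil
}

// LogoutURL builds the redirect for RP-Initiated Logout 1.0: the browser is
// sent to end_session_endpoint with the ID token received at login as
// id_token_hint, so the OP can identify and end the matching session, and
// with post_logout_redirect_uri (which must be registered at the OP) to
// return to the RP afterwards.
func LogoutURL(d *Discovery, idToken, clientID, postLogoutRedirect string) (string, error) {
	if d.EndSessionEndpoint == "" {
		return "", errors.New("provider publishes no end_session_endpoint: RP-initiated logout is not available")
	}
	if idToken == "" {
		return "", errors.New("id_token_hint is required to end the right OP session")
	}
	u, err := url.Parse(d.EndSessionEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("id_token_hint", idToken)
	q.Set("client_id", clientID)
	if postLogoutRedirect != "" {
		q.Set("post_logout_redirect_uri", postLogoutRedirect)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// ReauthURL builds the login redirect with prompt=login, the mitigation
// suggested in the thread: the OP must re-authenticate the user even if an
// SSO session is still alive, so a shared browser cannot silently resume it.
func ReauthURL(d *Discovery, clientID, redirectURI, state, nonce string) (string, error) {
	u, err := url.Parse(d.AuthorizationEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("scope", "openid")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("nonce", nonce)
	q.Set("prompt", "login")
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	d, err := ParseDiscovery([]byte(sampleDiscovery))
	if err != nil {
		panic(err)
	}
	// "header.payload.sig" stands in for the ID token the RP stored at login.
	lo, _ := LogoutURL(d, "header.payload.sig", "harbor", "https://harbor.example.test/")
	re, _ := ReauthURL(d, "harbor", "https://harbor.example.test/c/oidc/callback", "st4te", "n0nce")
	fmt.Println(lo)
	fmt.Println(re)
}
```

The RP has to keep the ID token from login to fill id_token_hint; without it the OP cannot tell which session to end, and some providers then fall back to a confirmation page or refuse the redirect. The prompt=login route does not end the SSO session at all, it only stops a new login from silently reusing it, so other applications sharing that session are unaffected, which is exactly the trade-off raised earlier in the thread.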
We are encountering this problem as well. (We're using Harbor with Keycloak.) It would be great if it could be fixed.
Same; I just configured Harbor Version v2.9.0-44f5702 and the latest Keycloak. Login works fine, group assignment is fine, ... but when I log out and click to log in, I am immediately logged in again, without the session being ended on logout. This is a problem :(
@Dannyx323 or @xzizka, where did you set it? Harbor is the only app I can't get the logout working for, and it's driving me nuts. I can't find the option anywhere, and I'd rather not rummage through the code itself if I don't know where to look.
If it is not fixed yet, you need to call it manually. Not possible to set it anywhere in Harbor.
Thanks @xzizka. I installed the latest version of Harbor and it's not working there either. It's bugging me, though, since it's the only app from the whole stack that can't do it. As soon as I have some time I might just "hack" it into the logout button.
As a hint, Grafana is doing it via a signout_redirect_url. Would be great to have the possibility in Harbor too.
Hello!
Unfortunately, it is not fixed yet. Only after I manually visit https://
Is there any other workaround to avoid automatically logging in after logout pressed? Thank you in advance