
Provide backchannel SSO logout endpoint

Open col-panic opened this issue 1 year ago • 11 comments

Currently pressing Logoff in redmine only closes the redmine session. Optionally a full SSO logoff should be possible.

col-panic avatar May 13 '24 11:05 col-panic

What do you mean with "optionally"?

picman avatar May 13 '24 11:05 picman

At the moment when logging off in Redmine (after logging into it with redmine_oauth) only redmine is logged out, while the OAUTH2 Session stays open.

There should be a configurable option (just like the don't show password login option) to perform SSO Logout on logging out in Redmine. So that both the redmine session and the SSO session are ended.

col-panic avatar May 13 '24 11:05 col-panic

But OAuth can be used from more than one application. E.g. you log out from Redmine but you don't want to be logged out from Azure too. I can add a new plugin option, something like "Force log out", or shouldn't it be per user?

picman avatar Sep 06 '24 09:09 picman

@picman you are right. If you end the session, then you only invalidate the redmine session, and as soon as you click the OpenId login (with a valid openid session) again, you will be logged into redmine again.

You could end the whole SSO session by calling the respective IdP endpoint, but if e.g. Azure is not configured to get the backchannel logout information, then it will stick as is.

So generally - every application after login has its own session cookies running, and it's a matter of how deep the specific application adopts SSO to what degree it will honor or prioritize SSO session information over its own session information.

Let's fix the scenario the other way round:

You end your SSO session with the IdP directly - so you consider every application you logged in via SSO to end its current session. Maybe this should be the real feature we adopt - supporting backchannel logouts! Here you would have to provide an endpoint which gets called by the IdP telling you to logoff user X.

col-panic avatar Sep 08 '24 16:09 col-panic

I've implemented 'OAuth logout' if checked out in the settings. Could you test the logout branch please?

picman avatar Sep 11 '24 12:09 picman

Will check after https://github.com/kontron/redmine_oauth/issues/36 is integrated (easier ...)

col-panic avatar Sep 13 '24 12:09 col-panic

Merged into devel.

picman avatar Sep 13 '24 14:09 picman

What is the "Backchannel logout URL" to configure to Keycloak?


col-panic avatar Sep 13 '24 15:09 col-panic

I think that you can configure here for example a URL for password change, and as soon as a user calls a password change, it will log them out. You should leave it empty; it shouldn't have anything to do with Redmine logout.

picman avatar Sep 16 '24 06:09 picman

Thank you @picman for the patch, I have several points/questions on this

  1. What does "Update login" effectively do?
  2. You implemented a SSO Logoff. That is, if I select the "OAuth logout" option, then I will logoff the SSO Session with Keycloak, which is good, but not the focus of this issue, resp. this is another feature (we should rename the issue for this).
  3. Backchannel logout would require an endpoint which is being called by Keycloak to invalidate my existing redmine session. The use-case is: I have a SSO Session with keycloak, and now I logout under https://keycloak/user - now I want all associated services to respect this logout and make the sessions invalid. Here this would involve that my redmine session gets invalidated.

col-panic avatar Sep 17 '24 15:09 col-panic
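The endpoint col-panic describes in point 3 receives an OIDC back-channel logout token from the IdP and must invalidate the matching Redmine sessions. The following is an added example, not code from redmine_oauth; it assumes the IdP signs the `logout_token` with RS256, that the RP holds the IdP's public key, and it uses a constructed in-memory array as a stand-in for the real session store. The token-minting helper only exists to build sample input.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Event URI that marks a JWT as a back-channel logout token (OIDC Back-Channel Logout 1.0).
LOGOUT_EVENT = 'http://schemas.openid.net/event/backchannel-logout'

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def unb64url(str)
  Base64.urlsafe_decode64(str)
end

# What the IdP does: mint an RS256-signed logout token. Used here only to construct sample input.
def sign_logout_token(claims, private_key)
  signing_input = "#{b64url({ alg: 'RS256', typ: 'JWT' }.to_json)}.#{b64url(claims.to_json)}"
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# RP side: check the signature and the claim rules of OIDC Back-Channel Logout 1.0, section 2.6.
def verify_logout_token(token, public_key, issuer:, client_id:, now: Time.now.to_i)
  h, p, s = token.split('.')
  raise 'malformed token' unless h && p && s
  header = JSON.parse(unb64url(h))
  raise 'unexpected alg' unless header['alg'] == 'RS256' # never accept "none" or an HMAC alg here
  raise 'bad signature' unless public_key.verify(OpenSSL::Digest.new('SHA256'), unb64url(s), "#{h}.#{p}")
  c = JSON.parse(unb64url(p))
  raise 'wrong issuer' unless c['iss'] == issuer
  raise 'wrong audience' unless Array(c['aud']).include?(client_id)
  raise 'expired' unless c['exp'].is_a?(Integer) && now < c['exp']
  raise 'missing logout event' unless c['events'].is_a?(Hash) && c['events'].key?(LOGOUT_EVENT)
  raise 'nonce is prohibited' if c.key?('nonce') # a nonce would mean this is an ID token, not a logout token
  raise 'need sub or sid' unless c['sub'] || c['sid']
  c
end

# Endpoint logic: a sid logs out that one session, a sub alone logs out every session of that user.
# `sessions` is a constructed stand-in for the RP session store: array of { id:, sub:, sid: }.
# Returns the ids that were invalidated.
def backchannel_logout(token, public_key, sessions, issuer:, client_id:)
  c = verify_logout_token(token, public_key, issuer: issuer, client_id: client_id)
  gone, kept = sessions.partition { |x| c['sid'] ? x[:sid] == c['sid'] : x[:sub] == c['sub'] }
  sessions.replace(kept)
  gone.map { |x| x[:id] }
end
```

In a real plugin the stand-in array would be replaced by a lookup of Redmine sessions keyed by the IdP's `sid`, which the RP has to record at login time for this to work.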

I'm not sure about this at the moment, could we probably move this to 2.2.6 and give it some time to think about?! I could then re-arrange the issues with better descriptions feedback!

col-panic avatar Sep 17 '24 15:09 col-panic