
Unable to logout using Keycloak setup where issuer_uri isn't possible

Open ChrisSamo632 opened this issue 2 years ago • 5 comments

Describe the bug

Using Keycloak for Auth with ODD, but not able to use the issuer_uri due to Docker networking difficulties, means we cannot Logout from ODD.

Set up

Docker Compose stack, with:

  • ghcr.io/opendatadiscovery/odd-platform:0.14.1
  • quay.io/keycloak/keycloak:22.0.1

Because we're using Docker, we have had to skip using the issuer_uri as there is no URL (on MacOS) that allows connectivity both from within the ODD Platform container (e.g. for the token_uri) and the user's browser (e.g. for the authorization_uri). On Linux/Windows, the host.docker.internal URL could be used, but this doesn't work on Mac (not an ODD problem).

Instead, we have setup endpoints individually for:

  • token_uri (internal connection between odd-platform and keycloak, e.g. http://keycloak)
  • jwk_set_uri (internal)
  • user_info_uri (internal)
  • authorization_uri (external connection from user's browser to keycloak, e.g. http://localhost)

There is no way of specifying the logout_uri with this setup - it seems like the ODDOAuth2PropertiesConverter doesn't set the logoutUri separately from the provided properties; ODDIAMLogoutSuccessHandler then only gets the logout_uri from the issuer_uri (if provided).

Steps to Reproduce

Steps to reproduce the behavior:

  1. Configure ODD with Keycloak using separate endpoint URIs
  2. Login to ODD through Keycloak
  3. Attempt to Logout from ODD - note that while you go through some "Logout" screens, the user's Keycloak session isn't terminated and navigating back to ODD Dashboard shows they are still logged in, without the need for credentials to be resupplied

Expected behavior

ODD Logout terminates the Keycloak session via the Keycloak /logout endpoint.

ChrisSamo632, Jul 28 '23 14:07

Hey, @ChrisSamo632 !

  1. Are you sure, that host.docker.internal doesn't work on MacOS? I have MacOS as well and it works for me.
  2. By default ODD uses Spring's OidcClientInitiatedServerLogoutSuccessHandler.java, which gets the logout endpoint from the provider. This should work for Keycloak, but I will double-check and come back to you!

damirabdul, Jul 28 '23 14:07

A few of us have tried and the host.docker.internal address hasn't been working for us and we've (so far) not figured out why - it works between containers, but not from our browser to a container. It would be ideal if this does work for us, and I'll keep trying.

ODD (Spring) does indeed take the logout_uri details from issuer_uri, but we've not been able to configure ODD using that method because of the connectivity details, which is why we're in this position. The login and auth side of things seems fine by specifying the individual endpoints, just not the logout.

If we get the host.docker.internal address working, then this problem goes away for us, although would still be nice to be able to provide this URI directly as there might be instances in other environments where a single domain/address can't be used.

ChrisSamo632, Jul 28 '23 14:07

@ChrisSamo632 got it. We will add this to our roadmap, thanks for pointing it out.

damirabdul, Jul 28 '23 15:07

For anyone that comes across this in future and is having similar problems with Docker (Desktop) on MacOS, I've found that the host.docker.internal address isn't (always) being configured (e.g. via the /etc/hosts file within MacOS), which is why my original attempts to use the issuer_uri were failing on MacOS machines (although they worked fine in Windows) - this appears to be a problem with Docker (Desktop) installations that keeps recurring (I'm currently using MacOS Ventura 13.5, with Docker Desktop 4.21.1).

However, kubernetes.docker.internal does get configured in the MacOS /etc/hosts and is usable from within Docker containers for container-to-container communication.

So, setting the ODD issuer_uri to use the kubernetes.docker.internal domain in our docker-compose.yml has allowed this to work and there's no longer need to use the separate endpoint overrides!

That said, I still think that allowing a logout_uri override would be beneficial for ODD Platform as other environments may have the same sort of issue, e.g. if we hosted ODD Platform alongside Keycloak within an AWS ECS service, ODD would be able to talk to Keycloak via localhost, but users would be using an external domain for connectivity - this might then need the separate endpoint configuration (or ODD Platform to use the external Keycloak address, which is arguably less secure, and almost certainly more expensive in such a setup).

ChrisSamo632, Aug 01 '23 11:08
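As an added sketch (not ODD Platform's or Spring Security's own code) of the override discussed in this thread: a reactive logout success handler that uses an explicitly configured logout URI when one is set and otherwise falls back to the end_session_endpoint that issuer_uri discovery supplies, so the Keycloak SSO session is ended with an id_token_hint either way instead of only the local ODD session. The class name, the logout_uri and post-logout-redirect parameters, and how ODD would wire them in are assumptions.

```java
import java.net.URI;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.server.DefaultServerRedirectStrategy;
import org.springframework.security.web.server.ServerRedirectStrategy;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;
import org.springframework.web.util.UriComponentsBuilder;
import reactor.core.publisher.Mono;

// Added illustration: prefers an explicit logout URI (hypothetical logout_uri property) and
// falls back to the end_session_endpoint that issuer_uri discovery would otherwise supply.
public record ExplicitLogoutUriSuccessHandler(
        ReactiveClientRegistrationRepository registrations,
        URI explicitLogoutUri,       // null when no logout_uri override is configured
        URI postLogoutRedirectUri    // where Keycloak sends the browser afterwards
) implements ServerLogoutSuccessHandler {
    private static final ServerRedirectStrategy REDIRECT = new DefaultServerRedirectStrategy();

    // Explicit override wins; otherwise use end_session_endpoint from the provider metadata.
    static URI endSessionEndpoint(URI explicit, ClientRegistration registration) {
        if (explicit != null) {
            return explicit;
        }
        Object fromMetadata = registration.getProviderDetails()
                .getConfigurationMetadata().get("end_session_endpoint");
        return fromMetadata == null ? null : URI.create(fromMetadata.toString());
    }

    @Override
    public Mono<Void> onLogoutSuccess(WebFilterExchange exchange, Authentication authentication) {
        if (!(authentication instanceof OAuth2AuthenticationToken token)
                || !(token.getPrincipal() instanceof OidcUser user)) {
            return REDIRECT.sendRedirect(exchange.getExchange(), postLogoutRedirectUri);
        }
        return registrations.findByRegistrationId(token.getAuthorizedClientRegistrationId())
                .flatMap(reg -> Mono.justOrEmpty(endSessionEndpoint(explicitLogoutUri, reg)))
                .map(endpoint -> UriComponentsBuilder.fromUri(endpoint)
                        // id_token_hint lets Keycloak end the matching SSO session; without this
                        // redirect the session survives and the user is silently logged back in
                        .queryParam("id_token_hint", user.getIdToken().getTokenValue())
                        .queryParam("post_logout_redirect_uri", postLogoutRedirectUri)
                        .build().toUri())
                .defaultIfEmpty(postLogoutRedirectUri)   // no endpoint known: local logout only
                .flatMap(uri -> REDIRECT.sendRedirect(exchange.getExchange(), uri));
    }
}
```

The explicit URI must be the address the user's browser can reach (the authorization_uri host in the setup above), since the redirect is followed client-side, not by the ODD container.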

While I believe adding a customization possibility to logout_uri would be beneficial in the short term, it won't help overall, as we will for sure encounter the same problems in any other place you intend to connect to your bare-metal machine from an ODD platform instance running inside a container.

Haarolean, Aug 01 '23 14:08