DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

SLO not working / not implemented for Native Keycloak Integration #5933

Open mircea-pavel-anton opened 2 years ago

mircea-pavel-anton commented 2 years ago

Bug description

I have managed to get SSO working via Keycloak on my instance, but it seems that SLO is not working / not implemented.

While DefectDojo can use Keycloak to authenticate, it seems that past that point the two are not aware of each other's state. Ending the Keycloak session will not log out the active DefectDojo user, and, similarly, logging out from DefectDojo will not end the Keycloak session.

Steps to reproduce Keycloak session ending not logging out DefectDojo:

  1. Configure SSO via Keycloak as per the official docs.
  2. Go to your DefectDojo instance and click on the Login with Keycloak button. (screenshot)
  3. At this point, you should be greeted by the dashboard. (screenshot)
  4. Go to your Keycloak admin panel, go to Clients, select your defectdojo client and then open the Sessions tab. You should see the number of active sessions as being 1. (screenshot)
  5. From any other SSO-enabled app, or from Keycloak itself, end that client's session.
  6. Go back to your Keycloak admin page and see the active sessions count for the defectdojo client be 0. (screenshot)
  7. Go to your DefectDojo instance and see that you are still logged in, even though the session has ended.

Steps to reproduce DefectDojo logout not ending Keycloak session:

  1. Configure SSO via Keycloak as per the official docs.
  2. Go to your DefectDojo instance and click on the Login with Keycloak button. (screenshot)
  3. At this point, you should be greeted by the dashboard. (screenshot)
  4. Go to your Keycloak admin panel, go to Clients, select your defectdojo client and then open the Sessions tab. You should see the number of active sessions as being 1. (screenshot)
  5. Go back to your DefectDojo instance and log out. (screenshots)
  6. In your Keycloak panel, on the client page, in the Sessions tab, the number of active sessions is still 1. (screenshot)

Expected behavior

Both apps should be aware of each other's state. Ending the Keycloak session should log me out of DefectDojo, and a DefectDojo logout should cause the Keycloak session to end.

Logs

No unusual logs are produced by the defectdojo-django pod or by the keycloak pod.

Additional context (optional)

What I have tried:

I have taken a bit of a look at the python-social-auth plugin that is used in the SSO integration, and it seems that there is a REVOKE_TOKEN_URL that may do that, but I don't see it documented as working for the Keycloak integration. I haven't looked into it much further than that.

The extraConfig params given to my defectdojo instance:

  DD_SOCIAL_LOGIN_AUTO_REDIRECT: 'True'
  DD_SOCIAL_AUTH_SHOW_LOGIN_FORM: 'True'

  # Recommended settings for Keycloak SSO
  DD_SESSION_COOKIE_SECURE: 'True'
  DD_CSRF_COOKIE_SECURE: 'True'
  DD_SECURE_SSL_REDIRECT: 'True'

  # Keycloak SSO Config
  DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_ENABLED: 'True'
  DD_SOCIAL_AUTH_KEYCLOAK_KEY: "<keycloak_client_id>"
  DD_SOCIAL_AUTH_KEYCLOAK_SECRET: "<keycloak_client_secret>"
  DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL: 'https://<keycloak url>/auth/realms/<realm name>/protocol/openid-connect/auth'
  DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL: 'https://<keycloak url>/auth/realms/<realm name>/protocol/openid-connect/token'
  DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY: '<keycloak realm public key here>'

My Keycloak client configuration:

Main Configuration: (screenshot)

Fine Grain Configuration: (screenshot)

Mappers: (screenshot)

oliversommer commented 2 years ago

I am not part of the DefectDojo dev team as such, but I've been involved in providing the Keycloak mapping glue code, so I am happy to take a look and see if I can help solve issues or generally support. Thanks for providing those detailed results, I will try to reproduce ASAP.

edit: if the issue is just about adding a REVOKE_TOKEN_URL then it should be fairly trivial. Will check that.

mircea-pavel-anton commented 2 years ago

Yeah, I am not sure if it's as simple as adding the revoke token URL, but that would be the first place I'd check to see if it's an easy fix or not. By the name of it, it should be what we're looking for (I think), but it's just a guess at this point.

jfmrm commented 1 year ago

I'm still seeing the same error.

teyhouse commented 10 months ago

Bump: This is still an issue

oliversommer commented 10 months ago

So the thing here is: the underlying framework used for OAuth/OIDC (mentioned here) does not support these types of logouts, at least I could not see how; I would like to be convinced otherwise.

So the first step towards a solution would be to enable the social-login library to support this SLO feature. (EDITED: removed wrong speculation about SLO possibly being not possible with OAuth/OIDC)

You might try SAML instead. We used to run Keycloak + DefectDojo with SAML back in the days of the old SAML integration for DefectDojo. Eventually Keycloak had to change the SAML integration to a newer one, and with that I never managed to get fields from Keycloak mapped properly to DefectDojo. The DefectDojo documentation mentions the DD_SAML2_ATTRIBUTES_MAP, but I never came to satisfying results in a k8s/helm environment. That actually was the reason why I decided to enable the DefectDojo-Keycloak OIDC path, which uses the social-auth / social-core library as mentioned at the beginning of this comment.


Suggestion: the next step would be to enable this in the python-social-auth / social-core library, then let's explore further what needs to be done to implement it. Until then, I tend to believe this is not a bug, at least not of DefectDojo itself.

If you need SLO now, then I suggest you explore the SAML way of connecting Keycloak to DefectDojo. Sounds more promising.

(updated: 2023/12/22 18:33 UTC)

oliversommer commented 10 months ago

OK, did a bit more research and these types of central logouts seem to be possible with OIDC as well. Sorry for not being an expert in this field. Still, I would say that the social-core library is the first stop to explore possible configurations, see here: https://github.com/python-social-auth/social-core/blob/master/social_core/backends/keycloak.py I am still happy to receive expert advice on how to improve this.
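To make concrete what the two halves of OIDC single logout discussed in this thread involve, here is an added illustration that is not code from DefectDojo, social-core or any commenter: building the Keycloak end-session redirect for the DefectDojo-initiated direction, and checking the claims of a back-channel logout token for the Keycloak-initiated direction. The Keycloak logout path `protocol/openid-connect/logout`, the hostnames and all token values are assumptions / constructed samples, and JWT signature verification against the realm public key is assumed to happen before the claim check.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed stand-ins for the placeholders in the reported config; not a real deployment.
AUTHORIZATION_URL = "https://keycloak.example.test/auth/realms/demo/protocol/openid-connect/auth"
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def rp_initiated_logout_url(authorization_url, id_token, post_logout_redirect_uri):
    """Derive the realm's end-session URL (assumed path .../openid-connect/logout) from the
    configured authorization URL, so a DefectDojo logout view could redirect the browser
    there and end the Keycloak session too. id_token_hint ties the request to the user's
    session; the redirect URI must be allowed on the Keycloak client."""
    parts = urlsplit(authorization_url)
    if not parts.path.endswith("/protocol/openid-connect/auth"):
        raise ValueError("unexpected Keycloak authorization URL")
    logout_path = parts.path[: -len("auth")] + "logout"
    query = urlencode({"id_token_hint": id_token,
                       "post_logout_redirect_uri": post_logout_redirect_uri})
    return urlunsplit((parts.scheme, parts.netloc, logout_path, query, ""))


def validate_logout_token_claims(claims, issuer, client_id):
    """Check the claims of an OIDC back-channel logout token (what Keycloak would POST to
    the app when the session ends elsewhere). Signature verification with the realm public
    key is assumed done already. Returns the identifiers whose local sessions to terminate."""
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    for required in ("iat", "jti"):
        if required not in claims:
            raise ValueError(f"missing {required}")
    if BACKCHANNEL_LOGOUT_EVENT not in claims.get("events", {}):
        raise ValueError("not a back-channel logout event")
    if "nonce" in claims:  # forbidden, so a logout token cannot be replayed as an ID token
        raise ValueError("nonce must not be present")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("token must carry sub or sid")
    return {"sub": claims.get("sub"), "sid": claims.get("sid")}
```

The returned `sid`/`sub` would be matched against Django sessions stored at login time; without that mapping the app has nothing to terminate when Keycloak reports the logout.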