Open mircea-pavel-anton opened 2 years ago
I am not part of defect dojo dev team as such, but I've been involved in providing the keycloak mapping glue code, so I am happy to take a look and see if I can help solving issues or generally support. Thanks for providing those detailed results, I will try to reproduce ASAP.
edit: if the issue is just about adding a REVOKE_TOKEN_URL then it should be fairly trivial. Will check that.
Yeah, I am not sure if it's as simple as adding the revoke token URL, but that would be the 1st place I check to see if it's an easy fix or no. By the name of it, it should be what we're looking for (I think), but it's just a guess at this point.
I'm still seeing the same error.
Bump: This is still an issue
so the thing here is: the underlying framework used for OAuth/OIDC (mentioned here) does not support these types of logouts, at least I could not see how, I would like to be convinced otherwise.
So the first step towards a solution would be to enable the social-login library to support this SLO feature. (EDITED: removed wrong speculation about SLO possibly being not possible with OAuth/OIDC)
You might try SAML instead. We used to run keycloak+defectdojo with SAML back in the days of the old SAML integration for defectdojo. Eventually keycloak had to change the SAML integration to a newer one, and with that I never managed to get fields from keycloak mapped properly to defectdojo. The defectdojo documentation mentions the DD_SAML2_ATTRIBUTES_MAP, but I never came to satisfying results in a k8s/helm environment. That actually was the reason why I decided to enable the defectdojo-keycloak OIDC path, which uses the social auth/ social-core library as mentioned at the beginning of this comment.
(EDITED: removed wrong speculation about SLO possibly being not possible with OAuth/OIDC)
Suggestion: next step would be to enable the python social auth / social core library, then let's explore further what needs to be done to implement it. Until then, I tend to believe this is not a bug, at least not of defectdojo itself.
If you need SLO now, then I suggest you explore the SAML way of connecting keycloak to defectdojo. Sounds more promising.
(updated: 2023/12/22 18:33 UTC)
ok, did a bit more research and these types of central logouts seem to be possible with OIDC as well. Sorry for not being an expert in this field. Still I would say that the social-core library is the first stop to explore possible configurations, see here: https://github.com/python-social-auth/social-core/blob/master/social_core/backends/keycloak.py I am still happy to receive experts advice on how to improve this.
Bug description
I have managed to get SSO working via Keycloak on my instance, but it seems that SLO is not working/not implemented.
While DefectDojo can use keycloak to authenticate, it seems that past that point, the 2 are not aware of each others state. Ending the keycloak session will not log out the defectdojo active user, and, similarly, logging out from defectdojo will not end the keycloak session.
Steps to reproduce keycloak session ending not logging out defectdojo:
Login with Keycloak
button.
Steps to reproduce defectdojo logout not ending keycloak session:
Login with Keycloak
button.
Expected behavior
Both apps should be aware of each other's state. Ending the keycloak session should log me out of defectdojo and defectdojo logout should cause the keycloak session to end.
Deployment method (select with an X)
Environment information
Logs
No weird logs are thrown by the defectdojo-django pod nor by the keycloak pod.
Additional context (optional)
What I have tried:
- Front Channel Logout to true
- Front Channel Logout URL to https://defectdojo.your_domain_here/logout
- Back Channel Logout URL to https://defectdojo.your_domain_here/logout
- Backchannel Logout Session Required to true
I have taken a bit of a look at the python social auth plugin that is used in the SSO integration, and it seems that there should be a REVOKE_TOKEN_URL that may do that, but I don't see it being documented as working for the keycloak integration. I haven't looked into it much more past that point.
The extraConfig params given to my defectdojo instance:
My keycloak client configuration:
Main Configuration:
Fine Grain Configuration:
Mappers:
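The two halves of single logout that the report describes as missing, written out as an added example that is neither DefectDojo's nor social-core's code: the relying party (RP) builds the redirect to Keycloak's end_session_endpoint on local logout, and it exposes a back-channel logout endpoint that validates the logout_token Keycloak POSTs and ends only the matching local sessions. The example assumes an HS256 shared key in place of the RS256 keys a real deployment fetches from the realm's JWKS endpoint (so it runs offline), a plain dict as the session store, and hypothetical names (`handle_backchannel_logout`, `validate_logout_token`, `build_end_session_url`); the issuer, client id and session values are constructed.

```python
# Added example (not DefectDojo or social-core code): OIDC single logout glue
# for an RP behind Keycloak. HS256 with a shared key stands in for Keycloak's
# RS256/JWKS signing so the block runs offline; sessions live in a dict.
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_end_session_url(end_session_endpoint, id_token, post_logout_redirect_uri, client_id):
    """RP-initiated logout: after clearing the local Django session, redirect the
    browser here so the OP ends its SSO session too. id_token_hint lets the OP
    skip its confirmation page; the redirect URI must be registered at the OP."""
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "client_id": client_id,
    })
    return f"{end_session_endpoint}?{query}"


def make_hs256_jwt(claims, key):
    """Constructed test token (stands in for a Keycloak-issued RS256 logout token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


class LogoutTokenError(ValueError):
    """Any validation failure: the endpoint answers 400 and keeps its sessions."""


def validate_logout_token(token, key, issuer, client_id, seen_jti, now=None, max_age=300):
    """Checks from OpenID Connect Back-Channel Logout 1.0, section 2.6.
    Returns (sid, sub); sessions matching sid (or, without sid, all of sub) must end."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise LogoutTokenError("malformed JWT")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise LogoutTokenError("unexpected alg")  # never accept 'none' or a downgrade
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise LogoutTokenError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise LogoutTokenError("not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60 or now - iat > max_age:
        raise LogoutTokenError("iat missing or outside the acceptance window")
    if BACKCHANNEL_EVENT not in (claims.get("events") or {}):
        raise LogoutTokenError("not a back-channel logout event")
    if "nonce" in claims:
        raise LogoutTokenError("nonce present: an ID token, not a logout token")
    sid, sub = claims.get("sid"), claims.get("sub")
    if not sid and not sub:
        raise LogoutTokenError("neither sid nor sub present")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise LogoutTokenError("jti missing or replayed")
    seen_jti.add(jti)
    return sid, sub


def handle_backchannel_logout(form_body, sessions, key, issuer, client_id, seen_jti, now=None):
    """The view behind Keycloak's Back Channel Logout URL. Keycloak POSTs
    application/x-www-form-urlencoded with logout_token, server to server, so in
    Django this view is csrf_exempt and neither redirects nor renders a page.
    Returns (http_status, list of terminated session keys)."""
    token = parse_qs(form_body).get("logout_token", [None])[0]
    if not token:
        return 400, []
    try:
        sid, sub = validate_logout_token(token, key, issuer, client_id, seen_jti, now)
    except LogoutTokenError:
        return 400, []
    # Sessions are recorded as session_key -> {"sid": ..., "sub": ...} at login.
    doomed = [k for k, s in sessions.items()
              if (sid and s.get("sid") == sid) or (not sid and s.get("sub") == sub)]
    for k in doomed:
        del sessions[k]
    return 200, doomed
```

A plain logout view keyed on the browser's session cookie cannot act on this request, because Keycloak's POST carries no cookie, only the form-encoded logout_token; the Back Channel Logout URL has to reach an endpoint of this shape, and the sid claim can only be matched if the RP stored it from the ID token at login. The replay set, the iat window and the nonce check are what keep a captured or re-sent token from logging users out later.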