Closed michaelkarlcoleman closed 5 years ago
How about this for the logout page:
You are not yet logged out
This site is protected using Basic Auth. As a result, you must completely quit your browser in order for "logout" to occur. If after reopening your browser you are still logged in, please clear your cookies.
Actually I might remove "This site is protected using Basic Auth", as this is actually the default logout page regardless of your chosen authentication mechanism, unless the logout URL is actually changed.
That page has some interesting ideas.
I would prefer to have a better default authentication mechanism than Basic Auth, as people should be dissuaded from using it. Though I don't know of one that works well with Apache and that is not complex to install like Keycloak.
One consideration in the future is we could stick another server in between Apache and NGINX, one that does implement a default authentication that is more robust. Maybe this would also handle the complex routing rules and starting the PUNs, instead of relying on Lua modules and an Apache config that is generated from a config file, a model that I think makes it a little difficult to work with, especially for admins who are used to modifying Apache configs directly or use Puppet to manage those.
Yes, that change in wording is a good improvement, in my mind. Part of this was more confusion on my part, but I think it's worth making it clear that "you're not logged out yet!".
I agree that Basic Auth leaves a lot to be desired. Unfortunately, our auth situation is a bit complex, and this option (using mod_authnz_external and pwauth) was the fastest way forward. We'll probably circle back later to do something better.
Regarding the generated Apache config file, it's not that obvious that this is a big win over just providing an example Apache config file, with comments pointing out that some lines (like auth) will need to be duplicated in multiple sections. I've had to figure out how to hammer things through the ssl: key anyway, which might be as much work.
One refinement: Now or soon some users will be coming from Chromebooks (or Chromeboxes). The wording also might mention that such devices need to be rebooted in order to "quit" and log out.
One other thing that might be worth mentioning somewhere is that using a "private" window is a great way to make logging out easy, in the Basic Auth scenario. Close that window and you're definitely out.
@michaelkarlcoleman FYI https://github.com/OSC/ood-dashboard/pull/425
The default logout page (at least in a Basic Auth scenario) should more emphatically state that until the browser is closed, the user is still logged in (even though they've hit the logout button).
Also, I wonder if one of the techniques on this page couldn't be utilized here to log the user out without closing the browser. In particular, the javascript bookmarklet seems to work for current Chrome and Firefox, at least. Not exactly sure how to add that myself, though.
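The mechanism the bookmarklet approach relies on, as an added example that is not part of this issue thread or of the ood-dashboard code: the browser keeps Basic Auth credentials cached per realm until it quits, and one request carrying deliberately invalid credentials that the server answers with 401 is what lets some browsers discard the cached pair. The protected URL, the dummy "logout" credentials and the injectable `fetchImpl` are assumptions of this example; whether a particular browser version actually forgets the credentials has to be checked per browser, so the helper reports the server's answer instead of claiming success.

```javascript
// Added example (not ood-dashboard code): a logout helper in the spirit of
// the bookmarklet trick discussed in the thread. Browser behaviour on a
// 401 for a realm with cached credentials varies, so treat "cleared" as
// the server's verdict, not a guarantee.

const DUMMY_USER = "logout"; // constructed dummy credentials, must not exist
const DUMMY_PASS = "logout";

// Build the Authorization header for the dummy credentials
// (RFC 7617: "Basic " + base64(user ":" pass)); works in Node and browsers.
function dummyBasicAuthHeader(user = DUMMY_USER, pass = DUMMY_PASS) {
  const raw = `${user}:${pass}`;
  const b64 = typeof btoa === "function"
    ? btoa(raw)
    : Buffer.from(raw, "utf8").toString("base64");
  return `Basic ${b64}`;
}

// Turn the status of the dummy request into what the logout page should
// tell the user: only a 401 means the cached credentials were rejected.
function interpretLogoutStatus(status) {
  if (status === 401) {
    return { cleared: true,
             message: "Cached credentials rejected; you will be prompted to log in again." };
  }
  if (status >= 200 && status < 300) {
    return { cleared: false,
             message: "The request was still accepted, so the cached credentials are still in use; quit your browser to log out." };
  }
  return { cleared: false,
           message: `Unexpected response (${status}); quit your browser to log out.` };
}

// Send one request to a protected URL with the dummy credentials.
// `fetchImpl` is injectable so the logic can be exercised outside a browser.
async function clearBasicAuth(protectedUrl, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(protectedUrl, {
    method: "GET",
    cache: "no-store",          // never serve this probe from the HTTP cache
    credentials: "include",
    headers: { Authorization: dummyBasicAuthHeader() },
  });
  return interpretLogoutStatus(res.status);
}
```

In a logout page this would be wired to the page's own button, e.g. `clearBasicAuth("/pun/sys/dashboard").then(r => showMessage(r.message))`, with the "quit your browser" wording kept as the fallback.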