OpenNebula / one

The open source Cloud & Edge Computing Platform bringing real freedom to your Enterprise Cloud 🚀
http://opennebula.io
Apache License 2.0

Improve remote auth logout method #6526

Open mkutouski opened 8 months ago

mkutouski commented 8 months ago

Description

The Sunstone/FireEdge remote authentication method only handles the authentication of the user at the time of login. Authentication of the remote ticket is a complementary setup, which can rely on Apache/Nginx for OIDC (confirmed! thanks), following the same procedure as if we're using SAML.

Following the de-authentication issue after logout() and cookie destruction/reset or session expiration, we're considering implementing a Sunstone/FireEdge Initiated Logout ASAP. For this case, we will consider that FireEdge will be responsible for initiating the destruction of the internal security context (security session), i.e., logging out the user. After this, we will redirect the user agent to the IdP logout endpoint URL defined in the current OIDC Session Management Spec, fixing and closing the process.

Progress Status

atodorov-storpool commented 8 months ago

OIDC authentication is working with both Nginx and Apache.

But the de-authentication is another matter. On logout, Sunstone is resetting only its cookies, so a user is still authenticated via OIDC after signing out from Sunstone. Also, when the OIDC cookie expires, the reverse proxy is trying to redirect the user to the OIDC login to re-authenticate, but that is not handled in Sunstone; instead an error like "can't connect to server" is thrown. A page refresh (via F5 on the browser) returns the OIDC login.

Monkey patching main-dist.js resolves both issues, but having a proper upstream solution would be greatly appreciated.

As a bonus wish: support multiple OIDC providers, not only a single email stored in the password field ;)

jguijarroo commented 7 months ago

The Sunstone/FireEdge remote authentication method only handles the authentication of the user at the time of login. Authentication of the remote ticket is a complementary setup, which can rely on Apache/Nginx for OIDC (confirmed! thanks), following the same procedure as if we're using SAML.

Following the de-authentication issue after logout() and cookie destruction/reset or session expiration, we're considering implementing a Sunstone/FireEdge Initiated Logout ASAP. For this case, we will consider that FireEdge will be responsible for initiating the destruction of the internal security context (security session), i.e., logging out the user. After this, we will redirect the user agent to the IdP logout endpoint URL defined in the current OIDC Session Management Spec, fixing and closing the process :)