Horizon logout doesn't logout federated OIDC user (in proxy realm setup)

reqa commented 1 year ago

As a federated OIDC user, I want Horizon logout to also logout from the OIDC IdP so that I need to enter a password again instead of automatic re-use the access token from the cookie.

Current Situation: @JuanPTM has created a PoC setup with Federation to a Keycloak "Proxy realm" ("OSISM") and configuring the Keycloak extension https://github.com/sventorben/keycloak-home-idp-discovery to route the user to the customer-specific Keycloak realm based on their email.

Login Flow:

Open https://api.testbed.osism.xyz/auth/login/?next=/ and select "Authenticate with Keycloak"
Click on "Sign In" in that Horizon Login page gets you redirected to Keycloak "OSISM" realm
Keycloak displays "OSISM" : "Sign in to your account" : "Username or email"
Enter your email (e.g. juanp@testbed.osism.xyz) and click on "Sign In"
Keycloak redirects you to the realm "TEST" (based on domain part of email) and asks you for the password
After entering the correct password, the redirects cascade you back to Horizon and you are logged in. Logout:
In Horizon click on "Sign Out" Re-Login:
Try to re-login int Horizon by "Authenticate with Keycloak" Expected result:
Needing to re-authenticate Actual behavior:
You are directly logged in

Plan of work:

Look into the network flow in the browser developer console to see what happens during logout.
Find out if this problem arises only with this "Proxy realm" setup or does it also affect the "traditional" Keycloak federation? (In that case: What does OpenStack say about this?)
Find out how this would need to work in theory (backchannel logout? In both OSISM and TEST realm?)
Fix it.

Definition of Ready:

[ ] User Story is small enough to be finished within one sprint
[ ] User Story is clear and understood by the whole team
[ ] Acceptance criteria are defined
[ ] Acceptance criteria are clear and understood by the whole team

Definition of Done:

[ ] All acceptance criteria are met
[ ] Changes have been reviewed
[ ] CI tests have run successfully
[ ] Documentation has been updated
[ ] Release Notes have been updated

reqa commented 1 year ago

We noticed from experiment that

We are also still "logged in" after logout, even when we additionally remove the sessions in Keycloak (as admin). So that looks more like a thing between user browser and keystone?
The cookie mod_auth_openidc_session seems to be the credential that keeps us logged in even after logout. That cookie remains in the browser storage and if we remove that too then transparent re-login is not performed any longer.
At first glance it doesn't seem to be related on the "second OIDC hop" from the Keycloak "proxy realm" to the customer-specific realm.

This suggests that maybe mod_auth_openidc either doesn't get informed of the horizon logout or it doesn't properly handle it.

Maybe interesting info:

https://github.com/OpenIDC/mod_auth_openidc/wiki#9-how-do-i-logout-users explains that the Apache module supports three different logout mechanisms: session-management, frontchannel-logout and backchannel-logout. In wsgi-kyestone conf there currently are no configuration setting that would select frontchannel or backchannel.
https://github.com/OpenIDC/mod_auth_openidc/discussions/620 probably is not our problem as we have version 2.4.11 in the current keystone container

reqa commented 1 year ago

@JuanPTM has made some progress and found a creative alternative logout solution:

https://input.scs.community/2023-scs-horizon-webslo-solution1 - doesn't work (yet)
https://input.scs.community/2023-scs-horizon-webslo-solution2 - does work in PoC