Closed reqa closed 11 months ago
We noticed from experiment that
We are also still "logged in" after logout, even when we additionally remove the sessions in Keycloak (as admin). So that looks more like something between the user browser and keystone?
The cookie mod_auth_openidc_session seems to be the credential that keeps us logged in even after logout. That cookie remains in the browser storage, and if we remove that too, then transparent re-login is not performed any longer.
At first glance it doesn't seem to be related to the "second OIDC hop" from the Keycloak "proxy realm" to the customer-specific realm.
This suggests that maybe mod_auth_openidc either doesn't get informed of the horizon logout or it doesn't properly handle it.
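As an added illustration of the observation above (example code written for this page; it is not part of OSISM, the testbed, Horizon or mod_auth_openidc), the following Python script models the two kinds of cookies involved and checks whether a logout actually ended the SSO session. Horizon's own logout clears only its Django session cookie; the `mod_auth_openidc_session` cookie belongs to the Apache module in front of keystone, so a before/after comparison of the browser's cookies shows whether it survived. The helper that builds a relying-party logout URL uses mod_auth_openidc's documented `?logout=<url>` parameter on the OIDCRedirectURI. The host names, cookie names other than `mod_auth_openidc_session`, cookie values and the redirect URI path are assumptions made for the example.

```python
"""Added example: model the cookies involved in a Horizon -> mod_auth_openidc -> Keycloak
logout and check whether the logout really ended the SSO session.

Host names, the OIDCRedirectURI path, the Horizon cookie names and all cookie values
below are assumptions made for this example, not values from the testbed.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlencode, urlsplit, parse_qs

# Cookies that belong to the OIDC relying party (Apache mod_auth_openidc in front of
# keystone) rather than to Horizon. If one of them survives a Horizon logout, the next
# request to keystone is transparently re-authenticated without any IdP interaction.
SSO_COOKIES = ("mod_auth_openidc_session",)

# Constructed sample: what the browser stores before and after a Horizon-only logout.
COOKIES_BEFORE_LOGOUT = (
    "sessionid=h0r1z0n; csrftoken=c5rf; mod_auth_openidc_session=0f3a9c-sample"
)
COOKIES_AFTER_LOGOUT = "csrftoken=c5rf; mod_auth_openidc_session=0f3a9c-sample"


def parse_cookie_header(header: str) -> dict:
    """Parse a Cookie request header into {name: value}."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def surviving_sso_cookies(before: str, after: str) -> list:
    """Return the SSO cookie names still present, with an unchanged value, after logout."""
    b, a = parse_cookie_header(before), parse_cookie_header(after)
    return sorted(n for n in SSO_COOKIES if n in a and a[n] == b.get(n))


def logout_is_effective(before: str, after: str, idp_session_present: bool) -> bool:
    """A logout only counts when neither the RP session cookie nor the IdP session
    remains. Removing the Keycloak session alone (the admin-side experiment described
    in the thread) is not enough while the RP cookie still carries a valid session."""
    return not surviving_sso_cookies(before, after) and not idp_session_present


def build_rp_logout_url(redirect_uri: str, post_logout_url: str) -> str:
    """URL Horizon would have to send the browser to instead of only clearing its own
    session. mod_auth_openidc treats <OIDCRedirectURI>?logout=<url> as a logout
    request: it clears mod_auth_openidc_session and then sends the browser on to
    <url>, going via the provider's end_session_endpoint first when one is known."""
    return f"{redirect_uri}?{urlencode({'logout': post_logout_url})}"


def logout_target(url: str) -> str:
    """Extract the post-logout destination from an RP logout URL built above."""
    return parse_qs(urlsplit(url).query)["logout"][0]


if __name__ == "__main__":
    print("surviving SSO cookies:",
          surviving_sso_cookies(COOKIES_BEFORE_LOGOUT, COOKIES_AFTER_LOGOUT))
    print("logout effective:",
          logout_is_effective(COOKIES_BEFORE_LOGOUT, COOKIES_AFTER_LOGOUT, False))
    # Hypothetical redirect URI and post-logout target.
    print(build_rp_logout_url("https://api.testbed.osism.xyz/redirect_uri",
                              "https://api.testbed.osism.xyz/auth/login/?next=/"))
```

Run against a real deployment, the two cookie strings would come from the browser's cookie store before and after clicking Horizon's logout, and `idp_session_present` from the Keycloak admin console's session view; the sample run reproduces the situation in the thread, where the RP cookie survives and the user is re-logged-in without a password prompt.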
Maybe interesting info:
@JuanPTM has made some progress and found a creative alternative logout solution:
After today's SIG meeting, I used the proposal from @jnull to improve solution 2 into a new one.
Will need to go to osism/cfg-generics after a successful test on the testbed.
There is a merge request in the testbed to fix the logout corner cases (SIG IAM 11-08): https://github.com/osism/testbed/pull/1717
Merged
Found a new issue on a fresh testbed deploy. A PR has been created on the testbed to fix it. MR testbed
Issues:
PR has been merged
Nice, this one is done.
As a federated OIDC user, I want Horizon logout to also log out from the OIDC IdP so that I need to enter a password again instead of automatically re-using the access token from the cookie.
Current Situation: @JuanPTM has created a PoC setup with Federation to a Keycloak "Proxy realm" ("OSISM") and configuring the Keycloak extension https://github.com/sventorben/keycloak-home-idp-discovery to route the user to the customer-specific Keycloak realm based on their email.
Login Flow:
- Open https://api.testbed.osism.xyz/auth/login/?next=/ and select "Authenticate with Keycloak"
- (juanp@testbed.osism.xyz) and click on "Sign In"
Plan of work:
Definition of Ready:
Definition of Done: