argoproj / argo-workflows

Workflow Engine for Kubernetes
https://argo-workflows.readthedocs.io/
Apache License 2.0

Logout Redirect #12389

Open lxlxok opened 11 months ago

lxlxok commented 11 months ago

Summary

Allow configuration to redirect user to custom URL after user clicks Logout button.

Use Cases

When would you use this?

This feature will be very handy when third-party integrations for authentication are used, especially when Argo heavily relies on a third party for authentication needs.

When Okta is integrated, an Okta session will persist even after the user invalidates their session with the Logout button. There is a security risk present for as long as the Okta session remains valid, which depends on the Okta configurations/timeout.

If the app could be redirected to the Okta /logout URL, then the user-initiated logout would also invalidate the Okta session.

There could be other use cases for Logout Redirect other than this (general functionality or security). This feature request should not be confused with SSO Global Logout, which is much more complicated to implement. No response is expected after the app is redirected to the custom URL.


Message from the maintainers:

Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.

Beyond this issue:

The similar issue in https://github.com/argoproj/argo-cd/issues/4452 has been resolved in the PR https://github.com/argoproj/argo-cd/pull/4826.

terrytangyuan commented 11 months ago

This would be a good enhancement.

terrytangyuan commented 11 months ago

Would you like to work on this?

lxlxok commented 11 months ago

Sure, @terrytangyuan, I'd be glad to take on this task. Could you please assign it to me?

jorgeteixe commented 10 months ago

This feature would be very cool to have, as we use Keycloak (and also tried Cognito) and it does not log out properly in the SSO providers.

lxlxok commented 8 months ago

Argo-CD stores the id_token in cookies as seen here, enabling it to retrieve and utilize this token for id_token_hint parameters within the logout URL.

However, according to the documentation available here, Argo-Workflows opts not to provide users with an id token, instead storing only the encrypted argoClaim in cookies, as indicated here. This approach suggests that achieving equivalent functionality in Argo-Workflows might not be feasible.
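
The logout redirect discussed in this thread, as an added Go example that is not part of the issue and is not Argo Workflows or Argo CD code: it builds the redirect target from an operator-configured IdP logout URL and attaches `id_token_hint` only when the server still holds an ID token. The function name, the `example.com` hosts and the use of the OIDC `post_logout_redirect_uri` parameter are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// LogoutRedirect (hypothetical helper) returns the URL to send the browser to
// after the application has cleared its own session cookie.
//   endSession: operator-configured IdP logout endpoint
//   idToken:    raw ID token if the server kept one, "" if it did not
//   returnTo:   where the IdP should send the user afterwards, "" to omit
func LogoutRedirect(endSession, idToken, returnTo string) (string, error) {
	u, err := url.Parse(endSession)
	if err != nil {
		return "", fmt.Errorf("logout URL: %w", err)
	}
	// Accept only an absolute https URL, so a bad config value cannot turn
	// the Logout button into a redirect to javascript:, http: or a relative path.
	if u.Scheme != "https" || u.Host == "" {
		return "", errors.New("logout URL must be absolute https")
	}
	q := u.Query() // keep query parameters the operator already configured
	if idToken != "" {
		q.Set("id_token_hint", idToken)
	}
	if returnTo != "" {
		r, err := url.Parse(returnTo)
		if err != nil || r.Scheme != "https" || r.Host == "" {
			return "", errors.New("post-logout URL must be absolute https")
		}
		q.Set("post_logout_redirect_uri", returnTo)
	}
	u.RawQuery = q.Encode() // Encode percent-escapes values and sorts keys
	u.Fragment = ""
	return u.String(), nil
}

func main() {
	// Constructed sample values.
	with, _ := LogoutRedirect("https://idp.example.com/logout", "eyJ.constructed.token", "https://argo.example.com/")
	without, _ := LogoutRedirect("https://idp.example.com/logout", "", "")
	fmt.Println(with)
	fmt.Println(without)
}
```
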