Describe the bug
After integrating Keycloak for OAuth2 authentication in pgAdmin, logging out triggers a GET /oauth2/logout request. However, this results in a 400 Bad Request error due to a missing CSRF session token, as observed in the console logs. This issue prevents a proper logout process, potentially affecting security and user experience.
To Reproduce
Steps to reproduce the behavior:
1. Log in to pgAdmin with Keycloak OAuth2 authentication as "adminuser".
2. Initiate a logout; do not close the browser.
3. Observe the error in the console.
4. Try logging in again with the browser still open: the user is still logged in.
Expected behavior
The logout process should complete without errors, properly invalidating the session and requiring re-authentication for access.
Actual behaviour
The console logs a "400 Bad Request: The CSRF session token is missing." error during the logout process, indicating a failure in CSRF token handling.
pgadmin | 2024-03-05 11:58:42,190: ERROR pgadmin: 400 Bad Request: The CSRF session token is missing.
...
pgadmin | flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF session token is missing.
Desktop:
OS: Windows 11
Browser: Chrome
Version: 122.0.6261.95 (Official Build) (64-bit)
Additional context
At the moment, advising users to close their browser or use incognito mode serves as a temporary workaround. However, since pgAdmin is currently running on a local stack, this issue primarily affects users in their local development or testing environments.
It's important to note that relying on users to manage their session state by closing browsers or using incognito mode is not ideal from a usability or security perspective.