conwetlab / ckanext-oauth2

OAuth2 support for CKAN
GNU Affero General Public License v3.0

No Logout Configuration #32

Open SamuelBradley opened 5 years ago

SamuelBradley commented 5 years ago

There doesn't seem to be any way to configure the API call that gets made on logout, so CKAN isn't actually logging me out of my account, i.e. when I press logout and then login I am not prompted to log in again.

aitormagan commented 5 years ago

Sorry, but the behaviour you describe is the intended one. When you log out, you close your session in your CKAN instance but not in your OAuth provider.

For this reason, if you click on log in again, you will be automatically logged in, as you are already logged in to your OAuth provider.

Br Aitor


pazepaze commented 4 years ago

In my (private) fork I solved this issue for keycloak. Since OAuth2Plugin already implements IAuthenticator, if a logout() function is added to this class, it will be called on logout. The username can be retrieved using repoze.who. With the stored token for this username, the logout on keycloak can be called with a library like "python-keycloak" or "python-keycloak-client".

marcyborg commented 3 years ago

@aitormagan so in native CKAN there isn't a method that could handle this kind of issue?

@pazepaze is that implementation visible on your repo? I don't use Keycloak unfortunately, perhaps it could be useful to have a look at it.

Thanks for your attention.

pazepaze commented 3 years ago

Sure, that's how I did it:

in plugin.py

```python
class OAuth2Plugin(plugins.SingletonPlugin):
    ...

    def logout(self):
        # Called by CKAN on logout because the plugin implements IAuthenticator.
        user_name = None
        environ = toolkit.request.environ
        if 'repoze.who.identity' in environ:
            user_name = environ['repoze.who.identity']['repoze.who.userid']

        log.debug('Trying to logout user %s in keycloak...' % user_name)
        stored_token = self.oauth2helper.get_stored_token(user_name)
        if stored_token:
            try:
                # End the Keycloak session tied to the stored refresh token.
                self.keycloak_openid.logout(stored_token['refresh_token'])
            except Exception:
                log.warning('Failed to logout user %s in keycloak!' % user_name)
        else:
            log.warning('No token stored for user %s' % user_name)

    ...
```

keycloak_openid is just the keycloak client instance from the python-keycloak library
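
What a provider-side logout like the one in the comment above amounts to at the HTTP level, as an added example (not code from this thread or from ckanext-oauth2): a standard-library POST of the stored refresh token to Keycloak's OpenID Connect logout endpoint, with the failure cases a logout hook has to tolerate. `build_logout_request`, `provider_logout` and the `sso.example.test` values are hypothetical names chosen for illustration.

```python
import logging
import urllib.error
import urllib.parse
import urllib.request

log = logging.getLogger(__name__)


def build_logout_request(server_url, realm, client_id, client_secret,
                         refresh_token):
    """Build the POST to Keycloak's OpenID Connect logout endpoint."""
    url = '%s/realms/%s/protocol/openid-connect/logout' % (
        server_url.rstrip('/'), urllib.parse.quote(realm, safe=''))
    # Secrets travel in the form body, never in the URL, so they stay out
    # of proxy and access logs.
    body = urllib.parse.urlencode({
        'client_id': client_id,
        'client_secret': client_secret,
        'refresh_token': refresh_token,
    }).encode('ascii')
    return urllib.request.Request(
        url, data=body, method='POST',
        headers={'Content-Type': 'application/x-www-form-urlencoded'})


def provider_logout(stored_token, send=urllib.request.urlopen, **client):
    """Return True only when Keycloak confirms the logout with HTTP 204."""
    refresh_token = (stored_token or {}).get('refresh_token')
    if not refresh_token:
        log.warning('No refresh token stored; provider session stays open')
        return False
    request = build_logout_request(refresh_token=refresh_token, **client)
    try:
        # The timeout keeps a slow identity provider from hanging logout.
        response = send(request, timeout=5)
    except OSError as exc:  # URLError and HTTPError are OSError subclasses
        log.warning('Provider logout failed: %s', exc)
        return False
    return response.status == 204


if __name__ == '__main__':
    # Constructed values; replace with the deployment's own settings.
    demo = build_logout_request('https://sso.example.test', 'demo',
                                'ckan', 'client-secret', 'refresh-token')
    print(demo.get_method(), demo.full_url)
```

On older Keycloak releases that serve everything under `/auth`, include that prefix in `server_url`.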

sanamart commented 3 years ago

Hi @pazepaze, I just have a question. I tried to use your code and I have installed `$ pip install python-keycloak` but when I run my container I keep getting the same error:

```
from keycloak import KeycloakOpenID
ImportError: No module named keycloak
```

Any ideas why this is happening?

Thanks!