Closed kjee87 closed 9 months ago
And I also have another question: after CloudBeaver is loaded and started, I do see that cb-session-id is created. But the 'logout' button does not end this session; even after the tab was closed and a new tab was started, the cb-session-id is the same. What does this 'logout' button do?
Hi @kjee87! Community edition does not have support for OAuth; Enterprise edition does.
To find out what's the reason for your issue we need a description of your proxy deployment processes.
> What does this 'logout' button do?

The 'Logout' button logs out without clearing cookies.
Hello,
Here is the nginx/oauth2 configuration that I am using:
```nginx
server {
    listen 80;
    server_name localhost;

    location /oauth2/ {
        proxy_pass http://127.0.0.1:4180/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
    }

    location = /oauth2/auth {
        proxy_pass http://127.0.0.1:4180/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        auth_request_set $role $upstream_http_x_auth_request_role;
        proxy_set_header X-User $email;
        proxy_set_header X-Role user|admin;

        # if you enabled --pass-access-token, this will pass the token to the backend
        auth_request_set $token $upstream_http_x_auth_request_access_token;
        proxy_set_header X-Access-Token $token;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # When using the --set-authorization-header flag, some provider's cookies can exceed the 4kb
        # limit and so the OAuth2 Proxy splits these into multiple parts.
        # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
        # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
        auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;

        # Extract the Cookie attributes from the first Set-Cookie header and append them
        # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
        if ($auth_cookie ~* "(; .*)") {
            set $auth_cookie_name_0 $auth_cookie;
            set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
        }

        # Send both Set-Cookie headers now if there was a second part
        if ($auth_cookie_name_upstream_1) {
            add_header Set-Cookie $auth_cookie_name_0;
            add_header Set-Cookie $auth_cookie_name_1;
        }

        # cloudbeaver header
        proxy_pass http://localhost:8978/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
And this is cloudbeaver.conf that I am using:

```
{
    server: {
        serverPort: 8978,
        workspaceLocation: "workspace",
        contentRoot: "web",
        driversLocation: "drivers",
        rootURI: "/",
        serviceURI: "/api/",
        productConfiguration: "conf/product.conf",
        expireSessionAfterPeriod: 120000,
        develMode: true,
        enableSecurityManager: false,
        database: { private db connection
        }
    },
    app: {
        anonymousAccessAllowed: true,
        anonymousUserRole: "user",
        authenticationEnabled: true,
        enableReverseProxyAuth: true,
        supportsCustomConnections: false,
        publicCredentialsSaveEnabled: false,
        adminCredentialsSaveEnabled: false,
        resourceManagerEnabled: true,
        forwardProxy: true,
        redirectOnFederatedAuth: false,
        resourceQuotas: {
            dataExportFileSizeLimit: 10000000,
            resourceManagerFileSizeLimit: 500000,
            sqlMaxRunningQueries: 100,
            sqlResultSetRowsLimit: 100000,
            sqlResultSetMemoryLimit: 2000000,
            sqlTextPreviewMaxLength: 4096,
            sqlBinaryPreviewMaxLength: 261120
        },
        defaultNavigatorSettings: {
            showSystemObjects: false,
            showUtilityObjects: false,
            showOnlyEntities: false,
            mergeEntities: false,
            hideFolders: false,
            hideSchemas: false
        },
        plugins: {
        },
        defaultAuthProvider: "reverseProxy",
        enabledAuthProviders: [
            "reverseProxy"
        ],
        enabledDrivers: []
    }
}
```
When the server starts for the very first time, oauth_proxy kicks in and is able to log in and forward headers to CloudBeaver, but when the user is logged out by the logout button and tries to log in again by clicking the "login" button, nothing gets triggered.
@EvgeniaBzzz Attached nginx and cloudbeaver conf above.
Hi @kjee87 Sorry for the delay. We need some more time to figure it out. We haven't forgotten about you :)
Hi @kjee87 !
Added ability to configure reverse proxy header name and redirect URL at logout. Admin will now be able to configure all settings in .cloudbeaver.runtime, for example:

```json
"authConfigurations": [
    {
        "id": "reverseProxy",
        "provider": "reverseProxy",
        "displayName": "Reverse Proxy",
        "disabled": false,
        "iconURL": "",
        "description": "Automatically created provider after changing Reverse Proxy configuration way in 23.3.4 version",
        "parameters": {
            "first-name-header": "X-First-name",
            "user-header": "X-User",
            "team-header": "X-Team",
            "last-name-header": "X-Last-name",
            "logout-url": "https://www.google.com/"
        }
    }
]
```
Please take a look at the new version of CloudBeaver 23.3.4. Thank you for your interest in CloudBeaver!
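A check a reviewer can run over the two configurations in this thread, added here as an example (not code from CloudBeaver or from the posters): it lists the headers named in the reverseProxy `parameters` that the nginx `location /` block never overwrites with `proxy_set_header` (nginx forwards client request headers it does not redefine), and flags a `logout-url` that does not lead to oauth2-proxy's `/oauth2/sign_out`, which is what leaves the `_oauth2_proxy` cookie in place. The sample inputs are trimmed from the posts above; the function names and the rule that `logout-url` should end in `/oauth2/sign_out` are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the header-related lines of "location /" from the nginx config above.
NGINX_LOCATION = """
location / {
    auth_request /oauth2/auth;
    proxy_set_header X-User $email;
    proxy_set_header X-Role user|admin;
    proxy_pass http://localhost:8978/;
}
"""

# The reverseProxy "parameters" object from the maintainer's example.
AUTH_PARAMETERS = {
    "first-name-header": "X-First-name",
    "user-header": "X-User",
    "team-header": "X-Team",
    "last-name-header": "X-Last-name",
    "logout-url": "https://www.google.com/",
}

SIGN_OUT_PATH = "/oauth2/sign_out"  # oauth2-proxy sign-out endpoint named in the issue


def headers_set_by_proxy(nginx_text):
    """Lower-cased header names nginx overwrites via proxy_set_header; comments ignored."""
    code = re.sub(r"#.*", "", nginx_text)
    return {name.lower() for name in re.findall(r"^\s*proxy_set_header\s+(\S+)\s", code, re.M)}


def audit(nginx_text, params):
    """Return a list of findings for the reverse-proxy auth setup (empty list = clean)."""
    set_names = headers_set_by_proxy(nginx_text)
    findings = []
    for key, value in sorted(params.items()):
        # Every header the backend trusts must be set (or blanked) by the proxy itself.
        if key.endswith("-header") and value.lower() not in set_names:
            findings.append(f"{key}: {value} is not overwritten by the proxy")
    # Assumption: logout should land on oauth2-proxy's sign-out path to clear its cookie.
    if urlparse(params.get("logout-url", "")).path.rstrip("/") != SIGN_OUT_PATH:
        findings.append("logout-url does not clear the oauth2-proxy session cookie")
    return findings


if __name__ == "__main__":
    for finding in audit(NGINX_LOCATION, AUTH_PARAMETERS):
        print(finding)
```

A header can be closed off in nginx either by setting it from an `auth_request_set` variable or by blanking it with `proxy_set_header <name> "";`, which stops nginx from passing it upstream.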
I am using nginx/Oauth2 proxy on the dbeaver/cloudbeaver:latest docker image (community edition) for the authentication login. However, when the user clicks the "log out" and "log in" buttons, oauth2-proxy is not triggered until I manually delete the "_oauth2_proxy" cookie and refresh the page (therefore, nothing gets triggered when the user clicks "login"). Is there any way to redirect to "/oauth2/sign_out" to clear the oauth proxy cookie?
Please let me know if you need any additional information.