search

ubccr / mokey

FreeIPA self-service account management portal
BSD 3-Clause "New" or "Revised" License
189 stars 45 forks source link

Implement hydra logout endpoint #75

Open jvinolas opened 3 years ago

jvinolas commented 3 years ago

When doing logout from a client app this is the flow happening:

  1. Logout from the app: https://hydra.server/oauth2/sessions/logout
  2. Hydra calls mokey: https://mokey.server/auth/logout (with a post_logout_redirect). Here Hydra expects a flow as is setting a logout_challenge parameter on url (as stated in the documentation: https://www.ory.sh/hydra/docs/concepts/logout/)
  3. Looking at the code, mokey doesn't follow that flow and seems to just revoke Hydra authentication: https://github.com/ubccr/mokey/blob/04fcefd4fb14f9cd348a22efdbdd3a001167a07b/server/auth.go#L90 and after that just redirects to /auth/login https://github.com/ubccr/mokey/blob/04fcefd4fb14f9cd348a22efdbdd3a001167a07b/server/auth.go#L99 but, as it has no login_challenge as when it comes from an app, it will not follow the OpenID flow to the app again.

As stated on hydra documentation, there is a flow and there is a post_logout_redirect_uri where the user should be redirected after logout (and also an optional logout consent page). As I understand mokey should get that post redirect parameter from the logout flow from hydra and in the end redirect there (to the app), so when the user wants to log in again, the app will redirect with the login_challenge parameter from hydra (login flow).

Is the logout flow missing in mokey? Or am I misunderstanding the OpenID logout flow?

jvinolas commented 3 years ago

As a workaround now I just replaced the logout redirect in auth.go to return c.Redirect(http.StatusMovedPermanently, "https://myapp.server") and it works as the app brings back to mokey login with the login_challenge.

jvinolas commented 3 years ago

I've found that my workaround is not working as now when coming from hydra there is no mokey cookie (no sid or user found in session) and then the hydra revoke fails.

aebruno commented 3 years ago

Is the logout flow missing in mokey? Or am I misunderstanding the OpenID logout flow?

Yes, this logout flow is not implemented in mokey. Currently, the logout just revokes the hydra session using the admin api.

jvinolas commented 3 years ago

Any plans to implement it to accomplish OpenID standard with hydra? Thanks