-
Notifications
You must be signed in to change notification settings - Fork 299
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Client initiated logout and new client auth flow #2122
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that this doesn't address the issue of being logged in with multiple OAuth clients. If I'm logged in to the consoles of different clusters and logout from one console, the other one is still logged in, which may be confusing.
// The allowed logout redirect URIs against which client initiated logout | ||
// requests are checked. If the authorization request does not pass a redirect | ||
// URI, the first one from this list is taken. | ||
repeated string logout_redirect_uris = 10 [(gogoproto.customname) = "LogoutRedirectURIs"]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changing the numbers of existing fields breaks API. Use a unused number for new fields.
@@ -93,6 +97,7 @@ var ( | |||
"name", | |||
"secret", | |||
"redirect_uris", | |||
"logout-redirect-uris", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Field masks use underscores
return c.NoContent(http.StatusNoContent) | ||
events.Publish(evtUserLogout(ctx, at.UserIDs, nil)) | ||
for _, session := range sessions { | ||
if err = s.store.DeleteSession(ctx, &at.UserIDs, session.SessionID); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is what a user wants. If I logout using my phone, I don't want to also be logged out from my laptop.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, I went with the easy way for now. To be able to do this, we'd need to know the session that was used when obtaining the access token. To do this, we could either:
- pass the session id to the console together with the access token
- store the session id in the access token store when creating it
Re-requesting myself for a more in-depth review later. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed code owned files only, nothing to add to @htdvisser 's comment
@@ -51,11 +52,10 @@ const user = function(state = defaultState, { type, payload }) { | |||
...state, | |||
rights: payload, | |||
} | |||
case LOGOUT_SUCCESS: | |||
case LOGOUT_FAILURE: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const { ids = {} } = user | ||
|
||
return ids.user_id | ||
return user ? ids.user_id : undefined |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure what you are trying to do here if user
is undefined
you'll get an error anyway.
const user = undefined
>> undefined
const { ids={} } = user
>> TypeError: obj is undefined
Additionally, I am not sure if should even allow the user
object to be undefined
. If it is needed, then i think such implementation makes more sense:
const user = selectUser(state) || {}
const { ids = {} } = user
return ids.user_id
} | ||
|
||
export const selectUserIsAdmin = function(state) { | ||
const user = selectUser(state) | ||
return user.isAdmin | ||
|
||
return user ? user.isAdmin : undefined |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return user ? user.isAdmin : false
// Check whether the user has at least basic rights, without which it | ||
// makes no sense to access the console | ||
Boolean(user) && | ||
!isAdmin && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the admin account can be suspended/rejected as well. the only allowed operation for a suspended admin account is to list and delete other accounts. Do we want to allow that?
Also, while checking this I also found out that you are not logged out of the console when you delete your self. Most probably this is related to https://github.com/TheThingsNetwork/lorawan-stack/pull/2122/files#r391668222
Also, see #2144
What is the status here? |
Was superseded by #2146. I'll delete the branch. |
…ge/open-source-master Merge open source
Summary
References #1422, #1086
Follow up of #2012
This PR will add client initiated logout to the oauth server. It will enable logout propagation from the webui clients to the oauth provider, basically tying the authentication of our official clients (console, account app) to the authentication of the auth provider.
Changes
logout_redirect_uris
to client schema and updatedev:init
mage target to set this value for the consolewithAuth
util component to also handle insufficient rights issueswithAuth
utilityNotes for Reviewers
The implementation is inspired by OpenID connect's client initiated logout functionality.
post_logout_redirect_uri
needs to be previously registered in the client (similar to the login redirect URI) and defines, where the logout endpoint will redirect the user after successful logout. Right now, it will just redirect back to the console root, but it could be used for specific post logout viewsIn order to test the setup in dev environment, it is necessary to set two new settings accordingly:
Also the console client needs to be reinitiated:
mage dev:dbStop dev:dbErase dev:dbStart dev:initStack
Very sorry for the text-wall but the auth specifics are quite intricate, so I wanted to provide a clear summary.
Checklist
README.md
.CHANGELOG.md
.CONTRIBUTING.md
, there are no fixup commits left.