Client initiated logout / logout propagation to oauth server #2148
Conversation
kschiffer
added
c/console
kschiffer
force-pushed
the
feature/token-session-correlation
branch
2 times, most recently
from
7fbb41c
to
361ce27
Compare
kschiffer
force-pushed
the
feature/1702-client-initiated-logout
branch
from
7116fa2
to
399f11f
Compare
kschiffer
changed the base branch from
feature/token-session-correlation
to
master
kschiffer
requested review from
bafonins,
johanstokking,
pgalic96 and
rvolosatovs
as code owners
pkg/oauth/server.go
Outdated
| @@ -79,8 +79,9 @@ type FrontendConfig struct { | |||
|
|
|||
| // Config is the configuration for the OAuth server. | |||
| type Config struct { | |||
| Mount string `name:"mount" description:"Path on the server where the OAuth server will be served"` | |||
| UI UIConfig `name:"ui"` | |||
| DefaultRedirectURI string `name:"default-redirect-uri" description:"The default URI the OAuth server will redirect to after login succeeded"` | |||
There was a problem hiding this comment.
Can we leave the "default redirect URI" feature for another PR?
There was a problem hiding this comment.
I think then it's best to disable standalone (not client-initiated) logins for the time being. Any other idea?
There was a problem hiding this comment.
I'd prefer to keep this PR scoped to one thing, and do other stuff later.
There was a problem hiding this comment.
Ok, I've reintroduced the old login handler which delets the active session, so we can show the current authenticated view of the oauth server again. Also updated the tests accordingly. We will have two logout handlers then in the interim.
kschiffer
force-pushed
the
feature/1702-client-initiated-logout
branch
from
399f11f
to
757a353
Compare
kschiffer
force-pushed
the
feature/1702-client-initiated-logout
branch
from
05843c1
to
6459389
Compare
kschiffer
force-pushed
the
feature/1702-client-initiated-logout
branch
from
84b20c4
to
3891ba3
Compare
kschiffer
added
blocking
|
Blocking #1422 |
kschiffer
force-pushed
the
feature/1702-client-initiated-logout
branch
from
146af81
to
78da59d
Compare
This was actually a bug related to the echo csrf middleware we're using, which spammed the browser with token cookies for all the routes that it was called on and hence mixing up tokens during lookup. This is now fixed. |
CHANGELOG.md
Outdated
| @@ -22,6 +22,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 | |||
| - `ns.down.data.schedule.attempt` and `ns.down.join.schedule.attempt` events, which are triggered when Network Server attempts to schedule a respective downlink on Gateway Server. | |||
| - `ns.down.data.schedule.success` and `ns.down.join.schedule.success` events, which are triggered when Network Server successfully schedules a respective downlink on Gateway Server. | |||
| - `ns.down.data.schedule.fail` and `ns.down.join.schedule.fail` events, which are triggered when Network Server fails to schedule a respective downlink on Gateway Server. | |||
| - Console logout is now propagated to the OAuth provider. | |||
| - This requires a database migration (`ttn-lw-stack is-db migrate`) because of the added columns. | |||
| - To set the `logout-redirect-uris` for existing clients, the CLI client can be used, e.g.: `ttn-lw-cli clients update console --redirect-uris "https://localhost:1885/console" --redirect-uris "http://localhost:1885/console"`. | |||
There was a problem hiding this comment.
This is not a realistic example. Realistic redirect URIs end with /console/oauth/callback and you're not giving any example for --logout-redirect-uris.
There was a problem hiding this comment.
Indeed wrong example. This should just be logout-redirect-uris instead of redirect-uris.
pkg/oauth/server.go
Outdated
| api.POST("/auth/logout", s.Logout, s.requireLogin) | ||
| api.POST("/auth/logout", s.Logout) |
There was a problem hiding this comment.
Won't this cause trouble in s.Logout for users that are not logged in?
There was a problem hiding this comment.
Indeed. This is a leftover from before #2148 (comment)
pkg/oauth/user.go
Outdated
| if err != nil { | ||
| if !errors.IsNotFound(err) { |
There was a problem hiding this comment.
This can be combined to if err != nil && !errors.IsNotFound(err) {
pkg/oauth/user.go
Outdated
| if err = s.store.DeleteAccessToken(ctx, accessTokenID); err != nil { | ||
| return err | ||
| } | ||
| s.removeAuthCookie(c) |
There was a problem hiding this comment.
We don't know that the auth cookie corresponds with the session we're deleting. If it doesn't, we may leave a session active while the user thinks it's revoked.
There was a problem hiding this comment.
I can't think of any realistic scenario where that would be the case. The user has obtained the access token using this auth cookie (session). Since our official clients tie them together, there should be no corruptions or mixups. So I think this is neglectible. In any case, we still have the old logout handler, so clients can decide for themselves.
There was a problem hiding this comment.
As discussed, the logout will now
- delete the access token
- delete the session that was associated with the access token
- delete the session associated with the current auth cookie of the user (if it differs from the sessions stored in the access token)
kschiffer
force-pushed
the
feature/1702-client-initiated-logout
branch
from
78da59d
to
fa8339d
Compare
kschiffer
force-pushed
the
feature/1702-client-initiated-logout
branch
3 times, most recently
from
3f91ee9
to
c3ed357
Compare
pkg/oauth/user.go
Outdated
| if err = s.store.DeleteSession(ctx, &at.UserIDs, at.UserSessionID); err != nil { | ||
| if !errors.IsNotFound(err) { |
There was a problem hiding this comment.
Can combine err != nil && !errors.IsNotFound(err)
kschiffer
force-pushed
the
feature/1702-client-initiated-logout
branch
from
c3ed357
to
4fe6c89
Compare
Summary
References #1422
Closes #1702
This PR will enable logout propagation from our official clients, meaning that the console logout will also result in a deletion of the session in the oauth server that was used to create the access token.
Changes
LogoutRedirectURIfield to the clients, used to check the validity of the requested redirect during the client-initiated logoutLogoutURLconfig to oauthclient util, used to trigger a logout of the oauth providerNotes for Reviewers
In order to test the setup in dev environment, it is necessary to set two new settings accordingly:
Also the console client needs to be reinitiated:
mage dev:dbStop dev:dbErase dev:dbStart dev:initStackThe flow works like this:
click to enlarge
op_logout_uri, containing the access token ID, as well as a desiredpost_logout_redirect_uriaccess_token_idquery parameter, delete the associated session of the access token and the access token itselfpost_logout_redirect_urihas been previously registered and redirect back to this URI (if nopost_logout_redirect_uriwas passed, the firstLogoutRedirectURIof the client will be usedI've kept the frontend changes in this PR to a minimum, so we can focus on the backend changes. I will follow up with a PR that does a proper refactor of the webui after this PR has been merged. This will include removing the login view, refactoring
withAuthutil component, removing unnecessary store logic and removing the landing view of the oauth app.As discussed with @htdvisser, we also plan to to federated logout (meaning logging out all currently authenticated SSO clients associated with the respective oauth session).
This would necessitate adding an
ssoflag to the client model, which will be used to determine what other clients need to be logged out. Should I also integrate this into this PR or use another scoped one?Checklist
README.md.CHANGELOG.md.CONTRIBUTING.md, there are no fixup commits left.