Bug #16913
closed
[controller] logout error in federation configuration with login controller
100%
Description
Logged in as activated (admin) user on Tordo. Click "log out" on tordo:
https://tordo.arvadosapi.com/logout?return_to=https%3A%2F%2Fworkbench.tordo.arvadosapi.com%2F
{"errors":["configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, and Login.Test must be enabled"]}
Updated by Peter Amstutz over 4 years ago
- Logout from workbench1 only clears cookies, it doesn't revoke the token.
- The Logout route in controller only sends you to the remote cluster if you provided a v2 token to be revoked.
- Because no token is provided, it uses the "local" Connection which invokes errorLoginController.
As it happens, workbench never provides an API token to be revoked on log out. This makes the "logging out doesn't revoke tokens" long-standing behavior possible, which enables users to copy their web session token into a shell.
We will tighten up this behavior. This is covered in #16520.
For the time being, the immediate solution is to include the case where LoginCluster is set, and provide a controller that returns noopLogout.
Updated by Peter Amstutz over 4 years ago
16913-logout @ arvados|7d91fe636e1ce09697fdff28b43e4020df041f17
- Treat Login.LoginCluster as a distinct login method
- federatedLoginController performs noopLogout() like most of the other methods (this fixes the original bug)
- As a side effect, the configuration behavior has changed from "error if another method is not set" to "error if another method is set". Added a note in the upgrade notes.
Updated by Peter Amstutz over 4 years ago
- Status changed from New to In Progress
Updated by Peter Amstutz over 4 years ago
- Status changed from In Progress to Resolved
Applied in changeset arvados|c9c0706ab97753cc8517096b66057d418908cd35.
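
The configuration change described in the 16913-logout update, modelled as an added Go example (this is not the Arvados controller's code). `Config`, `choose`, `logout`, the shortened error text and the cluster ID `zzzzz` are hypothetical names and constructed values.

```go
package main

import (
	"errors"
	"fmt"
)

// Config is a hypothetical, simplified stand-in for the cluster's Login section.
type Config struct {
	Enabled      map[string]bool // local methods switched on (constructed sample data)
	LoginCluster string          // non-empty when logins are delegated to another cluster
}

var errConfig = errors.New("configuration problem: exactly one login method must be enabled")

// countLocal returns how many local methods are enabled and the last one seen.
func countLocal(c Config) (n int, name string) {
	for _, m := range []string{"Google", "OpenIDConnect", "SSO", "PAM", "LDAP", "Test"} {
		if c.Enabled[m] {
			n, name = n+1, m
		}
	}
	return
}

// choose picks the login controller; fixed=false models the reported behaviour
// (LoginCluster is not counted), fixed=true models LoginCluster as its own method.
func choose(c Config, fixed bool) (string, error) {
	n, name := countLocal(c)
	if fixed && c.LoginCluster != "" {
		n, name = n+1, "LoginCluster"
	}
	if n != 1 {
		return "", errConfig
	}
	return name, nil
}

// logout models a request with no token: the local controller does a no-op redirect.
func logout(c Config, fixed bool, returnTo string) (string, error) {
	if _, err := choose(c, fixed); err != nil {
		return "", err
	}
	return returnTo, nil
}

func main() {
	fedOnly := Config{LoginCluster: "zzzzz"} // constructed cluster ID
	fmt.Println(logout(fedOnly, false, "https://workbench.example/"))
	fmt.Println(logout(fedOnly, true, "https://workbench.example/"))
}
```

A configuration that sets both `LoginCluster` and a local method passes with `fixed=false` and is rejected with `fixed=true`, which is the upgrade-note change mentioned in the update.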