[Request] Support OAuth logout #365

Closed
andrewazores opened this issue Apr 12, 2024 · 1 comment
andrewazores commented Apr 12, 2024

Describe the feature

When using oauth2_proxy for htpasswd authentication (smoketest, -helm) it should be sufficient to simply redirect the user to the oauth proxy's own /oauth2/sign_out endpoint.

When deployed in OpenShift and using the openshift-oauth-proxy (-helm with setting enabled, operator) then there is an additional redirect that must be configured.

openshift-oauth-proxy does not document it, but it appears to implement the same /oauth/sign_out mechanism; however, the default proxy path prefix is /oauth rather than /oauth2. This is configurable anyway.


https://github.com/cryostatio/cryostat3/blob/bbbbf38f7be5c9ca93e448d8f2465e6a2548173b/src/main/java/io/cryostat/security/Auth.java#L38

This endpoint should always respond with a redirect response to /oauth(2)/sign_out - either this URL should also be configurable so that the response can be adjusted for oauth2_proxy vs openshift-oauth-proxy, or else the openshift-oauth-proxy should be deployed with configuration to change its prefix to /oauth2 as well.

Then, the response should also optionally contain the rd parameter when deployed on OpenShift. This can be done either by supplying it as a configuration parameter or by automatic detection. If done by a configuration parameter then it is offloaded to the helm chart (or its user) or the operator to determine the correct endpoint URL and inject it as an environment variable. Otherwise, Cryostat 2.4 determined the logout URL like this:

https://github.com/cryostatio/cryostat/blob/788413ab750cc6dd075a8a76a22ae99982eb7eab/src/main/java/io/cryostat/net/openshift/OpenShiftAuthManager.java#L217

The domain must also be passed to the openshift-oauth-proxy's allowlist of redirect domain destinations, so perhaps it makes more sense to offload/upload this work onto the operator/helm-chart anyway, since Cryostat's own automatic detection can only determine what URL to use but cannot configure the proxy to allow it.

But first, this needs to be tested - maybe the openshift-oauth-proxy is already pre-configured to do this kind of redirect flow for OpenShift SSO automatically. It would make sense if it is.

Any other information?

No response
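As an added illustration (not Cryostat's own code, and not the implementation the issue links to), a hypothetical helper showing how a logout endpoint of the kind described above could assemble its redirect target: the sign_out prefix is configurable (oauth2_proxy vs openshift-oauth-proxy), and the optional rd destination is only emitted when its host appears in the same redirect-domain allowlist the proxy itself is configured with. The class name, constructor parameters and example hostname are assumptions for this example.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

// Hypothetical helper (example only): builds the URL a logout endpoint
// would return in the Location header of its redirect response.
public final class LogoutRedirect {
    // "/oauth2" for oauth2_proxy, "/oauth" for a default openshift-oauth-proxy
    private final String signOutPrefix;
    // Hosts that may appear in rd=; must mirror the proxy's own allowlist,
    // since the application cannot configure the proxy to accept a destination
    private final Set<String> allowedRdHosts;

    public LogoutRedirect(String signOutPrefix, Set<String> allowedRdHosts) {
        String p = signOutPrefix.endsWith("/")
                ? signOutPrefix.substring(0, signOutPrefix.length() - 1)
                : signOutPrefix;
        this.signOutPrefix = p;
        this.allowedRdHosts = allowedRdHosts;
    }

    /** Plain sign-out URL with no post-logout destination (oauth2_proxy case). */
    public String signOutUrl() {
        return signOutPrefix + "/sign_out";
    }

    /**
     * Sign-out URL carrying rd= (OpenShift case). Rejects anything that is
     * not an absolute https URL whose host is on the allowlist, so the
     * endpoint never emits a destination the proxy would refuse anyway.
     */
    public String signOutUrl(String rd) {
        URI target = URI.create(rd);
        if (!"https".equals(target.getScheme())
                || target.getHost() == null
                || !allowedRdHosts.contains(target.getHost())) {
            throw new IllegalArgumentException("rd destination not allowlisted: " + rd);
        }
        return signOutUrl() + "?rd=" + URLEncoder.encode(rd, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        var oauth2 = new LogoutRedirect("/oauth2", Set.of());
        System.out.println(oauth2.signOutUrl());
        // Constructed sample hostname for the OpenShift case
        var openshift = new LogoutRedirect("/oauth", Set.of("cryostat.example.com"));
        System.out.println(openshift.signOutUrl("https://cryostat.example.com/"));
    }
}
```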

@andrewazores andrewazores added the feat New feature or request label Apr 12, 2024
@andrewazores andrewazores self-assigned this Apr 12, 2024
@andrewazores andrewazores moved this to In Progress in 3.0.0 release Apr 12, 2024
andrewazores (Member, Author) commented:

> But first, this needs to be tested - maybe the openshift-oauth-proxy is already pre-configured to do this kind of redirect flow for OpenShift SSO automatically. It would make sense if it is.

Lucky day, it looks like this does just work out of the box!
