Logging out from MinIO does not log out the session from Keycloak #3286

Closed
balaKarur opened this issue Apr 8, 2024 · 9 comments

Comments

@balaKarur

balaKarur commented Apr 8, 2024


Expected Behavior

When logging out from MinIO, it should also trigger a logout from Keycloak

Current Behavior

When logging out from MinIO, it does not trigger a logout from Keycloak

Possible Solution

1) When logging out from MinIO, it should log out from Keycloak also. (This feature is urgent.)
2) When logging out from MinIO, it should ask the user, "Do you need to log out from Keycloak also?" If the user says yes, then log out from Keycloak.

Steps to Reproduce (for bugs)

1) Configure MinIO for authentication using Keycloak by following the steps outlined in the MinIO documentation: [https://min.io/docs/minio/linux/operations/external-iam/configure-keycloak-identity-management.html]. Once Keycloak is updated for MinIO integration, update the Keycloak details in MinIO. Now, MinIO and Keycloak are integrated.

2) Log in to MinIO and perform a logout action. This should trigger a logout from Keycloak followed by a logout from MinIO.

Context

To achieve single sign-on (SSO), logging out from the MinIO client console should also log out from Keycloak.

Regression

I am sure this may not be a regression; maybe some configuration in MinIO needs to be updated, even to log out from Keycloak.

Your Environment

  • MinIO version used (minio --version):
    Latest minio version : quay.io/minio/minio:RELEASE.2024-03-21T23-13-43Z
    Latest keycloak : quay.io/keycloak/keycloak:24.0.2
  • Server setup and configuration:
    version: "3.8"
    services:
      minio:
        image: quay.io/minio/minio:RELEASE.2024-04-06T05-26-02Z
        container_name: minio
        volumes:
          - ./minio_data:/data
        command: server /data --console-address=":9001"
        ports:
          - 9000:9000
          - 9001:9001
        environment:
          - MINIO_ROOT_USER=admin
          - MINIO_ROOT_PASSWORD=password
          - MINIO_SERVER_URL=http://localhost:9000
          - MINIO_DOMAIN=http://localhost:9000
          - MINIO_IDENTITY_OPENID_CONFIG_URL_KEYCLOAK_PRIMARY=http://host.containers.internal:8088/kc/realms/myrealm/.well-known/openid-configuration
          - MINIO_IDENTITY_OPENID_CLIENT_ID_KEYCLOAK_PRIMARY=minio
          - MINIO_IDENTITY_OPENID_CLIENT_SECRET_KEYCLOAK_PRIMARY=SymWPBfZpbPTdeSVz4qJoC7MevG63Sat
          - MINIO_IDENTITY_OPENID_DISPLAY_NAME_KEYCLOAK_PRIMARY=MinIO OpenID Login
          #- MINIO_IDENTITY_OPENID_SCOPES_KEYCLOAK_PRIMARY=openid,preferred_username
          - MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
          - MINIO_IDENTITY_OPENID_VENDOR=keycloak
          - MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC_KEYCLOAK_PRIMARY=on
          - MINIO_IDENTITY_OPENID_SCOPES=minio-authorization
          - MINIO_IDENTITY_OPENID_KEYCLOAK_REALM=myrealm
          - MINIO_IDENTITY_OPENID_KEYCLOAK_ADMIN_URL=http://host.containers.internal:8088/kc/admin
          #- MINIO_BROWSER_REDIRECT_URL=http://localhost:9000/minio-console
          - CONSOLE_SUBPATH=/minio-console
          #- CONSOLE_MINIO_SERVER=http://localhost:9000
          #- MINIO_API_SELECT_PARQUET=on
        # restart: always

    volumes:
      minio_data:

  • Operating System and version (uname -a):
@balaKarur
Author

Hello @pjuarezd ,
Please let me know if you need any details to check the above issue.

@balaKarur
Author

Hello @pjuarezd ,
I hope this message finds you well. Did you get the time to check the reported issue above? If not, could you please take a moment to review it? Thank you.

@allanrogerr
Contributor

Looks like a duplicate of minio/operator#1969 @pjuarezd

@pjuarezd
Member

Looks like a duplicate of minio/operator#1969 @pjuarezd

those are different software, MinIO Console and Operator Console have their own IDP implementation

@pjuarezd
Member

hi @balaKarur already checked, did a test and MinIO Console actually closes the IDP session.

logout successful

If it helps, these are the settings I have in the Tenant:

  env:
    - name: MINIO_IDENTITY_OPENID_CONFIG_URL_KEYCLOAK_PRIMARY
      value: "https://kc-admin.keycloak.svc.cluster.local:8443/realms/myrealm/.well-known/openid-configuration"
    - name: MINIO_IDENTITY_OPENID_CLIENT_ID_KEYCLOAK_PRIMARY
      value: "minio-console"
    - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET_KEYCLOAK_PRIMARY
      value: "mlgZPuY9d2vUoe26XQN6CvTdQdnzRlcp" # Get secret for client
    - name: MINIO_IDENTITY_OPENID_DISPLAY_NAME_KEYCLOAK_PRIMARY
      value: "MinIO OpenID Login"
    - name: MINIO_IDENTITY_OPENID_SCOPES_KEYCLOAK_PRIMARY
      value: "email,minio-authorization"
    - name: MINIO_IDENTITY_OPENID_CLAIM_NAME_KEYCLOAK_PRIMARY
      value: "policy"
    - name: MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC_KEYCLOAK_PRIMARY
      value: "on"
    - name: MINIO_IDENTITY_OPENID_KEYCLOAK_REALM_KEYCLOAK_PRIMARY
      value: "myrealm"
    - name: MINIO_IDENTITY_OPENID_KEYCLOAK_ADMIN_URL_KEYCLOAK_PRIMARY
      value: "https://kc-admin.keycloak.svc.cluster.local:8443/kc/admin"
    - name: MINIO_BROWSER_REDIRECT_URL
      value: "https://myminio-console.tenant-1.svc.cluster.local:9443"

Make sure that you are following the docs for the Keycloak-side configuration: https://min.io/docs/minio/linux/operations/external-iam/configure-keycloak-identity-management.html

And finally, make sure that the domain names for the Keycloak service are properly set. For your logout case, pay special attention to the end_session_endpoint IDP configuration: make sure that it is reachable to MinIO and if under https, make sure to provide MinIO with the certificate to trust the remote IDP endpoint in end_session_endpoint.

Keycloak settings

@balaKarur
Author

balaKarur commented May 13, 2024

@pjuarezd
Thank you so much for your effort and time, and for sharing the environment variables.

Request note: You confirmed and closed this ticket from your side, but due to some configuration issues, I am still facing problems. I have shared all my configurations. Could you please assist?

Yes, end_session_endpoint has https:

  "end_session_endpoint": "https://in-lap0062.esi-internal.esi-group.com/kc/realms/minio_realm/protocol/openid-connect/logout",

end_session_endpoint has https so added certs. Can you please check my configuration?

This is my yaml file
  version: "3.8"
  services:
    minio:
      image: quay.io/minio/minio:RELEASE.2024-05-07T06-41-25Z
      container_name: minio
      volumes:
        - ./minio_data:/data
        - ./certs:/certs
      command: server /data --console-address=":9002"
      ports:
        - 9000:9000
        - 9002:9002
      environment:
        - MINIO_CERTS=/certs/cert.pem
        - MINIO_CERTS_KEY=/certs/privatekey.key
        - MINIO_ROOT_USER=minio_user
        - MINIO_ROOT_PASSWORD=password
        - MINIO_SERVER_URL=http://localhost:9000
        - MINIO_DOMAIN=http://localhost:9000
        - MINIO_IDENTITY_OPENID_CONFIG_URL_KEYCLOAK_PRIMARY=http://host.containers.internal:8088/kc/realms/minio_realm/.well-known/openid-configuration
        - MINIO_IDENTITY_OPENID_CLIENT_ID_KEYCLOAK_PRIMARY=minioclient
        - MINIO_IDENTITY_OPENID_CLIENT_SECRET_KEYCLOAK_PRIMARY=nVrPspagFouiPniL14ZYmShqcOusuNVZ
        - MINIO_IDENTITY_OPENID_DISPLAY_NAME_KEYCLOAK_PRIMARY=MinIO OpenID Login
        - MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
        - MINIO_IDENTITY_OPENID_VENDOR=keycloak
        - MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC_KEYCLOAK_PRIMARY=on
        - MINIO_IDENTITY_OPENID_SCOPES=minio-authorization
        - MINIO_IDENTITY_OPENID_KEYCLOAK_REALM=minio_realm
        - MINIO_IDENTITY_OPENID_KEYCLOAK_ADMIN_URL=http://host.containers.internal:8088/kc/admin

  volumes:
    minio_data:

keycloak Configuration Doc
Update keyclock with minio configurations_minio_client.docx
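
An added example, not part of the original thread and not MinIO's code: a Python check for the condition the maintainer describes above (end_session_endpoint reachable from MinIO, with a trusted certificate when it is https). The URLs are constructed samples shaped like the configuration in this thread; the function names and the `cafile` parameter are assumptions of this example.

```python
import json
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample values (shaped like the configuration in this thread, not captured data).
CONFIG_URL = "http://host.containers.internal:8088/kc/realms/myrealm/.well-known/openid-configuration"
DISCOVERY = json.dumps({"end_session_endpoint":
    "https://keycloak.example.test/kc/realms/myrealm/protocol/openid-connect/logout"})

def origin(url):
    """Return (scheme, host, port), filling in the default port for the scheme."""
    p = urlsplit(url)
    return p.scheme, (p.hostname or "").lower(), p.port or {"http": 80, "https": 443}.get(p.scheme)

def audit_logout_endpoint(config_url, discovery_json):
    """Offline check: what must hold on the MinIO host for the IDP logout call to work."""
    endpoint = json.loads(discovery_json).get("end_session_endpoint")
    if not endpoint:
        return ["missing: discovery document advertises no end_session_endpoint"]
    scheme, host, port = origin(endpoint)
    if scheme not in ("http", "https") or not host:
        return ["invalid: end_session_endpoint is not an absolute http(s) URL"]
    findings = []
    if (host, port) != origin(config_url)[1:]:
        findings.append(f"reachability: {host}:{port} is not the host used for discovery; "
                        "confirm it resolves and accepts connections from the MinIO host")
    if scheme == "https":
        findings.append(f"tls: MinIO must trust the CA that signed the certificate for {host}")
    else:
        findings.append("plaintext: the logout request travels unencrypted")
    return findings

def probe(endpoint, cafile=None, timeout=5):
    """Live check, to be run on the MinIO host: TCP connect, then TLS handshake if https."""
    scheme, host, port = origin(endpoint)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if scheme == "https":
                # cafile: path to the CA bundle given to MinIO (hypothetical path, caller-supplied)
                ctx = ssl.create_default_context(cafile=cafile)
                with ctx.wrap_socket(sock, server_hostname=host):
                    pass
        return "ok"
    except ssl.SSLCertVerificationError as exc:
        return "untrusted certificate: " + exc.verify_message
    except OSError as exc:  # DNS failure, refused connection, timeout
        return "unreachable: " + str(exc)
```

Run `probe()` from inside the MinIO container or host rather than from a workstation, since name resolution and trusted CAs can differ between the two.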

@pjuarezd
Member

hey @balaKarur

I added a header to the /api/v1/logout endpoint with debug information and the exact error message if the IDP end session endpoint cannot be reached, see this PR #3346 for more details, this will be available in future releases of MinIO to help you debug this on your environment.

I do not have a way to replicate your environment, and the one I did and shared with you does not have this problem. I closed this issue because it is not a feature request or a bug to be fixed; your case falls into configuration issues, which we already shared with you how to fix: "make sure that it is reachable to MinIO and if under https, make sure to provide MinIO with the certificate to trust the remote IDP endpoint in end_session_endpoint."

If there is more assistance needed please reach out to [email protected] with more details.

@balaKarur
Author

hello @pjuarezd,
Thanks for your effort and assistance in suggesting troubleshooting steps. Sure, I will try with the PR: #3346.

@balaKarur
Author

Hello @pjuarezd,
Thanks for your support. I resolved this issue ...
