2022-08-04 11:26:51 |
Alexander Litvinov |
bug |
|
|
added bug |
2022-08-04 11:27:54 |
Alexander Litvinov |
description |
When using external IDP and having relation with keystone-SAML mellon,
openstack dashboard would still have a default logout URL generated.
<a href="/auth/logout/" target="_self">
Sign Out
</a>
(sp-metadata file would have a different URL /auth/mellon/logout/)
So if the user clicks logout - session cookies are not cleaned.
The next time login with external IDP is selected, the user could log in without a password prompt.
Looking at the code, it looks like if those 3 variables are passed then a redirect could happen to a custom LOGOUT_URL
WEBSSO_ENABLED
WEBSSO_DEFAULT_REDIRECT
WEBSSO_DEFAULT_REDIRECT_LOGOUT
https://github.com/openstack/horizon/blob/a2b6e6c9bdce7323fd7876a1d22e14f8c1d42bab/openstack_auth/views.py#L250-L255
and probably WEBSSO_DEFAULT_REDIRECT_LOGOUT should be set with ?ReturnTo=URL back to /auth/logout. |
When using external IDP and having relation with keystone-SAML mellon,
openstack dashboard would still have a default logout URL generated.
<a href="/auth/logout/" target="_self">
Sign Out
</a>
(sp-metadata file would have a different URL /auth/mellon/logout/)
So if the user clicks logout - session cookies are not cleaned.
The next time login with external IDP is selected, the user could log in without a password prompt.
Looking at the code, it looks like if those 3 variables are passed then a redirect could happen to a custom LOGOUT_URL
WEBSSO_ENABLED
WEBSSO_DEFAULT_REDIRECT
WEBSSO_DEFAULT_REDIRECT_LOGOUT
https://github.com/openstack/horizon/blob/a2b6e6c9bdce7323fd7876a1d22e14f8c1d42bab/openstack_auth/views.py#L250-L255 |
|
2022-08-04 11:36:04 |
Alexander Litvinov |
bug |
|
|
added subscriber Canonical Field High |
2022-08-04 11:37:23 |
Alexander Litvinov |
description |
When using external IDP and having relation with keystone-SAML mellon,
openstack dashboard would still have a default logout URL generated.
<a href="/auth/logout/" target="_self">
Sign Out
</a>
(sp-metadata file would have a different URL /auth/mellon/logout/)
So if the user clicks logout - session cookies are not cleaned.
The next time login with external IDP is selected, the user could log in without a password prompt.
Looking at the code, it looks like if those 3 variables are passed then a redirect could happen to a custom LOGOUT_URL
WEBSSO_ENABLED
WEBSSO_DEFAULT_REDIRECT
WEBSSO_DEFAULT_REDIRECT_LOGOUT
https://github.com/openstack/horizon/blob/a2b6e6c9bdce7323fd7876a1d22e14f8c1d42bab/openstack_auth/views.py#L250-L255 |
When using external IDP and having relation with keystone-SAML mellon,
openstack dashboard would still have a default logout URL generated.
<a href="/auth/logout/" target="_self">
Sign Out
</a>
(sp-metadata file would have a different URL /auth/mellon/logout/)
So if the user clicks logout - session cookies are not cleaned.
The next time login with external IDP is selected, the user could log in without a password prompt.
Looking at the code, it looks like if those 3 variables are passed then a redirect could happen to a custom LOGOUT_URL
WEBSSO_ENABLED
WEBSSO_DEFAULT_REDIRECT
WEBSSO_DEFAULT_REDIRECT_LOGOUT
https://github.com/openstack/horizon/blob/a2b6e6c9bdce7323fd7876a1d22e14f8c1d42bab/openstack_auth/views.py#L250-L255
mod_auth_mellon supports both IdP-initiated and SP-initiated logout through the same endpoint. The endpoint is located at "/logout". "/logoutRequest" is an alias for this endpoint, provided for compatibility with version 0.0.6 and earlier of mod_auth_mellon.
To initiate a logout from your web site, you should redirect or link to "/logout?ReturnTo=". Note that the ReturnTo parameter is mandatory. For example, if the web site is located at "https://www.example.com/secret", and the mellon endpoints are located under "https://www.example.com/secret/endpoint", then the web site could contain a link element like the following:
<a href="/secret/endpoint/logout?ReturnTo=https://www.example.org/logged_out.html">Log out</a>
https://github.com/latchset/mod_auth_mellon/blob/main/README.md#logging-out |
|
2022-08-04 11:45:35 |
Nobuto Murata |
bug |
|
|
added subscriber Nobuto Murata |
2022-10-07 10:38:03 |
OpenStack Infra |
charm-openstack-dashboard: status |
New |
In Progress |
|
2023-05-26 16:57:28 |
Alex Kavanagh |
charm-openstack-dashboard: assignee |
|
Alexander Litvinov (alitvinov) |
|