Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for SSO logout #4455

Closed
2 tasks done
Tracked by #4450
danielkelemen opened this issue Jun 24, 2024 · 5 comments
Closed
2 tasks done
Tracked by #4450

Add support for SSO logout #4455

danielkelemen opened this issue Jun 24, 2024 · 5 comments
Assignees
@gbetances089
Labels
scope:authorization DRI: Tobias scope:run Changes to the Run distribution. scope:spring-boot Changes to the Spring Boot starter. type:subtask Issues that are subtasks of another issue. Must always be part of the breakdown of the parent issue. version:7.22.0-alpha6 version:7.22.0

Comments

@danielkelemen
Copy link
Member

danielkelemen commented Jun 24, 2024
edited
Loading

Acceptance Criteria (Required on creation)

  • Implement SSO logout.
  • Extend the frontend so that the logout URL can be configured.
  • Document the new config.
    • Also add that it should be /logout for Spring Security/oauth2.
  • Add a config property that determines if SSO or normal logout is needed.
  • Tests. Moved to a separate ticket.

Hints

Links

Breakdown

PRs
Beta Give feedback
  1. feat(oauth2): add sso logout support #4604
    ci:run ci:spring-boot
    danielkelemen
  2. feat(oauth2): improve logging with token name #4638
    danielkelemen
@danielkelemen danielkelemen mentioned this issue Jun 24, 2024
Closed
1 task
@danielkelemen danielkelemen added type:subtask Issues that are subtasks of another issue. Must always be part of the breakdown of the parent issue. scope:run Changes to the Run distribution. scope:spring-boot Changes to the Spring Boot starter. scope:authorization DRI: Tobias potential:7.22.0 labels Jun 24, 2024
@Bragolgirith Bragolgirith mentioned this issue Aug 23, 2024
Closed
@tasso94
Copy link
Member

tasso94 commented Sep 6, 2024

Hey @danielkelemen,

I think #4585 is much more important.
Could you have a look at this first?

danielkelemen added a commit that referenced this issue Sep 13, 2024
@danielkelemen
feat(oauth2): add sso logout support
d63b7d1 
#4455
@danielkelemen danielkelemen mentioned this issue Sep 13, 2024
Merged
@danielkelemen
Copy link
Member Author

danielkelemen commented Sep 16, 2024
edited
Loading

Spring Security & Webapps logout

Spring Security has a default /logout (configurable) endpoint that takes care of the logout. With SSO logout, this clears the session and redirects to the provider's page for a full logout. Which means this call needs to be a page load, not just an async (AJAX) request.
Right now our Webapps exeute an async logout call, then forwards the user to the login page.

Solution

Create a logout plugin that overrides the default logout button. This can be done in multiple ways:

  1. Create a plugin point.
    • Cons: Higher effort.
  2. Intercept XHR request for logout and forward to Spring /logout.
    • Cons: Kind of hacky and it results in weird console errors.
  3. Listen to URL changes and forward to Spring /logout.
    • Cons: Kind of hacky and it results in multiple redirects which is not nice UX.
  4. Replace logout DOM.

@danielkelemen danielkelemen mentioned this issue Sep 16, 2024
Closed
1 task
@danielkelemen
Copy link
Member Author

danielkelemen commented Sep 18, 2024
edited
Loading

Dev2QA

SSO logout forwards the user to Okta for full logout then to the postLogoutRedirectUri.
With these properties you can enable SSO logout:

camunda.bpm.oauth2:
  sso-logout:
    enabled: true
    postLogoutRedirectUri: https://camunda.com/

Notes:

  • Normal logout shouldn't log out the user from Okta.
    • It still uses the Spring logout, so it will show a Spring logout page.
  • After SSO logout the user should be logged out from Camunda & Okta.
  • SSO logout should work from all Webapps.
  • Should work in both Run & Spring Boot.

danielkelemen added a commit that referenced this issue Sep 19, 2024
@danielkelemen
feat(oauth2): add sso logout support
aaf9ace 
#4455
@yanavasileva
Copy link
Member

It still uses the Spring logout, so it will show a Spring logout page.

That feels weird as I see "You have been signed out" but I am not. But we can improve this later if we get feedback.

image

@venetrius venetrius assigned danielkelemen and unassigned venetrius Sep 19, 2024
danielkelemen added a commit that referenced this issue Sep 19, 2024
@danielkelemen
feat(oauth2): add sso logout support (#4604)
8d843b4 
#4455
danielkelemen added a commit that referenced this issue Sep 19, 2024
@danielkelemen
fix(oauth2): update property javadoc
47dedf1 
#4455
@danielkelemen danielkelemen mentioned this issue Sep 19, 2024
Merged
danielkelemen added a commit that referenced this issue Sep 20, 2024
@danielkelemen
feat(oauth2): improve logging with token name (#4638)
32eb281 
#4455
@gbetances089
Copy link
Member

This was tested on both camunda-bpm-run-ee-7.22.0-20240919.175253-98 and spring boot.

hauptmedia added a commit to hauptmedia/operaton that referenced this issue Nov 10, 2024
@hauptmedia
feat(oauth2): add sso logout support (#4604)
af7d194 
camunda/camunda-bpm-platform#4455

Backported commit 8d843b4bee from the camunda-bpm-platform repository.
Original author: Daniel Kelemen <[email protected]>
@hauptmedia hauptmedia mentioned this issue Nov 10, 2024
Merged
javahippie pushed a commit to operaton/operaton that referenced this issue Nov 11, 2024
@hauptmedia @javahippie
feat(oauth2): add sso logout support (#4604)
fc925bf 
camunda/camunda-bpm-platform#4455

Backported commit 8d843b4bee from the camunda-bpm-platform repository.
Original author: Daniel Kelemen <[email protected]>
hauptmedia added a commit to hauptmedia/operaton that referenced this issue Nov 11, 2024
@hauptmedia
feat(oauth2): improve logging with token name (#4638)
a360d82 
camunda/camunda-bpm-platform#4455

Backported commit 32eb28133f from the camunda-bpm-platform repository.
Original author: Daniel Kelemen <[email protected]>
@hauptmedia hauptmedia mentioned this issue Nov 11, 2024
Merged
javahippie pushed a commit to operaton/operaton that referenced this issue Nov 12, 2024
@hauptmedia @javahippie
feat(oauth2): improve logging with token name (#4638)
19b52c0 
camunda/camunda-bpm-platform#4455

Backported commit 32eb28133f from the camunda-bpm-platform repository.
Original author: Daniel Kelemen <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gbetances089 gbetances089

Labels
scope:authorization DRI: Tobias scope:run Changes to the Run distribution. scope:spring-boot Changes to the Spring Boot starter. type:subtask Issues that are subtasks of another issue. Must always be part of the breakdown of the parent issue. version:7.22.0-alpha6 version:7.22.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@gbetances089 @tasso94 @danielkelemen @venetrius @yanavasileva @psavidis