esnible changed the title from "OIDC logout handler" to "tenant logout handler" on Mar 28, 2022
I am experiencing this problem again. I have installed Observatorium and am using Keycloak OIDC, but misconfigured tenants.yaml or rbac.yaml.
The symptom is that Keycloak believes I am logged in, but the login user has no permissions to see Observatorium resources. / returns valid JSON, the real pages correctly return HTTP Unauthorized.
The problem is that /oidc//login redirects to Keycloak, which believes I am logged in, and redirects back without an opportunity to log in as a different user. The only way to change users is by deleting Keycloak cookies on the browser.
There is no way to log out of Observatorium.
I propose a login/logout handler
/oidc/{tenant}/logout
to be added near https://github.com/observatorium/api/blob/main/authentication/oidc.go#L160 . A similar handler will also be needed for /openshift.

This handler would set the tenant OIDC cookie to "" with expiration at 1-1-1970, and then redirect to some Observatorium path, triggering the OIDC login flow to let the user log in as someone else.

(Update: Lucas suggests reusing the login endpoint /oidc/{tenant}/login, and it seems that the functionality I need is implemented there, as long as the authentication is OIDC.)
I tried Lucas's suggestion locally. If my tenant is using OIDC, I can implement "logout" by having the trace UI visit /v1/traces/{tenant}/login, which I've redirected to /oidc/{tenant}/login. (This is oidc.go's handlerPrefix+loginRoute.)
Unfortunately this is the wrong URL if the tenant is using OpenShift -- for those I need to redirect to /openshift/tenant/login. So perhaps Observatorium could have an /{tenant}/login endpoint that redirects based on the tenant's auth provider?
If this is desired I can probably implement it.
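A sketch of the two handlers the issue asks for, written as an added example for this page; it is not the issue author's code and not observatorium/api's own implementation. It shows a /{tenant}/logout handler that expires the tenant cookie (empty value, Expires at the Unix epoch, plus Max-Age=0) and then redirects to the login route that matches the tenant's auth provider, and a /{tenant}/login dispatcher that only does the provider-based redirect. The tenant table, the cookie name observatorium_<tenant>, and the two-segment route layout are assumptions made for the example; observatorium/api takes its tenants from tenants.yaml and sets its cookie in oidc.go, which this code does not reproduce.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Auth provider per tenant. In observatorium/api this comes from tenants.yaml;
// this table is constructed sample data for the example.
var tenants = map[string]string{
	"team-a": "oidc",
	"team-b": "openshift",
}

// cookieName is an assumption: the example keys the session cookie by tenant.
func cookieName(tenant string) string { return "observatorium_" + tenant }

// loginPath maps a tenant to its provider-specific login route
// (/oidc/{tenant}/login or /openshift/{tenant}/login).
func loginPath(tenant string) (string, bool) {
	switch tenants[tenant] {
	case "oidc":
		return "/oidc/" + tenant + "/login", true
	case "openshift":
		return "/openshift/" + tenant + "/login", true
	}
	return "", false // unknown tenant or unknown provider
}

// tenantFromPath extracts {tenant} from /{tenant}/<action>.
func tenantFromPath(path, action string) (string, bool) {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] != action {
		return "", false
	}
	return parts[0], true
}

// expiredCookie is what the issue proposes: empty value, Expires at 1-1-1970.
// MaxAge=-1 serialises as Max-Age=0, which browsers honour over Expires.
func expiredCookie(name string, secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    "",
		Path:     "/",
		Expires:  time.Unix(0, 0).UTC(),
		MaxAge:   -1,
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
	}
}

// logoutHandler serves /{tenant}/logout: drop the tenant cookie and send the
// browser to the login route for the tenant's provider. The target is chosen
// server-side from the tenant table, never from a query parameter, so the
// endpoint cannot be turned into an open redirect.
func logoutHandler(w http.ResponseWriter, r *http.Request) {
	tenant, ok := tenantFromPath(r.URL.Path, "logout")
	login, known := loginPath(tenant)
	if !ok || !known {
		http.NotFound(w, r)
		return
	}
	http.SetCookie(w, expiredCookie(cookieName(tenant), r.TLS != nil))
	http.Redirect(w, r, login, http.StatusSeeOther)
}

// loginDispatchHandler serves the /{tenant}/login route the issue asks for:
// it only redirects, based on the tenant's auth provider.
func loginDispatchHandler(w http.ResponseWriter, r *http.Request) {
	tenant, ok := tenantFromPath(r.URL.Path, "login")
	login, known := loginPath(tenant)
	if !ok || !known {
		http.NotFound(w, r)
		return
	}
	http.Redirect(w, r, login, http.StatusFound)
}

// outcome is what a browser would observe from one request.
type outcome struct {
	Status   int
	Location string
	Cookie   *http.Cookie // first Set-Cookie header, nil if none
}

// roundTrip runs a handler in-process against a constructed GET request.
func roundTrip(h http.HandlerFunc, path string) outcome {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, path, nil))
	res := rec.Result()
	out := outcome{Status: res.StatusCode, Location: res.Header.Get("Location")}
	if cs := res.Cookies(); len(cs) > 0 {
		out.Cookie = cs[0]
	}
	return out
}

func main() {
	for _, p := range []string{"/team-a/logout", "/team-b/logout", "/nobody/logout"} {
		o := roundTrip(logoutHandler, p)
		fmt.Printf("GET %s -> %d Location=%q\n", p, o.Status, o.Location)
		if o.Cookie != nil {
			fmt.Printf("  Set-Cookie: %s\n", o.Cookie.String())
		}
	}
	o := roundTrip(loginDispatchHandler, "/team-b/login")
	fmt.Printf("GET /team-b/login -> %d Location=%q\n", o.Status, o.Location)
}
```

Two things worth noting when wiring this up for real. First, a 303 is used on logout so that a logout submitted by POST (the CSRF-safer shape for a state-changing endpoint) turns into a plain GET of the login route. Second, deleting the Observatorium cookie ends only Observatorium's session, not Keycloak's; that is exactly the symptom the report describes, so after this redirect Keycloak will silently authenticate the same user again unless the login request asks the provider to re-authenticate (the OpenID Connect prompt=login parameter) or the Keycloak session itself is ended, neither of which the proposal above covers.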