tenant logout handler #266

Open
esnible opened this issue Mar 28, 2022 · 2 comments
Comments

@esnible
Contributor

esnible commented Mar 28, 2022

There is no way to log out of Observatorium.

I propose a login/logout handler /oidc/{tenant}/logout to be added near https://github.com/observatorium/api/blob/main/authentication/oidc.go#L160 . A similar handler will also be needed for /openshift.

This handler would set the tenant OIDC cookie to "" with expiration at 1-1-1970, and then redirect to some Observatorium path, triggering the OIDC login flow to let the user log in as someone else.

(Update: Lucas suggests reusing the login endpoint /oidc/{tenant}/login, and it seems that the functionality I need is implemented there, as long as the authentication is OIDC.)

I tried Lucas's suggestion locally. If my tenant is using OIDC, I can implement "logout" by having the trace UI visit /v1/traces/{tenant}/login, which I've redirected to /oidc/{tenant}/login. (This is oidc.go's handlerPrefix+loginRoute.)

Unfortunately this is the wrong URL if the tenant is using OpenShift -- for those I need to redirect to /openshift/tenant/login. So perhaps Observatorium could have an /{tenant}/login endpoint that redirects based on the tenant's auth provider?

If this is desired I can probably implement it.

@esnible esnible changed the title OIDC logout handler tenant logout handler Mar 28, 2022
@esnible
Contributor Author

esnible commented Apr 6, 2022

Notes from April 6 2021 Observatorium Community Meeting

  • Separation of UI and tenancy metadata (UI does not need to compute path)
  • /login /logout
    • Each tenant has a different cookie
    • Putting tenants in the path will be then easier
  • Prem proposal: Easier for Jaeger UI - relative UI /logout/{tenant} that proxies to proper endpoint in UI.
    • Better namespaces to not have top-level matchers
    • /login/{tenant}
  • Every tenant has a specific URL

@esnible
Contributor Author

esnible commented Jun 1, 2022

Notes from June 1 Observatorium Community Meeting

I am experiencing this problem again. I have installed Observatorium and am using Keycloak OIDC, but misconfigured tenants.yaml or rbac.yaml.

The symptom is that Keycloak believes I am logged in, but the login user has no permissions to see Observatorium resources. / returns valid JSON; the real pages correctly return HTTP Unauthorized.

The problem is that /oidc//login redirects to Keycloak, which believes I am logged in, and redirects back without an opportunity to log in as a different user. The only way to change users is by deleting Keycloak cookies on the browser.
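
The sketch below is an added example, not code from observatorium/api or from the issue author. It covers the two technical points of this thread: the original proposal (a /{tenant}/logout handler that sets the tenant cookie to "" with an expiry of 1 January 1970 and then redirects, plus a provider-aware /{tenant}/login mapping for OIDC and OpenShift tenants), and the June follow-up, where clearing the local cookie is not enough because Keycloak still holds its own session and the next /oidc/{tenant}/login round-trips silently. For an OIDC tenant the handler therefore redirects to the provider's end_session_endpoint (OpenID Connect RP-Initiated Logout; Keycloak publishes it in its discovery document) instead of straight back into the login flow. Everything about the tenant configuration is assumed: the `Provider` and `TenantAuth` types, the `observatorium_<tenant>` cookie name (check the constant in authentication/oidc.go), the assumption that the cookie value is the raw ID token usable as `id_token_hint`, and the kc.example / obs.example URLs in the comments.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Provider is a tenant's authentication type (this type is the example's assumption).
type Provider string

const (
	ProviderOIDC      Provider = "oidc"
	ProviderOpenShift Provider = "openshift"
)

// TenantAuth is the per-tenant configuration the handler needs (assumed shape).
type TenantAuth struct {
	Provider           Provider
	EndSessionEndpoint string // OIDC end_session_endpoint from discovery; empty if none
	ClientID           string
	PostLogoutRedirect string // where the IdP sends the browser after logout
}

// tenantCookieName assumes an "observatorium_<tenant>" pattern; check authentication/oidc.go.
func tenantCookieName(tenant string) string { return "observatorium_" + tenant }

// expireTenantCookie overwrites the session cookie with an empty value that expires
// on 1 Jan 1970 (plus Max-Age=0). Path must match the original cookie's Path.
func expireTenantCookie(w http.ResponseWriter, tenant string) {
	http.SetCookie(w, &http.Cookie{
		Name:    tenantCookieName(tenant),
		Value:   "",
		Path:    "/",
		Expires: time.Unix(0, 0),
		MaxAge:  -1,
	})
}

// LoginPathFor maps a tenant to its provider-specific login route, so a UI can
// link to /{tenant}/login without knowing which provider is configured.
func LoginPathFor(tenant string, p Provider) (string, error) {
	switch p {
	case ProviderOIDC:
		return "/oidc/" + tenant + "/login", nil
	case ProviderOpenShift:
		return "/openshift/" + tenant + "/login", nil
	}
	return "", fmt.Errorf("tenant %q: unsupported provider %q", tenant, p)
}

// EndSessionURL builds an OpenID Connect RP-Initiated Logout request. Recent Keycloak
// releases require id_token_hint or client_id alongside post_logout_redirect_uri.
func EndSessionURL(endpoint, idTokenHint, postLogoutRedirectURI, clientID string) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if idTokenHint != "" {
		q.Set("id_token_hint", idTokenHint)
	}
	if postLogoutRedirectURI != "" {
		q.Set("post_logout_redirect_uri", postLogoutRedirectURI)
	}
	if clientID != "" {
		q.Set("client_id", clientID)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// LogoutHandler serves /{tenant}/logout: it expires the local cookie and, for an OIDC
// tenant with an end_session_endpoint, sends the browser there so the IdP session ends
// too; other tenants are sent straight to their provider's login route.
func LogoutHandler(tenants map[string]TenantAuth) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		cfg, ok := tenants[parts[0]]
		if len(parts) != 2 || parts[1] != "logout" || !ok {
			http.NotFound(w, r) // unknown tenant or path: reveal nothing
			return
		}
		tenant := parts[0]
		var idToken string // assumption: the cookie value is the raw ID token
		if c, err := r.Cookie(tenantCookieName(tenant)); err == nil {
			idToken = c.Value
		}
		expireTenantCookie(w, tenant)
		target, err := LoginPathFor(tenant, cfg.Provider)
		if cfg.Provider == ProviderOIDC && cfg.EndSessionEndpoint != "" {
			target, err = EndSessionURL(cfg.EndSessionEndpoint, idToken, cfg.PostLogoutRedirect, cfg.ClientID)
		}
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		http.Redirect(w, r, target, http.StatusSeeOther)
	})
}
```

Two caveats for anyone wiring this in: the deletion cookie only takes effect if its Name, Path (and Domain, if one was set) match the cookie the OIDC handler originally issued, otherwise the browser keeps the old one; and if the deployment does not want to end the Keycloak session for every client, the alternative is to keep the local redirect but add `prompt=login` to the authorization request, which OpenID Connect Core defines as forcing the provider to re-prompt for credentials even when it already has a session.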
