add logoutredirect URL to oauth-proxy

[deads2k]

Adds -logout-url=url-to-log-out-of-sso to be peer to https://github.com/openshift/api/blob/master/config/v1/types_console.go#L50-L63

I think this is logically comparable to https://github.com/openshift/console/blob/4efd97f82f824f56da6a1a627dbbd9d677ba9b63/frontend/public/module/auth.js#L72-L80

/assign @stlaz

/cc @jcantrill

The options for exposure are...

1. this PR which makes the redirect based on an oauth-proxy arg. Doing it like this prevents the web app from choosing a redirect URL that varies by user or by where a user is in the app itself. This is limiting, but easy.
2. create a different approach that allows a web app to go to the https://oauth-proxy/sign_out?redirect=foo. This allows webapps to choose any redirect based on any criteria. Based on a conversation with @spadgett, this requires creating a csrf token that is embedded in the page, but the logout is owned by the web app, not the oauth-proxy. That makes creating the csrf impractical.

We should go with option 1

[stlaz]

/lgtm

[deads2k]

/hold

just want to hold for manual testing before we commit.

[deads2k]

/hold

This proved the concept, but it may make more sense to accept a redirect URL as a query param alongside a CSRF token of some kind. I think I see this happening for the github logout. I suppose it is possible to provide the other option at some point in the future. I'm not familiar enough with browser repercussions to make the choice for a query param without research.

[deads2k]

The options for exposure are...

1. this PR which makes the redirect based on an oauth-proxy arg. Doing it like this prevents the web app from choosing a redirect URL that varies by user or by where a user is in the app itself. This is limiting, but easy.
2. create a different approach that allows a web app to go to the https://oauth-proxy/sign_out?redirect=foo. This allows webapps to choose any redirect based on any criteria. Based on a conversation with @spadgett, this requires creating a csrf token that is embedded in the page, but the logout is owned by the web app, not the oauth-proxy. That makes creating the csrf impractical

We should go with option 1

[deads2k]

/hold cancel

[deads2k]

This can wait until after 4.5.

[jcantrill]

LGTM. What is the value we should us or how may we discover the correct one?

[deads2k]

LGTM. What is the value we should us or how may we discover the correct one?

I think you have to have a way to accept user input into your operator. We’ve found these sign out URLs for commonly used IdPs:

1. https://github.com/logout
2. https://accounts.google.com/logout
3. http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri - from https://www.keycloak.org/docs/latest/securing_apps/index.html#logout

[sttts]

Sgtm.

[stlaz]

/lgtm
fair

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [deads2k,stlaz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[stlaz]

/hold
until 4.6 master is open

[sttts]

Master is open again.

/hold cancel

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.