OpenID with Keycloak for OAuth2 #7193

Closed
butterfly-thomas opened this issue Feb 7, 2024 · 9 comments

butterfly-thomas commented Feb 7, 2024

Describe the bug

When logging out from PgAdmin, the session is still open on Keycloak, hence it is impossible to log in as another user until the current session is closed.

To Reproduce

Steps to reproduce the behavior:

In the config.py:

AUTHENTICATION_SOURCES = ['oauth2','internal']

OAUTH2_CONFIG = [
    {
        'OAUTH2_NAME': 'keycloak',
        'OAUTH2_DISPLAY_NAME': 'keycloak',
        'OAUTH2_CLIENT_ID': 'pgadmin_client',
        'OAUTH2_CLIENT_SECRET': '*********************************',
        'OAUTH2_TOKEN_URL': 'https://***************/realms/*****/protocol/openid-connect/token',
        'OAUTH2_AUTHORIZATION_URL': 'https://***************/realms/*****/protocol/openid-connect/auth',
        'OAUTH2_API_BASE_URL': 'https://***************/realms/*****/protocol/openid-connect/',
        'OAUTH2_SERVER_METADATA_URL': 'https://***************/realms/*****/.well-known/openid-configuration',
        'OAUTH2_USERINFO_ENDPOINT': 'userinfo',
        'OAUTH2_SCOPE': 'openid email profile',
        'OAUTH2_USERNAME_CLAIM': 'preferred_username',
        'OAUTH2_ICON': 'fa-github'
    }
]

Expected behavior

Closing the session on Keycloak when logging out from PgAdmin

Temporary fix

Changed the redirect URI in pgadmin\authenticate\oauth2.py

@blueprint.route('/logout', endpoint="logout",
                 methods=['GET', 'POST'])
@pgCSRFProtect.exempt
def oauth_logout():
    if not current_user.is_authenticated:
        return redirect(get_safe_post_logout_redirect())

    id_token_hint = session['oauth2_token']['id_token']

    for key in list(session.keys()):
        session.pop(key)

    logout_user()

    return redirect(f'https://***************/realms/*/protocol/openid-connect/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A5050%2Flogin&id_token_hint={id_token_hint}')

Screenshots

keycloak_session
keycloak_session_lock

Request

Possibility to pass the redirect URI with parameters to ensure closing the external user provider session when logging out.

@materpillar

Hi there,

I believe this is not only a problem for Keycloak, as I am currently setting up OAuth2 with AWS Cognito as an IdP and I have the same problem.

Cheers

@Fl0r14nJ
Contributor

Fl0r14nJ commented Feb 22, 2024

Hello, someone working on it?

@khushboovashi
Contributor

> Hello, someone working on it?

If you want, you can work on it.

@Fl0r14nJ
Contributor

Fl0r14nJ commented Mar 1, 2024

can be closed?

@adityatoshniwal
Contributor

adityatoshniwal commented Mar 1, 2024

> can be closed?

It will be closed after one round of testing on the installers.

@pravesh-sharma
Contributor

Issue fixed. Verified on snapshot image for docker.

@adussarps

Hello there, I'm running into the same issue with a Keycloak SSO setup. The code seems to break when clicking on logout

i.e:

2024-07-22 18:54:40,481: ERROR  pgadmin:        'oauth2_token'
Traceback (most recent call last):
  File "/venv/lib/python3.12/site-packages/flask/app.py", line 880, in full_dispatch_request
    rv = self.dispatch_request()
         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/venv/lib/python3.12/site-packages/flask/app.py", line 865, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)  # type: ignore[no-any-return]
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 83, in oauth_logout
    id_token = session['oauth2_token'].get('id_token')
               ~~~~~~~^^^^^^^^^^^^^^^^
KeyError: 'oauth2_token'

Not too sure what's happening there for now, but just in case, can someone share the config of their Keycloak client?
I may have a misconfiguration on the logout side.

@adityatoshniwal
Contributor

> Hello there, I'm running into the same issue with a Keycloak SSO setup. The code seems to break when clicking on logout
>
> i.e:
>
> 2024-07-22 18:54:40,481: ERROR  pgadmin:        'oauth2_token'
> Traceback (most recent call last):
>   File "/venv/lib/python3.12/site-packages/flask/app.py", line 880, in full_dispatch_request
>     rv = self.dispatch_request()
>          ^^^^^^^^^^^^^^^^^^^^^^^
>   File "/venv/lib/python3.12/site-packages/flask/app.py", line 865, in dispatch_request
>     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)  # type: ignore[no-any-return]
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 83, in oauth_logout
>     id_token = session['oauth2_token'].get('id_token')
>                ~~~~~~~^^^^^^^^^^^^^^^^
> KeyError: 'oauth2_token'
>
> Not too sure what's happening there for now, but just in case, can someone share the config of their Keycloak client? I may have a misconfiguration on the logout side.

What is your pgAdmin version?

@adussarps

I'm running dpage/pgadmin4:8, which in my case corresponds to the latest version, 8.9.

Thanks for having a look!
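
Added example, not part of the thread and not pgAdmin's own code: a sketch of how a logout handler can build the IdP logout redirect from the discovery document's `end_session_endpoint` instead of a hard-coded URL, and fall back to a local logout when the session has no `oauth2_token` (the `KeyError` in the traceback above). The helper name, its parameters, and the sample metadata are hypothetical.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample of the fields used from an OpenID Connect discovery
# document (what OAUTH2_SERVER_METADATA_URL returns); host and realm are
# placeholders, not values from the issue.
SAMPLE_METADATA = {
    "issuer": "https://idp.example.test/realms/demo",
    "end_session_endpoint":
        "https://idp.example.test/realms/demo/protocol/openid-connect/logout",
}


def build_logout_redirect(session, metadata, post_logout_redirect_uri,
                          client_id, local_fallback="/login"):
    """Pick the redirect target for a logout request (hypothetical helper).

    Call it before the local session is cleared, as the id_token lives there.
    """
    # .get() instead of session['oauth2_token']: a session without an
    # OAuth2 token (the KeyError in the traceback) just logs out locally.
    token = session.get("oauth2_token")
    if not token:
        return local_fallback

    # Take the endpoint from discovery rather than hard-coding it, and only
    # follow it over HTTPS because the id_token travels in the query string.
    endpoint = metadata.get("end_session_endpoint", "")
    if urlsplit(endpoint).scheme != "https":
        return local_fallback

    params = {"post_logout_redirect_uri": post_logout_redirect_uri}
    if token.get("id_token"):
        params["id_token_hint"] = token["id_token"]
    else:
        # RP-Initiated Logout allows client_id in place of the hint.
        params["client_id"] = client_id
    return endpoint + "?" + urlencode(params)


if __name__ == "__main__":
    demo = {"oauth2_token": {"id_token": "aaa.bbb.ccc"}}  # constructed token
    print(build_logout_redirect(demo, SAMPLE_METADATA,
                                "http://localhost:5050/login", "pgadmin_client"))
    print(build_logout_redirect({}, SAMPLE_METADATA,
                                "http://localhost:5050/login", "pgadmin_client"))
```

The `post_logout_redirect_uri` value also has to be registered as a valid post-logout redirect URI on the IdP client, otherwise the IdP rejects the request.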
