[BUG] Single Sign out Keycloak OIDC #45665

Open
piyushchhajed02 opened this issue Jun 3, 2024 · 3 comments
Labels
kind/bug Issues that are defects reported by users or that we know have reached a real release

Comments

@piyushchhajed02

Rancher Server Setup

  • Rancher version: 2.8.3
  • Installation option (Docker install/Helm Chart):
    • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc): RKE2
  • Proxy/Cert Details:

Information about the Cluster

  • Kubernetes version: v1.28.8+rke2r1
  • Cluster Type (Local/Downstream): Local
    • If downstream, what type of cluster? (Custom/Imported or specify provider for Hosted/Infrastructure Provider):

User Information

  • What is the role of the user logged in? Admin
    • If custom, define the set of permissions:

Describe the bug
I have Keycloak OIDC enabled for authentication to Rancher from Keycloak. When I log out of Rancher and then try to log in again, it does not ask for credentials (the session does not get invalidated).

To Reproduce

  1. Configure Keycloak OIDC in Rancher.
  2. Login to Rancher
  3. Logout from Rancher.
  4. Retry to log in to Rancher. It would not ask for credentials.

Result
Upon logout user session is not invalidated.

Expected Result
Upon logout it should invalidate the session, and on re-login it should validate the credentials of the user.

piyushchhajed02 added the kind/bug label Jun 3, 2024
@torsten-online

Hi @piyushchhajed02.

I think when you log out of Rancher and are already logged in to Keycloak, it's normally expected and not a bug!

I tried to simulate this on my dev environment with Rancher 2.8.4 deployed:

When I log in with Keycloak OIDC / OpenID, I can then log out of Rancher.

For the final logout (invalidating the Keycloak session), it's required to visit the Keycloak logout URL/button, for example available at Keycloak-Url

I hope this information helps you solve the related "Bug/Issue".

Have a lot of Fun
Torsten

@piyushchhajed02

Ideally, when I click on the Rancher logout button it should auto-redirect to the Keycloak logout URL, so that the user session gets invalidated.

But in the current case, when I log out from Rancher and try to log in again, it directly allows the user in without asking for credentials.

@torsten-online

Correct, that means a logout from Rancher is not a logout from Keycloak. So we have here a "normal SSO behavior", when there is no option to configure a logout URL ... as it's done for Rancher.

I think you should request this as a "Feature" to configure a logout URL. As I said, it's not a bug.
Normally you can also log out of Keycloak, then you are logged out of Rancher also. That's working fine.
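
The redirect to the Keycloak logout URL requested in this thread corresponds to OIDC RP-Initiated Logout; the sketch below is an added example, not part of the thread and not Rancher's code. It builds that redirect from the IdP's discovery document. The hostnames, the `BuildLogoutURL` helper and the sample values are assumptions, and the same-host and required-hint checks are this example's own conservative choices.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Constructed sample: the two discovery fields this example reads.
const sampleDiscovery = `{
  "issuer": "https://keycloak.example.test/realms/demo",
  "end_session_endpoint": "https://keycloak.example.test/realms/demo/protocol/openid-connect/logout"
}`

type discovery struct {
	Issuer     string `json:"issuer"`
	EndSession string `json:"end_session_endpoint"`
}

// BuildLogoutURL (hypothetical helper) returns the IdP URL to send the browser to
// once the relying party has cleared its own session.
func BuildLogoutURL(discoveryJSON, idToken, returnTo, state string) (string, error) {
	var d discovery
	if err := json.Unmarshal([]byte(discoveryJSON), &d); err != nil {
		return "", err
	}
	if d.EndSession == "" {
		return "", errors.New("IdP advertises no end_session_endpoint")
	}
	// Defensive check chosen for this example: only redirect to the issuer's own host over https.
	iss, err1 := url.Parse(d.Issuer)
	end, err2 := url.Parse(d.EndSession)
	if err1 != nil || err2 != nil || end.Scheme != "https" || end.Host != iss.Host {
		return "", errors.New("end_session_endpoint must be https on the issuer host")
	}
	if idToken == "" { // the spec marks id_token_hint RECOMMENDED; this example insists on it
		return "", errors.New("id_token_hint missing: cannot identify the session to end")
	}
	q := url.Values{}
	q.Set("id_token_hint", idToken)
	q.Set("post_logout_redirect_uri", returnTo) // must be registered for the client at the IdP
	q.Set("state", state)                       // echoed back so the RP can match the return
	end.RawQuery = q.Encode()
	return end.String(), nil
}

func main() {
	u, err := BuildLogoutURL(sampleDiscovery, "eyJ.constructed.token", "https://rancher.example.test/", "xyz123")
	fmt.Println(u, err)
}
```

Without this redirect, clearing only the relying party's cookie leaves the IdP session alive, which is the silent re-login reported above.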
