Can't logout #56
Comments
@fredericseiler thanks for the report. What OS/browser are you using? Is it Chrome? Are you logged into the browser itself by any chance? |
Windows 7 and Chrome 71.0.3578.98. I'm logged into Chrome with my corp G Suite account, not my test account. |
Is your corp G Suite account in the same domain as your test account? Does the behavior change if you sign out of your corp G Suite account? |
Let's call my corp account corp.com and my test account test.com. I'm using test.com in Vouch and Google OAuth. When you go to google.com/accounts/logout, you log out from every logged-in Google account (and break the sync with Chrome). |
Hmm, I cannot reproduce the behavior. Is this a change in behavior that you've noticed between versions? Could you please provide a redacted |
And your nginx.conf (redacted) would be helpful as well |
I can't tell about any previous version, I just tried Vouch today.

Vouch vhost:

```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name vouch.test.com;
    location / {
        include proxy.conf;
        proxy_pass http://192.168.0.1:9090;
    }
}
```

oauth.conf included in every secured vhost:

```nginx
auth_request /validate;
location = /validate {
    proxy_pass https://vouch.test.com;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
    auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
    auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
    auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
}
error_page 401 = @error401;
location @error401 {
    return 302 https://vouch.test.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
}
```

config.yml:

```yaml
vouch:
  domains:
    - test.com
oauth:
  provider: google
  client_id: [...]
  client_secret: [...]
  callback_urls:
    - https://vouch.test.com/auth
  preferredDomain: test.com
```

Logs are coming. |
Common nginx settings for my vhosts (including Vouch):

```nginx
client_max_body_size 0;
client_body_buffer_size 128k;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
client_body_timeout 30;
client_header_timeout 10;
keepalive_timeout 30;
send_timeout 60;
keepalive_requests 100;
access_log off;
proxy_buffers 32 4k;
proxy_connect_timeout 7d;
proxy_read_timeout 7d;
proxy_send_timeout 7d;
proxy_http_version 1.1;
proxy_redirect / $scheme://$server_name/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-HTTPS $https;
proxy_set_header X-Real-Port $remote_port;
proxy_set_header X-Server-IP $server_addr;
proxy_set_header X-Server-Port $server_port;
proxy_set_header Origin "$scheme://$host";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
```

|
your config looks generally correct to my eyes things to try..
|
Do you see the same behavior with Firefox or any other browser? |
If I disable my browser cache and go to vouch.test.com/logout and then back to myapp.test.com, the redirections are working: myapp > vouch/login > google/auth > vouch/auth > myapp

With the cache enabled, the first request is loaded from disk cache and subsequent XHR queries are redirected to Vouch and fail silently (canceled) when redirected to Google.

So, my bad. Next step: tweaking nginx cache headers...

Anyway, is there a way to log out a user from Vouch and redirect him to the Google account chooser instead of the auto-login process? |
I can't reproduce the behavior you're describing. I am prompted for
account selection with Google as is expected. Are you logged into the
browser?
On Wed, Jan 23, 2019, 8:26 AM Frederic Seiler ***@***.*** wrote:

> If I disable my browser cache and go to vouch.test.com/logout and then
> back to myapp.test.com, the redirections are working : myapp >
> vouch/login > google/auth > vouch/auth > myapp
>
> With the cache enabled, the first request is loaded from disk cache and
> subsequent xhr queries are redirected to Vouch and fails silently
> (canceled) when redirected to google.
>
> So, my bad. Next step : tweaking nginx cache headers...
>
> Anyway, is there a way to log out a user from Vouch and redirect him to
> google account chooser instead of the auto-login process ?
|
I'm logged into the browser with user@corp.com but I'm testing Vouch with user@test.com, so I don't think it's an issue. My steps (with cache disabled) :
I don't have any prompt for account selection between steps 12 and 13, as you can see in this screenshot (beginning at step 10) : |
Do you see the same behavior with a different browser? |
and, can you comment out |
Nice catch ! When calling Google OAuth with the Host Domain Without the Is there a way to override the Google provider |
I wonder what would happen by setting You could try to config |
With With About But I'm having a 400 Bad Request when redirected to Vouch :
I'm not quite sure about the URLs to call:

```yaml
auth_url: https://accounts.google.com/o/oauth2/v2/auth?prompt=select_account%20consent
token_url: https://www.googleapis.com/oauth2/v4/token
user_info_url: https://www.googleapis.com/oauth2/v2/userinfo
scopes:
  - openid
  - email
  - profile
```

Any thoughts? |
```yaml
vouch:
  domains:
    - test.com
oauth:
  provider: oidc
  client_id: [...].apps.googleusercontent.com
  client_secret: [...]
  auth_url: https://accounts.google.com/o/oauth2/v2/auth?prompt=select_account%20consent
  token_url: https://oauth2.googleapis.com/token
  user_info_url: https://openidconnect.googleapis.com/v1/userinfo
  scopes:
    - openid
    - email
    - profile
  callback_url: https://vouch.test.com/auth
  #preferredDomain: test.com
```

With those settings, I can protect my apps with Google Account Chooser. Thanks @bnfinet and the Vouch team!

For anyone interested, to log out of your app, add the following to your nginx vhost config file:

```nginx
location = /logout {
    return 302 https://vouch.test.com/logout?url=$scheme://$http_host;
}
```

|
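The caching symptom reported earlier in the thread (a protected page replayed from the browser's disk cache after logout) and the logout location above can be handled together in the protected vhost. This is an added sketch, not configuration from the thread participants or the Vouch project; `myapp.test.com` and the upstream address are assumed placeholders, and certificate directives are left out as in the thread's own vhost.

```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name myapp.test.com;              # assumed name of a protected app

    # From the thread: auth_request /validate, location = /validate, @error401
    include oauth.conf;

    location / {
        include proxy.conf;
        proxy_pass http://192.168.0.2:8080;  # constructed upstream address

        # Drop whatever caching policy the app sends and forbid storage, so the
        # browser must re-request the page and auth_request runs on every load
        # instead of a copy being replayed from disk cache after logout.
        proxy_hide_header Cache-Control;
        proxy_hide_header Expires;
        add_header Cache-Control "no-store" always;
    }

    # Logout entry point from the thread. "return" runs in the rewrite phase,
    # before auth_request, so it still answers once the session is gone.
    location = /logout {
        # add_header directives are inherited from the enclosing level only
        # when a location defines none of its own; stating the policy per
        # location keeps it visible.
        add_header Cache-Control "no-store" always;
        return 302 https://vouch.test.com/logout?url=$scheme://$http_host;
    }
}
```

Static assets lose browser caching under this policy; scope the first `location` more narrowly if that matters.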
Hi,
I tried the following :
But I still can access my app. Is there any way to logout ?