
Can't logout #56

Closed
fredericseiler opened this issue Jan 23, 2019 · 19 comments

@fredericseiler

Hi,

I tried the following:

  • delete VouchCookie
  • go to vouch.mydomain.com/logout
  • go to google.com/accounts/logout

But I can still access my app. Is there any way to log out?

@bnfinet
Member

bnfinet commented Jan 23, 2019

@fredericseiler thanks for the report.

What OS/browser are you using? Is it Chrome? Are you logged into the browser itself by any chance?

@fredericseiler
Author

Windows 7 and Chrome 71.0.3578.98.

I'm logged into Chrome with my corp G Suite account, not my test account.

@bnfinet
Member

bnfinet commented Jan 23, 2019

Is your corp G Suite account in the same domain as your test account? Does the behavior change if you sign out of your corp G Suite account?

@fredericseiler
Author

Let's call my corp account corp.com and my test account test.com.

I'm using test.com in Vouch and Google OAuth.

When you go to google.com/accounts/logout, you log out of every logged-in Google account (and it breaks the sync with Chrome).

@bnfinet
Member

bnfinet commented Jan 23, 2019

Hmm, I cannot reproduce the behavior. Is this a change in behavior that you've noticed between versions?

Could you please provide a redacted config.yml and the logs from your vouch-proxy session with debug enabled? You could also try running with vouch.testing: true and see if that doesn't change the behavior.

@bnfinet
Member

bnfinet commented Jan 23, 2019

And your nginx.conf (redacted) would be helpful as well.

@fredericseiler
Author

I can't tell about any previous version, I just tried Vouch today.

Vouch vhost:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name vouch.test.com;

    location / {
        include proxy.conf;
        proxy_pass http://192.168.0.1:9090;
    }
}

oauth.conf included in every secured vhost:

# Every request to this vhost is first sent to the /validate subrequest.
auth_request /validate;

location = /validate {
    # Vouch only needs the headers (cookie); drop the body of the original request.
    proxy_pass https://vouch.test.com;

    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    # Copy the headers Vouch returns into variables usable in this vhost.
    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;

    auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
    auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
    auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
}

# A 401 from /validate sends the browser to the Vouch login page, which
# redirects back to the originally requested URL after authentication.
error_page 401 = @error401;

location @error401 {
    return 302 https://vouch.test.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
}

config.yml:

vouch:
  domains:
  - test.com
  
oauth:
  provider: google
  client_id: [...]
  client_secret: [...]
  callback_urls: 
    - https://vouch.test.com/auth
  preferredDomain: test.com

Logs are coming.

@fredericseiler
Author

Common nginx settings for my vhosts (including Vouch):

client_max_body_size 0;
client_body_buffer_size 128k;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;

client_body_timeout 30;
client_header_timeout 10;
keepalive_timeout 30;
send_timeout 60;
keepalive_requests 100;

access_log off;

proxy_buffers 32 4k;

proxy_connect_timeout 7d;
proxy_read_timeout 7d;
proxy_send_timeout 7d;

proxy_http_version 1.1;

proxy_redirect / $scheme://$server_name/;

proxy_set_header Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-HTTPS $https;
proxy_set_header X-Real-Port $remote_port;

proxy_set_header X-Server-IP $server_addr;
proxy_set_header X-Server-Port $server_port;

proxy_set_header Origin "$scheme://$host";

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

@bnfinet
Member

bnfinet commented Jan 23, 2019

Your config looks generally correct to my eyes.

Things to try:

  • set vouch.testing: true and confirm you get redirected properly to vouch.test.com and then to google
  • try adding "internal" to your /validate block
  • remove include proxy.conf;
  • confirm that you can reach http://192.168.0.1:9090 and https://vouch.test.com from your nginx environment

@bnfinet
Member

bnfinet commented Jan 23, 2019

Do you see the same behavior with Firefox or any other browser?

@fredericseiler
Author

If I disable my browser cache and go to vouch.test.com/logout and then back to myapp.test.com, the redirections are working: myapp > vouch/login > google/auth > vouch/auth > myapp

With the cache enabled, the first request is loaded from disk cache and subsequent XHR queries are redirected to Vouch and fail silently (canceled) when redirected to Google.

So, my bad. Next step: tweaking nginx cache headers...

Anyway, is there a way to log out a user from Vouch and redirect them to the Google account chooser instead of the auto-login process?

@bnfinet
Member

bnfinet commented Jan 23, 2019 via email

@fredericseiler
Author

fredericseiler commented Jan 23, 2019

I'm logged into the browser with user@corp.com but I'm testing Vouch with user@test.com, so I don't think it's an issue.

My steps (with cache disabled):

  1. New Chrome session
  2. Go to myapp.test.com
  3. 302 to vouch.test.com/login
  4. 302 to Google/auth
  5. Log in to Google with user@test.com
  6. 302 to vouch.test.com/auth
  7. 302 to myapp.test.com
  8. Manually go to vouch.test.com/logout
  9. "You have been logged out" page (with some 404 errors for CSS and images; is that normal?)
  10. Go to myapp.test.com
  11. 302 to vouch.test.com/login
  12. 302 to google/auth
  13. 302 to vouch.test.com/auth
  14. 302 to myapp.test.com

I don't have any prompt for account selection between steps 12 and 13, as you can see in this screenshot (beginning at step 10):

[screenshot not reproduced]

@bnfinet
Member

bnfinet commented Jan 23, 2019

Do you see the same behavior with a different browser?

@bnfinet
Member

bnfinet commented Jan 23, 2019

And can you comment out preferredDomain: and try again, please?

@fredericseiler
Author

Nice catch!

When calling Google OAuth with the Host Domain hd: query string param, if you only have one user account registered with Google Account Chooser (AC) for the specified domain, it will be automatically used without using the AC.

Without the hd: param, the AC will only pop up if you have at least 2 accounts (on different domains?).

Is there a way to override the Google provider auth_url: setting in config.yml to add prompt=select_account consent?

@bnfinet
Member

bnfinet commented Jan 24, 2019

I wonder what would happen by setting preferredDomain: " "

You could try to configure provider: oidc and then manually set the OIDC Google endpoints with auth_url to add prompt=select_account. I'm not certain if that will work, but it would be worth a shot.

@fredericseiler
Author

With preferredDomain: " ", you have to type your e-mail and password:

[screenshot not reproduced]

With preferredDomain: "*" (as seen in the docs), the autologin is back (because I only test with G Suite accounts, not Gmail accounts).

About prompt=select_account consent, when I try with the OIDC provider, the Google OAuth URL is done right:

https://accounts.google.com/o/oauth2/v2/auth?prompt=select_account%20consent&client_id=[...].apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fvouch.test.com%2Fauth&response_type=code&scope=openid+email+profile&state=[...]

But I'm getting a 400 Bad Request when redirected to Vouch:

https://vouch.test.com/auth?state=[...]&code=[...]&scope=openid%20email%20profile%20https://www.googleapis.com/auth/plus.me%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile&authuser=1&hd=test.com&session_state=[...]&prompt=consent

json: cannot unmarshal string into Go struct field User.id of type int

I'm not quite sure about the URLs to call:

auth_url: https://accounts.google.com/o/oauth2/v2/auth?prompt=select_account%20consent
token_url: https://www.googleapis.com/oauth2/v4/token
user_info_url: https://www.googleapis.com/oauth2/v2/userinfo

scopes:
  - openid
  - email
  - profile

Any thoughts?

@fredericseiler
Author

fredericseiler commented Jan 24, 2019

Just figured it out: I needed to use v3 of the userinfo API endpoint instead of v2. Edit: I just found out about OIDC Discovery; URLs updated.

vouch:
  domains:
  - test.com
  
oauth:
  provider: oidc
  client_id: [...].apps.googleusercontent.com
  client_secret: [...]
  auth_url: https://accounts.google.com/o/oauth2/v2/auth?prompt=select_account%20consent
  token_url: https://oauth2.googleapis.com/token
  user_info_url: https://openidconnect.googleapis.com/v1/userinfo
  scopes:
    - openid
    - email
    - profile
  callback_url: https://vouch.test.com/auth
  #preferredDomain: test.com

With those settings, I can protect my apps with Google Account Chooser.

Thanks @bnfinet and the Vouch team!

For anyone interested, to log out of your app, add the following to your nginx vhost config file:

# /logout on the app clears the Vouch session and sends the browser back to this host.
location = /logout {
    return 302 https://vouch.test.com/logout?url=$scheme://$http_host;
}
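The `json: cannot unmarshal string into Go struct field User.id of type int` error reported above comes from Google's v2 userinfo endpoint returning `id` as a JSON string. The Go example below is added here and is not Vouch's code: the struct names and the two sample responses are constructed. It reproduces the mismatch, decodes the OIDC userinfo response the final config uses instead, and applies the kind of e-mail domain check a `domains:` allow list stands for once `preferredDomain` is commented out.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Constructed samples: Google's v2 userinfo returns "id" as a string; the OIDC endpoint returns "sub".
const userinfoV2 = `{"id":"110248495921238986420","email":"user@test.com","verified_email":true,"hd":"test.com"}`
const userinfoOIDC = `{"sub":"110248495921238986420","email":"user@test.com","email_verified":true,"hd":"test.com"}`

// LegacyUser is a hypothetical struct with an int id; it reproduces the unmarshal error in the thread.
type LegacyUser struct{ ID int `json:"id"` }

// OIDCUser keeps the identifier as a string, which is how OIDC defines "sub".
type OIDCUser struct {
	Sub           string `json:"sub"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

// DecodeLegacy returns the error Go produces when a string "id" meets an int field.
func DecodeLegacy(body string) (u LegacyUser, err error) {
	err = json.Unmarshal([]byte(body), &u)
	return
}

// DecodeOIDC decodes the OIDC userinfo response without a type conflict.
func DecodeOIDC(body string) (u OIDCUser, err error) {
	err = json.Unmarshal([]byte(body), &u)
	return
}

// AllowedDomain is the kind of check a domains: allow list stands for: verified e-mail on a listed domain.
// With preferredDomain (the hd hint) removed, Google may sign in corp.com users; this is what keeps them out.
func AllowedDomain(u OIDCUser, domains []string) bool {
	at := strings.LastIndex(u.Email, "@")
	if !u.EmailVerified || at < 0 {
		return false
	}
	domain := strings.ToLower(u.Email[at+1:])
	for _, allowed := range domains {
		if domain == strings.ToLower(allowed) {
			return true
		}
	}
	return false
}
```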
