oidclogout #21718
Conversation
Codecov Report: All modified and coverable lines are covered by tests ✅

@@ Coverage Diff @@
##             main   #21718      +/-   ##
==========================================
+ Coverage   45.36%   46.24%   +0.87%
==========================================
  Files         244      250       +6
  Lines       13333    14150     +817
  Branches     2719     2913     +194
==========================================
+ Hits         6049     6543     +494
- Misses       6983     7260     +277
- Partials      301      347      +46
Could you explain the difference between "oidc session" and "oidc offline session"?
securityCtx, ok := security.FromContext(cc.Context())
if !ok {
	log.Error("Failed to get security context")
	cc.CustomAbort(http.StatusInternalServerError, "Internal error.")
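Review bot: the generic "Internal error." passed to cc.CustomAbort is the right message for the client, since a missing security context means the request reached this handler without going through the security middleware, which is a server-side configuration fault the caller cannot act on; the log.Error line, however, should carry enough request context (path, request ID if the logger supports it) to find the offending request later, which the bare "Failed to get security context" message does not.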
Can we not have a precise error message, explaining what actually went wrong?
Regarding the 500 error, we used to only provide more details in the log and not expose them further.
Does exposing the error pose a threat, or might it help the user to resolve the issue himself?
According to the OpenID Connect RP-Initiated Logout specification, RP-Initiated Logout should be performed by sending a request to the end_session_endpoint with the ID token. This approach is generally defined in the OpenID specification for all IdPs to properly terminate user sessions. Based on the Keycloak documentation and what I observed, specifically the section on offline access, an offline session is treated like an active session, created during user authentication with the offline_access scope. To revoke an offline session, a POST request must be made to the revoke endpoint. Since I've only tested with Keycloak, I'm uncertain whether other IdPs follow the same flow. As this behavior isn't explicitly defined in the OpenID specification, I've included an option (checkbox) for logging out offline sessions.
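The two calls described in the comment above, as an added example in Go that is not Harbor's or Keycloak's code: the browser redirect to the end_session_endpoint carrying id_token_hint (RP-Initiated Logout), and the back-channel POST to the revocation endpoint (RFC 7009) that invalidates the refresh token behind an offline session. The endpoint paths /logout and /revoke, the client credentials and the token values are constructed for the example; a real deployment takes end_session_endpoint and revocation_endpoint from the provider's discovery document, and the FakeIdP type only stands in for the provider so the code runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// EndSessionRequest holds the parameters of an OpenID Connect RP-Initiated
// Logout request; every value used below is constructed for the example.
type EndSessionRequest struct {
	EndSessionEndpoint    string // end_session_endpoint from the provider's discovery document
	IDToken               string // ID token issued at login, sent as id_token_hint
	PostLogoutRedirectURI string // must be registered at the provider beforehand
}

// BuildEndSessionURL returns the URL the browser is redirected to so that the
// provider ends its own session (RP-Initiated Logout 1.0, section 2). Without
// id_token_hint the provider cannot tell whose session to end, so the ID token
// has to be kept for the lifetime of the Harbor session.
func BuildEndSessionURL(r EndSessionRequest) (string, error) {
	if r.EndSessionEndpoint == "" || r.IDToken == "" {
		return "", fmt.Errorf("end_session_endpoint and id_token_hint are both required")
	}
	u, err := url.Parse(r.EndSessionEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("id_token_hint", r.IDToken)
	q.Set("post_logout_redirect_uri", r.PostLogoutRedirectURI)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// RevokeRefreshToken revokes the refresh token behind an offline session at the
// provider's revocation endpoint (RFC 7009), authenticating as the client with
// client_secret_basic.
func RevokeRefreshToken(client *http.Client, revocationEndpoint, clientID, clientSecret, refreshToken string) error {
	form := url.Values{"token": {refreshToken}, "token_type_hint": {"refresh_token"}}
	req, err := http.NewRequest(http.MethodPost, revocationEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	// RFC 7009 section 2.2: 200 is returned even for unknown tokens, so it means "no longer valid", not "existed".
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("revocation endpoint returned HTTP %d", resp.StatusCode)
	}
	return nil
}

// FakeIdP is a constructed stand-in for a provider's revocation endpoint (not Keycloak, not Harbor code).
type FakeIdP struct {
	Server                 *httptest.Server
	clientID, clientSecret string
	Revoked                map[string]bool
}

func NewFakeIdP(clientID, clientSecret string) *FakeIdP {
	f := &FakeIdP{clientID: clientID, clientSecret: clientSecret, Revoked: map[string]bool{}}
	mux := http.NewServeMux()
	mux.HandleFunc("/revoke", func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != f.clientID || secret != f.clientSecret {
			w.WriteHeader(http.StatusUnauthorized) // unauthenticated clients cannot revoke
			return
		}
		tok := r.PostFormValue("token")
		if tok == "" {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		f.Revoked[tok] = true
		w.WriteHeader(http.StatusOK)
	})
	f.Server = httptest.NewServer(mux)
	return f
}

func main() {
	idp := NewFakeIdP("harbor", "constructed-secret")
	defer idp.Server.Close()
	u, err := BuildEndSessionURL(EndSessionRequest{EndSessionEndpoint: idp.Server.URL + "/logout", IDToken: "constructed.id.token", PostLogoutRedirectURI: "https://harbor.example/c/oidc/logout"})
	if err != nil {
		panic(err)
	}
	fmt.Println("1. redirect the browser to:", u)
	err = RevokeRefreshToken(idp.Server.Client(), idp.Server.URL+"/revoke", "harbor", "constructed-secret", "constructed.offline.token")
	fmt.Println("2. offline token revoked:", err == nil && idp.Revoked["constructed.offline.token"])
}
```

Two points the code makes explicit: the end-session step is a browser redirect, so the ID token has to be stored server-side for as long as the Harbor session lives, and the revocation step is authenticated with the client secret, so an unauthenticated caller cannot revoke someone else's offline session. A 200 from the revocation endpoint only tells you the token is no longer valid, which is why the fake provider records what it revoked instead of relying on the status code alone.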
Force-pushed from bb9a4e4 to 06dbd3c
I need to look into the details of the code for other parts, but IMO in this release we don't need to distinguish "OIDC session" and "offline session". I don't think of a use case where the user wants to end his "OIDC session" but keep the "offline session". I think we should just provide the option for the user to end the "OIDC session" when he logs out from Harbor, and we always end the "offline session" when the "OIDC session" is terminated. This seems intuitive enough for me, and we won't need to debug the corner case where a user logs out without ending the "offline session" and logs in again, where the ID provider may or may not terminate the existing offline session, which may impact the use case for "CLI secret".
Sure, I will remove the option for logging out the offline session and treat it as a "nice-to-have" flow.
enable oidc session logout
1, give the option of logging out user session from OIDC provider.
2, give the option of logging out user offline session from OIDC provider.
Signed-off-by: wang yan <[email protected]>
Force-pushed from 34a5c0d to e88adfe
Force-pushed from f4af7d2 to 84935bd
I'm following this issue since I want to use Harbor with Keycloak as OIDC provider. The first thing I tried was enabling the OIDC Session Logout flag (to complete a correct RP-initiated logout) and requesting an offline_access scope. My expected behaviour is that after a logout from the web portal I can continue to use the CLI secret through the docker CLI, but this is valid only for a short amount of time (the tokens' remaining lifespan). If I remove the flag from OIDC Session Logout, the CLI secret continues to work (since I'm not terminating the session/revoking the offline token), but I completely lose track of my offline sessions (every login creates a new session) and the only way to revoke them is manually through the Keycloak console. Is there a way to set up Harbor to perform somewhat similarly to the AWS CLI, where the two sessions (docker credential and browser) are generated in two different ways (OAuth 2.0 code flow and CLI secret request)?