When the plugin is configured to allow READ permission for Authenticated, but not Anonymous, users, clicking "logout" has no effect. You actually have to go to GitHub and log out there.

          [JENKINS-16350] "logout" link doesn't work

          Sam Gleske added a comment -

          Not sure what point you folks are making. The default behavior of a locked down Jenkins is to force the user to log in. In the case of OAuth, the user is automatically logged in via OAuth.

          I've clearly explained the use of the logout link and what happens when you log out (to be automatically logged back in). Additionally, if user or team membership changes the logout link still serves a purpose.

          If you want the user to be officially "logged out" and to show a "login" link then the only way possible is to allow Overall Read. The core behavior is not going to be changed.

          Closing this issue... again.


          James Nord added a comment -

          This is a bug in the github-oauth plugin not Jenkins.


          James Nord added a comment -

          The default behaviour of Jenkins is not to force a login.

          The default behaviour if you don't have permissions and are not logged in and request a restricted page is to redirect to the login page to *start a login*. By default this is the username/password form, but this can be changed by the Security Realm, which is the case here.

          There are several things here that are important - note the "restricted page".
          On logout the realm is redirecting to the root of Jenkins, which may well be a restricted page depending on your security setup.

          So there are 2 things that you can do.

          1) change the login to take an intermediary form that requires the user to take action (i.e. a separate Login with GitHub button)
          2) do not redirect to a page that requires authentication when you log out.

          I went for option 2 as in the normal use case it is one less button to click.

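The redirect chain described in the comment above, modelled as an added example (not code from the plugin or from any commenter). All paths and parameter names are constructed for illustration; the model also covers the Overall/Read setting and an ended GitHub session mentioned elsewhere in the thread.

```python
# Constructed model of the logout redirect chain; every path below is hypothetical.
LOGIN_URL = "/realm/login"        # where a restricted page sends anonymous users
IDP_AUTHORIZE = "idp:/authorize"  # OAuth provider's authorize endpoint
CALLBACK = "/realm/callback"      # realm endpoint that creates the Jenkins session
UNPROTECTED = {"/loggedOut"}      # pages served without any permission check


def logout_flow(post_logout_url, anonymous_read=False, login_button=False,
                github_session=True, max_hops=10):
    """Follow redirects from the logout link.

    Returns (page finally shown, logged_in_to_jenkins, list of pages visited).
    """
    logged_in, path, trail = True, "/logout", []
    for _ in range(max_hops):
        trail.append(path)
        if path == "/logout":
            logged_in = False                  # Jenkins session invalidated
            path = post_logout_url
        elif path == LOGIN_URL:
            if login_button:                   # option 1: wait for a user click
                return path, logged_in, trail
            path = IDP_AUTHORIZE               # realm starts OAuth immediately
        elif path == IDP_AUTHORIZE:
            if not github_session:             # provider asks for credentials
                return path, logged_in, trail
            path = CALLBACK                    # live provider session: silent approval
        elif path == CALLBACK:
            logged_in = True                   # fresh Jenkins session issued
            path = "/"
        elif path in UNPROTECTED or logged_in or anonymous_read:
            return path, logged_in, trail      # page is rendered
        else:
            path = LOGIN_URL                   # restricted page: start a login
    raise RuntimeError("redirect loop")


if __name__ == "__main__":
    cases = {
        "redirect to root (reported behaviour)": logout_flow("/"),
        "option 2: unprotected landing page": logout_flow("/loggedOut"),
        "option 1: explicit login button": logout_flow("/", login_button=True),
        "anonymous has Overall/Read": logout_flow("/", anonymous_read=True),
        "logged out at GitHub first": logout_flow("/", github_session=False),
    }
    for name, (page, logged_in, trail) in cases.items():
        print(f"{name}: ends at {page}, logged_in={logged_in}, via {trail}")
```

Only the first case ends with a live Jenkins session, which is why the logout link appears to do nothing in that configuration.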

          Code changed in jenkins
          User: James Nord
          Path:
          src/main/java/org/jenkinsci/plugins/GithubLogoutAction.java
          src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
          src/main/resources/org/jenkinsci/plugins/GithubLogoutAction/index.jelly
          http://jenkins-ci.org/commit/github-oauth-plugin/93c31ef51be59feae914eec4228c02c8af10434c
          Log:
          JENKINS-16350 fix the logout -> immediate login

          When using a secured jenkins without anonymous read on the main page the
          redirect at the end of the login would cause Jenkins to redirect to the
          security realm's login page.

          This does not log you out of github but at least it means your JENKINS
          cookie can not be snarfed by anyone for evil purposes.


          Sam Gleske added a comment -

          Should be fixed by 0.25


          Code changed in jenkins
          User: Sam Gleske
          Path:
          CHANGELOG.md
          http://jenkins-ci.org/commit/github-oauth-plugin/c78dc42fd2f8f468f6ec1021e8ebc7473daf484b
          Log:
          update CHANGELOG

          [fixes JENKINS-16350]
          [fixes JENKINS-34896]
          [fixes JENKINS-39200]


          Code changed in jenkins
          User: Sam Gleske
          Path:
          CHANGELOG.md
          http://jenkins-ci.org/commit/github-oauth-plugin/83f478099714eecefdfbe15068b83ccc905a4534
          Log:
          update CHANGELOG

          [fixes JENKINS-16350]
          [fixes JENKINS-34896]
          [fixes JENKINS-39200]


          Code changed in jenkins
          User: Sam Gleske
          Path:
          CHANGELOG.md
          http://jenkins-ci.org/commit/github-oauth-plugin/c175b45f6eab1ee86b1af28df7e7838f51521b1f
          Log:
          update CHANGELOG

          [fixes JENKINS-16350]
          [fixes JENKINS-34896]
          [fixes JENKINS-39200]


          Code changed in jenkins
          User: Sam Gleske
          Path:
          CHANGELOG.md
          http://jenkins-ci.org/commit/github-oauth-plugin/85599d1b484328ce64bc4e21a79c9f43ed051a8c
          Log:
          update CHANGELOG

          [fixes JENKINS-16350]
          [fixes JENKINS-34896]
          [fixes JENKINS-39200]


          Sam Gleske added a comment -

          This should be fixed. Release github-oauth 0.25.


            Unassigned Unassigned
            dabrahams Dave Abrahams