JENKINS-19949

logout doesn't work when using openid with google apps auth


    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: openid-plugin
    • Labels: None
    • Environment:
      openid 1.7
      jenkins 1.534

      Description

      Users can't log out when using the openid plugin with Google Apps auth. The /logout function returns, but the user remains logged in. Expected: you should actually be logged out and need to log in again.

      Upon attempting logout I see the following in the logs:

      Starting discovery on URL identifier: https://www.google.com/accounts/...
      INFO org.openid4java.discovery.yadis.YadisResolver discover
      Yadis discovered 1 endpoints from: https://www.google.com/accounts/...
      INFO org.openid4java.discovery.Discovery discover
      Discovered 1 OpenID endpoints.
      INFO org.openid4java.consumer.ConsumerManager associate
      Trying to associate with https://www.google.com/a/...
      INFO org.openid4java.consumer.ConsumerManager associate
      Found an existing association: ...
      INFO org.openid4java.consumer.ConsumerManager authenticate
      Creating authentication request for OP-endpoint: https://www.google.com/...
      INFO org.openid4java.server.RealmVerifier match...
      INFO org.openid4java.consumer.ConsumerManager verify
      Verifying authentication response...
      INFO org.openid4java.consumer.ConsumerManager verify
      Received positive auth response.
      INFO org.openid4java.discovery.Discovery discover
      Starting discovery on URL identifier: https://www.google.com/accounts/...
      INFO org.openid4java.discovery.yadis.YadisResolver discover
      Yadis discovered 1 endpoints from: https://www.google.com/accounts/...
      INFO org.openid4java.discovery.Discovery discover
      Discovered 1 OpenID endpoints.
      INFO org.openid4java.consumer.ConsumerManager verifySignature
      Found association: ...
      INFO org.openid4java.consumer.ConsumerManager verifySignature
      Verification succeeded for:...


          Activity

          trbaker Trevor Baker added a comment -

          In order to log out, you must revoke access via https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en. Once revoked, the logout functionality works. Is there a way to make the Jenkins logout and the google auth tokens interoperate as expected?

          trbaker Trevor Baker added a comment -

          After a bounce or two of Jenkins it is now working. I'll keep monitoring and close this as appropriate.

          kylecordes kylecordes added a comment -

          The current behavior is: as long as that right is granted at Google, login occurs automatically. Our users found this unexpected; it is not broken, just not what they expected. It is actually quite convenient and useful.

          I have attempted to reduce the surprise by bolding a few words on the Wiki page:

          https://wiki.jenkins-ci.org/display/JENKINS/OpenID+plugin

          kohsuke Kohsuke Kawaguchi added a comment -

          Basically what kylecordes said. SSO means you have to log out from the SSO server, not from Jenkins, and Jenkins doesn't know where to send you to cause a logout.

          jinahya Jin Kwon added a comment -

          Let me ask again.
          Can this v-feature-v make it possible that someone logs into the company's Jenkins on a publicly available terminal and someone else can then get directly into Jenkins?

          Is revoking the grant from the Google account page the only way?
          Please reopen this issue if it needs to be resolved or at least enhanced.

          We can grant people using Google auth, so why can't we revoke it while logging out?

          teilo James Nord added a comment -

          Nahh...
          This is a bug - when the logout happens - I bet you are redirecting to the root of Jenkins and anonymous does not have read access. This will kick the authentication in again (normally this would be a form, but for SSO it's a redirect to a different server with some special information) which then redirects you back to Jenkins with the magic which means you are logged in...

          Jenkins maintains its own cookie and unless the SSO provider is also doing single sign-out (not many do) then you need to delete the Jenkins cookie and sign out of SSO for a true sign-out. However it is useful and desired at times to log out of just a single app and not the whole SSO. (This will not stop you signing back in - but the sign-in should not be immediate as you log out.)

          Basically override getPostLogOutUrl() to redirect to a page that anonymous can read on Jenkins - or maybe even to the SSO provider's global logout page (or be fancy and redirect to a Jenkins page that gives the user an option to go to the SSO provider's single sign-out page - should it support it).

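          The fix James sketches above, as an added example (not the openid-plugin's or Jenkins core's own code): a SecurityRealm that overrides getPostLogOutUrl() so the browser lands on a page anonymous can read, plus an UnprotectedRootAction serving that page. The class names SsoAwareSecurityRealm and LoggedOutPage and the URL name "loggedOut" are assumptions; the getPostLogOutUrl(StaplerRequest, Authentication) signature is the one in hudson.security.SecurityRealm of the Jenkins 1.x line this report is against.

```java
import hudson.Extension;
import hudson.model.UnprotectedRootAction;
import hudson.security.SecurityRealm;
import org.acegisecurity.Authentication;
import org.kohsuke.stapler.StaplerRequest;

/**
 * Hypothetical realm (assumed name). A concrete subclass such as an OpenID SSO realm
 * still has to implement createSecurityComponents(); only the post-logout target changes.
 */
public abstract class SsoAwareSecurityRealm extends SecurityRealm {

    /** URL name of the anonymous-readable landing page below (assumed value). */
    static final String LOGGED_OUT_URL = "loggedOut";

    @Override
    protected String getPostLogOutUrl(StaplerRequest req, Authentication auth) {
        // Core's default is the Jenkins root. When anonymous lacks Overall/Read,
        // landing there starts authentication again; with SSO that is a redirect to
        // the provider, which answers at once and the user is silently logged back in.
        // Redirecting to a page anonymous may read breaks that loop.
        return req.getContextPath() + "/" + LOGGED_OUT_URL;
    }

    /**
     * Landing page served without Overall/Read: UnprotectedRootAction is the core
     * marker interface for actions reachable by anonymous. Its index.jelly (not shown)
     * can say the Jenkins session is gone and link to the SSO provider's own sign-out,
     * since Jenkins cannot end the provider's session itself.
     */
    @Extension
    public static class LoggedOutPage implements UnprotectedRootAction {
        @Override public String getIconFileName() { return null; } // no sidebar link
        @Override public String getDisplayName() { return null; }
        @Override public String getUrlName() { return LOGGED_OUT_URL; }
    }
}
```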
          teilo James Nord added a comment -

          "Can this v-feature-v make it possible that someone logged into the company's Jenkins on a publicly available terminal and someone else can directly get into the Jenkins"

          Well, if you can get the Jenkins cookie from that public terminal, yes.
          But if you can do that - you can probably get the sign-on information for the SSO provider anyway - so the fact you can't log out is not really a major concern.

          So on a public terminal, iff the SSO provider does not support single sign-out, you would need to log out of the SSO provider and *then* log out of Jenkins. (Doing it the other way around would mean you would get logged back into Jenkins as soon as you logged out.)

          amoss Amos Shapira added a comment -

          I'm not sure whether this is related - I can logout but when I press the "login" button I'm immediately taken back to the last user, with no option to login as a different user.


            People

            Assignee:
            kohsuke Kohsuke Kawaguchi
            Reporter:
            trbaker Trevor Baker
            Votes:
            1
            Watchers:
            6
