
logout doesn't work when using openid with google apps auth

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component: openid-plugin
    • Environment: openid 1.7, jenkins 1.534

      Users can't log out when using the openid plugin with Google Apps auth. The /logout function returns and the user remains logged in. Expected: you should actually be logged out and need to log in again.

      Upon attempting logout I see the following in the logs:

      Starting discovery on URL identifier: https://www.google.com/accounts/...
      INFO org.openid4java.discovery.yadis.YadisResolver discover
      Yadis discovered 1 endpoints from: https://www.google.com/accounts/...
      INFO org.openid4java.discovery.Discovery discover
      Discovered 1 OpenID endpoints.
      INFO org.openid4java.consumer.ConsumerManager associate
      Trying to associate with https://www.google.com/a/...
      INFO org.openid4java.consumer.ConsumerManager associate
      Found an existing association: ...
      INFO org.openid4java.consumer.ConsumerManager authenticate
      Creating authentication request for OP-endpoint: https://www.google.com/...
      INFO org.openid4java.server.RealmVerifier match...
      INFO org.openid4java.consumer.ConsumerManager verify
      Verifying authentication response...
      INFO org.openid4java.consumer.ConsumerManager verify
      Received positive auth response.
      INFO org.openid4java.discovery.Discovery discover
      Starting discovery on URL identifier: https://www.google.com/accounts/...
      INFO org.openid4java.discovery.yadis.YadisResolver discover
      Yadis discovered 1 endpoints from: https://www.google.com/accounts/...
      INFO org.openid4java.discovery.Discovery discover
      Discovered 1 OpenID endpoints.
      INFO org.openid4java.consumer.ConsumerManager verifySignature
      Found association: ...
      INFO org.openid4java.consumer.ConsumerManager verifySignature
      Verification succeeded for:...
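      The log excerpt above shows a full openid4java login cycle (discovery, association, authentication request, positive response, signature verification) produced by a logout request. An administrator who wants to confirm that this is happening, rather than a user genuinely signing back in, can correlate the timestamps: a fresh "Creating authentication request" followed by "Verification succeeded" within a second or two of the /logout request is the signature of an automatic re-login. The scanner below is an added example, not code from the issue or the openid plugin; the sample log is constructed here (the openid4java messages quoted in the report, given ISO timestamps and paired with access-log style lines for the /logout request, which Jenkins of this era did not log by itself), and the threshold of five seconds is an assumption.

```java
import java.time.Duration;
import java.time.LocalDateTime;
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.List;

/** Flags /logout requests that were followed, almost immediately, by a complete OpenID login. */
public final class SilentReloginDetector {
    private static final String LOGOUT_MARK = "/logout";
    private static final String AUTH_REQUEST_MARK = "Creating authentication request";
    private static final String AUTH_SUCCESS_MARK = "Verification succeeded";

    // Constructed sample (not a real Jenkins log). The first logout is followed within
    // two seconds by a whole OpenID cycle; the second is followed by a login only
    // minutes later, which is ordinary user behaviour and must not be flagged.
    static final String SAMPLE_LOG = String.join("\n",
        "2013-10-08T14:15:00 POST /jenkins/logout 302",
        "2013-10-08T14:15:00 INFO org.openid4java.discovery.Discovery discover Starting discovery on URL identifier: https://www.google.com/accounts/...",
        "2013-10-08T14:15:00 INFO org.openid4java.consumer.ConsumerManager associate Found an existing association: ...",
        "2013-10-08T14:15:01 INFO org.openid4java.consumer.ConsumerManager authenticate Creating authentication request for OP-endpoint: https://www.google.com/...",
        "2013-10-08T14:15:02 INFO org.openid4java.consumer.ConsumerManager verify Received positive auth response.",
        "2013-10-08T14:15:02 INFO org.openid4java.consumer.ConsumerManager verifySignature Verification succeeded for:...",
        "2013-10-08T16:40:10 POST /jenkins/logout 302",
        "2013-10-08T17:02:33 INFO org.openid4java.consumer.ConsumerManager authenticate Creating authentication request for OP-endpoint: https://www.google.com/...",
        "2013-10-08T17:02:51 INFO org.openid4java.consumer.ConsumerManager verify Received positive auth response.",
        "2013-10-08T17:02:51 INFO org.openid4java.consumer.ConsumerManager verifySignature Verification succeeded for:...");

    static final class Event {
        final LocalDateTime at;
        final String msg;
        Event(LocalDateTime at, String msg) { this.at = at; this.msg = msg; }
    }

    /** Splits "TIMESTAMP message" lines into events; lines without a parseable timestamp are skipped. */
    static List<Event> parse(String log) {
        List<Event> out = new ArrayList<>();
        for (String line : log.split("\n")) {
            int sp = line.indexOf(' ');
            if (sp < 0) continue;
            try {
                out.add(new Event(LocalDateTime.parse(line.substring(0, sp)), line.substring(sp + 1)));
            } catch (DateTimeParseException ignored) {
                // not one of our timestamped lines
            }
        }
        return out;
    }

    /**
     * Returns the timestamps of logouts after which, within the window, a new OpenID
     * authentication request was created AND verified successfully. No user clicks
     * through the provider that fast, so the pair means the post-logout redirect
     * re-triggered SSO on its own.
     */
    static List<LocalDateTime> findSilentRelogins(String log, Duration window) {
        List<Event> events = parse(log);
        List<LocalDateTime> findings = new ArrayList<>();
        for (int i = 0; i < events.size(); i++) {
            Event logout = events.get(i);
            if (!logout.msg.contains(LOGOUT_MARK)) continue;
            LocalDateTime deadline = logout.at.plus(window);
            boolean requested = false;
            for (int j = i + 1; j < events.size(); j++) {
                Event later = events.get(j);
                if (later.at.isAfter(deadline)) break;
                if (later.msg.contains(AUTH_REQUEST_MARK)) {
                    requested = true;
                } else if (requested && later.msg.contains(AUTH_SUCCESS_MARK)) {
                    findings.add(logout.at);
                    break;
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Expected on the constructed sample: only the 14:15:00 logout is reported.
        for (LocalDateTime at : findSilentRelogins(SAMPLE_LOG, Duration.ofSeconds(5))) {
            System.out.println("logout at " + at + " was immediately followed by an automatic SSO re-login");
        }
    }
}
```

      Run it against real logs by replacing SAMPLE_LOG with the concatenation of the access log and the Jenkins log, both normalised to the same timestamp format; the only tuning knob is the window, which should stay short so that genuine re-logins minutes later are not reported.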


          Trevor Baker added a comment -

          In order to log out, you must revoke access via https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en. Once revoked, the logout functionality works. Is there a way to make the Jenkins logout and the google auth tokens interoperate as expected?


          Trevor Baker added a comment -

          After a bounce or two of Jenkins it is now working. I'll keep monitoring and close this as appropriate.


          kylecordes added a comment -

          The current behavior is: as long as that right is granted at Google, login occurs automatically. Our users found this unexpected; it is not broken, just not what they expected. It is actually quite convenient and useful.

          I have attempted to reduce the surprise by bolding a few words on the Wiki page:

          https://wiki.jenkins-ci.org/display/JENKINS/OpenID+plugin


          Kohsuke Kawaguchi added a comment -

          Basically what kylecordes said. SSO means you have to log out from the SSO server, not from Jenkins, and Jenkins doesn't know where to send you to cause a logout.

          Jin Kwon added a comment -

          Let me ask again.
          Can this "feature" make it possible that someone logs into the company's Jenkins on a publicly available terminal and someone else can then get directly into Jenkins?

          Is revoking the grant from the Google account page the only way?
          Please reopen this issue if it needs to be resolved or at least enhanced.

          We can grant people access using Google auth, so why can't we revoke it when logging out?


          James Nord added a comment -

          Nahh...
          This is a bug - when the logout happens - I bet you are redirecting to the root of Jenkins and anonymous does not have read access. This will kick the authentication in again (normally this would be a form, but for SSO it's a redirect to a different server with some special information) which then redirects you back to Jenkins with the magic which means you are logged in...

          Jenkins maintains its own cookie and unless the SSO provider is also doing single sign-out (not many are) then you need to delete the Jenkins cookie and sign out of SSO for a true sign-out. However it is useful and desired at times to log out of just a single app and not the whole SSO. (This will not stop you signing back in - but the sign-in should not be immediate as you log out.)

          Basically override getPostLogOutUrl() to redirect to a page that anonymous can read on Jenkins - or maybe even to the SSO provider's global logout page (or be fancy and redirect to a Jenkins page that gives the user an option to go to the SSO provider's single sign-out page - should it support it).

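          The override James Nord describes, written out as an added example (this is not code from the openid plugin or from anyone on this issue). It assumes the plugin's OpenIdSsoSecurityRealm class with a single-argument OpenIdSsoSecurityRealm(String endpoint) constructor, as in openid 1.7, and the Jenkins core hook SecurityRealm.getPostLogOutUrl(StaplerRequest, Authentication); the package, the class name and the "loggedOut" page path are hypothetical. Rather than hard-coding a target, the realm first checks whether anonymous already holds Jenkins.READ; only when it does not is the browser sent to a page that anonymous can read, so the very next request cannot fall into the SSO redirect that undoes the logout.

```java
package org.example.jenkins.sso; // hypothetical package

import hudson.Extension;
import hudson.model.Descriptor;
import hudson.security.SecurityRealm;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;
import org.jenkinsci.plugins.openid.OpenIdSsoSecurityRealm;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.StaplerRequest;
import org.openid4java.OpenIDException;

import java.io.IOException;

/** OpenID SSO realm whose post-logout redirect never lands on a page anonymous cannot read. */
public class AnonymousSafeLogoutRealm extends OpenIdSsoSecurityRealm {

    @DataBoundConstructor
    public AnonymousSafeLogoutRealm(String endpoint) throws IOException, OpenIDException {
        super(endpoint); // assumed constructor signature of the plugin's realm
    }

    /**
     * Jenkins calls this after it has invalidated its own session. If the URL returned
     * here is not readable by anonymous, the next request fails the permission check,
     * the SSO realm answers with a redirect to the provider, and the provider (which
     * still holds its grant) sends the browser straight back with a fresh assertion,
     * which is exactly the "logout doesn't work" behaviour reported above.
     */
    @Override
    protected String getPostLogOutUrl(StaplerRequest req, Authentication auth) {
        String root = req.getContextPath() + "/";
        boolean anonymousCanRead =
                Jenkins.getInstance().getACL().hasPermission(Jenkins.ANONYMOUS, Jenkins.READ);
        if (anonymousCanRead) {
            return root; // the default target is already safe for this instance
        }
        // Hypothetical page, served by an UnprotectedRootAction, that tells the user
        // they are signed out of Jenkins and links to the provider's own sign-out page
        // for anyone who also needs a full single sign-out (e.g. on a shared terminal).
        return root + "loggedOut";
    }

    @Extension
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        @Override
        public String getDisplayName() {
            return "OpenID SSO (anonymous-safe logout)";
        }
    }
}
```

          Note what this does and does not achieve: the Jenkins session is gone and the browser is no longer bounced back into SSO, but the provider-side grant still exists, so pressing "log in" again will still succeed without a prompt until the user signs out at the provider as well.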

          James Nord added a comment -

          "Can this feature make it possible that someone logged into the company's Jenkins on a publicly available terminal and someone else can directly get into the Jenkins"

          Well if you can get the Jenkins cookie from that public terminal, yes.
          But if you can do that - you can probably get the sign-on information for the SSO provider anyway - so the fact you can't log out is not really a major concern.

          So on a public terminal, iff the SSO provider does not support single sign-out, you would need to log out of the SSO provider and *then* log out of Jenkins. (Doing it the other way around would mean you would get logged back into Jenkins as soon as you logged out.)


          Amos Shapira added a comment -

          I'm not sure whether this is related - I can logout but when I press the "login" button I'm immediately taken back to the last user, with no option to login as a different user.


            Assignee: Kohsuke Kawaguchi
            Reporter: Trevor Baker