Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-23011

[openid-plugin] Add Single Logout feature

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      Why this feature: Single logout feature is an optional feature supported by various OpenID providers.

      What does this feature do: When the user logs out of his OpenID endpoint, he also logs out of Jenkins.

      How did I implement: When a user logs out of his openid provider, the openid plugin resets the remember-me cookie and returns an image indicating that it is logged out of jenkins.

      Link to the commit/pull request: https://github.com/jenkinsci/openid-plugin/pull/7

        Attachments

          Activity

          Hide
          kohsuke Kohsuke Kawaguchi added a comment -

          Do you have any reference to the spec of this optional feature anywhere?

          I'm not finding any, and it seems closer to this one but I'd imagine there'd have to be some advertising of this capability from Jenkins to OpenID provider.

          Show
          kohsuke Kohsuke Kawaguchi added a comment - Do you have any reference to the spec of this optional feature anywhere? I'm not finding any, and it seems closer to this one but I'd imagine there'd have to be some advertising of this capability from Jenkins to OpenID provider.
          Hide
          jssnirmal Nirmal Jonnalagedda added a comment -

          We have discovered the logout image is actually a implementation detail of the OP (OpenID Provider) we use. Logout doesn't appeared to be covered at all in the OpenID 2.0 Spec (http://openid.net/specs/openid-authentication-2_0.html) so we may be the only use-case for this.

          However, we noticed that "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY" cookie is used in the other jenkins plugins (such as https://svn.jenkins-ci.org/tags/hudson-/core/src/main/java/hudson/security/SecurityRealm.java). I wonder if in the OpenID Connect spec (http://openid.net/specs/openid-connect-session-1_0.html#RPLogout), if it would be appropriate to reset this cookie.

          Feel free to close this issue, if you think this feature is unnecessary.

          Show
          jssnirmal Nirmal Jonnalagedda added a comment - We have discovered the logout image is actually a implementation detail of the OP (OpenID Provider) we use. Logout doesn't appeared to be covered at all in the OpenID 2.0 Spec ( http://openid.net/specs/openid-authentication-2_0.html ) so we may be the only use-case for this. However, we noticed that "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY" cookie is used in the other jenkins plugins (such as https://svn.jenkins-ci.org/tags/hudson-/core/src/main/java/hudson/security/SecurityRealm.java ). I wonder if in the OpenID Connect spec ( http://openid.net/specs/openid-connect-session-1_0.html#RPLogout ), if it would be appropriate to reset this cookie. Feel free to close this issue, if you think this feature is unnecessary.
          Hide
          kohsuke Kohsuke Kawaguchi added a comment -

          I don't need this to be a part of the official OpenID spec, but I was hoping that this is bit more than a particular implementation detail of a particular OpenID provider.

          Looking at the change, I think my suggestion is that you implement this by writing another plugin that extends from OpenIdSsoSecurityRealm. You should be able to just add your doLogoutImage method in a subtype with a new descriptor, like GoogleAppSsoSecurityRealm.

          I hope that is acceptable with you.

          Show
          kohsuke Kohsuke Kawaguchi added a comment - I don't need this to be a part of the official OpenID spec, but I was hoping that this is bit more than a particular implementation detail of a particular OpenID provider. Looking at the change, I think my suggestion is that you implement this by writing another plugin that extends from OpenIdSsoSecurityRealm . You should be able to just add your doLogoutImage method in a subtype with a new descriptor, like GoogleAppSsoSecurityRealm . I hope that is acceptable with you.

            People

            Assignee:
            kohsuke Kohsuke Kawaguchi
            Reporter:
            jssnirmal Nirmal Jonnalagedda
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated: