Re-logging in doesn't require re-authentication after logging out for all apps

Steps to reproduce:

• Log into any app (i.e. the nextcloud)
• Log out again
• Hit "Sign in" and you're logged in again to the nextcloud, without any (re-)authentication

This is is counter-intuitive and different how the other apps behave.

moved from #20 (moved)

moved from single-sign-on#138 (moved)

added SSO + 1 deleted label

changed title from Logging in to the dashboard doesn't require re-authentication after logging out to Re-logging in doesn't require re-authentication after logging out for all apps

changed the description

added Prio::High Security labels

mentioned in issue single-sign-on#137 (moved)

added Discussion label

Solution needs to be discussed (it's not clear-cut), so I added Discussion in single-sign-on

There are 3 places relevant for logging out:

• Dashboard session key
• Hydra session
• Kratos session

A proper logout requires wiping all three of them. At this point, logging out from the dashboard executes the first (as it's just an app), but you are 'still logged in' in the session/kratos/hydra enviroment

This was not implemented because unclarity about single-sign-on#58 (closed) and like Maarten points out, needs definitely further discussion.

I changed the issue description example from dashobard to nextcloud to make the example clearer, and because dashboard is a special app, other then NC, zulip or wekan.

So I propose to discuss what needs to be done in order to logout from NC using the NC logout button, and if you want to re-login, re-authenticate with SSO.

added User feedback label

marked this issue as related to single-sign-on#58 (closed)

removed 1 deleted label

changed the description

Blocked by #19 (closed)

marked this issue as related to #19 (closed)

changed milestone to %0.8.2

Discussed in the meeting today. We're going to see if we can logout from the Hydra and Kratos sessions with every logout button we have

What we should do:

1. Implement logout page in the "login application" (soon /web in dashboard-backend) that logs you out of Kratos and logs you out of Hydra
2. Implement logout URLs in all applications.
   • I just manually tried to do this in Nextcloud. We can set the signout URL to sso.stackspin.net/oauth2/sessions/logout. This will redirect to the login application (soon to be renamed to /web in dashboard-backend). The login application can the execute the Kratos sign out as well as confirm the Hydra sign out.

assigned to @maarten

removed Discussion label

added 1 deleted label

added Blocked label and removed 1 deleted label

added 1 deleted label

removed Blocked label

I un- Blocked this because #19 (closed) is closed now

mentioned in issue stackspin#1234 (closed)

unassigned @maarten

assigned to @maarten

created branch 21-re-logging-in-doesn-t-require-re-authentication-after-logging-out-for-all-apps to address this issue

mentioned in merge request !69 (merged)

mentioned in issue stackspin#1173 (closed)

added Doing label and removed 1 deleted label

closed with merge request !69 (merged)