React only uses env variables during build time. There's no (logical) way to set dynamic environments for React applications once they've been built, because they are static HTML & JS applications.
The correct way to solve this is to add the variable to the back-end rather than the front-end. I think we should add a /logout endpoint to areas/auth/auth.py in the dashboard-backend.
@davor what do you think? And if you think my solution makes sense, or if you have another solution, could you include how much time it would cost you to implement the solution if you did it?
There is a /logout endpoint in login.py. Not sure if that does what it needs to. But just to check: what steps should we follow to properly log out the user from all apps?
login.py is the "login provider", a web application that we made for Hydra that creates an SSO session. The login process of the Dashboard uses Hydra, which in turn uses the login provider. We should do something similar on logout: the Dashboard should talk to Hydra, then Hydra calls the logout endpoint in login.py to end the SSO session.
In order to make Hydra call the /logout endpoint that ends the SSO session, our application needs to call Hydra's logout endpoint, which is https://sso.<domain>/oauth2/sessions/logout
Signing off from all apps is not covered by this issue. We have a separate issue for that: #47
The problem in this issue is that <domain> is different for all applications, so we can't set the Hydra logout endpoint as a variable in the pre-built React app. That's why I think we need to somehow communicate that variable from the back-end, which is where my previous question comes from.
I see. Yes, I think we could create a /logout endpoint in auth.py and it would call Hydra with <domain>. I don't think it would be a lot of work, I would just like to know exactly what steps to take with Hydra.
We want to "quick fix" this right now (because logging out in production is broken) by setting the logout domain based on the current dashboard domain.
The way of finding the SSO URL is: s/dashboard.<domain>/sso.<domain>/ (i.e. dashboard.init.stackspin.net becomes sso.init.stackspin.net)
Note that this is a hotfix, we'll need to properly configure the Hydra URL through the back-end in the future.
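The hostname rewrite from the hotfix above, as an added JavaScript example (not code from the project or from anyone in this thread). `hydraLogoutUrl` is a hypothetical name; the rewrite is anchored to the leftmost label and always emits https, so a host that merely contains "dashboard." somewhere is rejected instead of being rewritten.

```javascript
// Added example. The logout path is the one quoted in the thread;
// the function name and the error message are assumptions.
const HYDRA_LOGOUT_PATH = "/oauth2/sessions/logout";
const DASHBOARD_LABEL = "dashboard.";

function hydraLogoutUrl(dashboardUrl) {
  // The URL parser lowercases the hostname and strips port, path and query,
  // so only the host itself takes part in the rewrite.
  const host = new URL(dashboardUrl).hostname;

  // Anchor the s/dashboard.<domain>/sso.<domain>/ rewrite at the start of
  // the hostname. An unanchored replace would also rewrite hosts such as
  // files.dashboard.<domain>, which are not the dashboard.
  if (!host.startsWith(DASHBOARD_LABEL) || host.length === DASHBOARD_LABEL.length) {
    throw new Error(`not a dashboard host: ${host}`);
  }

  const domain = host.slice(DASHBOARD_LABEL.length);
  // Always use https for the SSO endpoint, whatever scheme the page was loaded with.
  return `https://sso.${domain}${HYDRA_LOGOUT_PATH}`;
}

// In the browser the logout handler would navigate to the derived URL:
//   window.location.assign(hydraLogoutUrl(window.location.href));
```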