
Support regular OIDC logout from the central dashboard #7568

Open
AndersBennedsgaard opened this issue May 1, 2024 · 2 comments

Comments

@AndersBennedsgaard

/kind feature

Why you need this feature:

Currently the central dashboard makes hard assumptions about using https://github.com/arrikto/oidc-authservice. There is some talk about changing Kubeflow to use the OAuth2 proxy instead, but as explained here, this causes issues with logging out through the central dashboard, since the redirect after clicking the logout button is based on the afterLogoutURL key in the response, which is not part of the OIDC protocol. Therefore, you have to manually refresh the page in order to be redirected to the Kubeflow home page again when using OIDC-compliant tools.

Describe the solution you'd like:

Instead of assuming usage of the oidc-authservice, we should support regular OIDC logout, where we directly redirect the browser to the logout URL instead of just a simple POST to the authservice.
The KeyCloak documentation explains how this should be done quite well: https://www.keycloak.org/docs/latest/server_admin/#_oidc-logout

@kimwnasptd
Member

I don't have much understanding of ideally how the logout flow should work on OIDC, but am for sure in favor of any effort to untangle it from the AuthService.

@AndersBennedsgaard do you have enough expertise to describe a numbered list of steps of how the logic should work in this case?

@AndersBennedsgaard
Author

AndersBennedsgaard commented May 27, 2024

Sorry, no, I am definitely not an expert in this field. But having read the KeyCloak documentation on it, it sounds like RP-Initiated Logout is the solution we want. It sounds like when the user clicks the "Log out" button you just redirect the browser to the logout URL, and the authentication backend handles the rest of the flow, which would be very simple to implement in the central dashboard.

If we want to be backwards compatible with the current functionality, we could add another environment variable LOGOUT_URL_REDIRECT which takes over the logout flow. Or we could add a --force-logout-redirect flag, which would make the dashboard do a redirect instead of a POST to the regular LOGOUT_URL.
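As an added illustration of the proposal above (example code, not part of the Kubeflow central dashboard): a decision function that keeps the legacy POST to LOGOUT_URL unless LOGOUT_URL_REDIRECT (or a FORCE_LOGOUT_REDIRECT switch standing in for the --force-logout-redirect flag) is set, in which case it builds an OIDC RP-Initiated Logout redirect. The env var names, the session shape and the sample URLs are assumptions; the query parameters (id_token_hint, post_logout_redirect_uri, state) are those defined by OpenID Connect RP-Initiated Logout 1.0.

```javascript
// Added example, not dashboard code. Decides how the "Log out" button is served.
// env: the process environment (LOGOUT_URL is the existing dashboard variable;
//      LOGOUT_URL_REDIRECT and FORCE_LOGOUT_REDIRECT are the names proposed above).
// session: per-user data the dashboard already holds (shape assumed here).
// allowedPostLogoutUris: URIs registered with the OP for this client.
function buildLogoutAction(env, session, allowedPostLogoutUris) {
  // RP-Initiated Logout target: the OP's end_session_endpoint. The force switch
  // reuses the existing LOGOUT_URL but turns the POST into a browser redirect.
  const endSession =
    env.LOGOUT_URL_REDIRECT ||
    (env.FORCE_LOGOUT_REDIRECT === 'true' ? env.LOGOUT_URL : undefined);

  if (!endSession) {
    // Legacy behaviour: front end POSTs to the authservice and follows afterLogoutURL.
    return { action: 'post', url: env.LOGOUT_URL };
  }

  const target = new URL(endSession);
  // id_token_hint tells the OP which session to end without re-prompting the user.
  if (session.idToken) target.searchParams.set('id_token_hint', session.idToken);

  // Only forward a post-logout URI that is on our registered allow-list; an OP
  // will reject unregistered values, and passing arbitrary ones would be an
  // open redirect through the logout flow.
  if (session.postLogoutRedirectUri) {
    if (!allowedPostLogoutUris.includes(session.postLogoutRedirectUri)) {
      throw new Error('post_logout_redirect_uri is not registered for this client');
    }
    target.searchParams.set('post_logout_redirect_uri', session.postLogoutRedirectUri);
  }
  // state is echoed back on the post-logout redirect so the RP can correlate it.
  if (session.state) target.searchParams.set('state', session.state);

  return { action: 'redirect', status: 302, location: target.toString() };
}

// Constructed demo values (not real deployments).
const demoEnv = { LOGOUT_URL_REDIRECT: 'https://idp.example/realms/kf/protocol/openid-connect/logout' };
const demoSession = { idToken: 'demo-id-token', postLogoutRedirectUri: 'https://dash.example/', state: 'n0nce' };
console.log(buildLogoutAction(demoEnv, demoSession, ['https://dash.example/']));
```

Whichever branch is taken, the browser-side code must follow the 302 rather than treat the response as JSON, which is exactly the part the current afterLogoutURL handling gets wrong with OIDC-compliant backends.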
