OIDC-authenticated users should be able to terminate their session

Problem: When OIDC is used for authentication, users are unable to log out using the GUI logout function. Using the logout function, they are redirected to /users/extlogout, but their session is not terminated. When they navigate back to /, they are still logged in.

Expected outcome: Users who have logged in with OIDC are able to terminate their Foreman UI session by using the GUI logout function.

Foreman and Proxy versions: Foreman 3.10

Foreman and Proxy plugin versions: Katello 4.12

Distribution and version: Alma8

Other relevant data:

This problem occurs if mod_auth_openidc on the Foreman httpd is configured as follows:

# /etc/httpd/conf.d/idp-xyz
OIDCClientID foreman-client-id
OIDCProviderMetadataURL https://idp/.well-known/openid-configuration
OIDCCryptoPassphrase xyz
OIDCClientSecret foremanclientsecret
OIDCRedirectURI https://foreman/users/extlogin/redirect_uri
OIDCRemoteUserClaim sub
OIDCDefaultURL https://foreman/hosts
<Location /users/extlogin>
    AuthType openid-connect
    Require valid-user
</Location>

In Foreman settings, the following relevant settings are made:

  • authorize_login_delegation: True
  • login_delegation_logout_url: (empty)

Current Workaround

A partial workaround is to require mod_auth_openidc authentication on all URLs (with the API endpoints as exceptions):

<Location ~ "^((?!/(api|pulp|unattended|katello|rhsm|salt)).)*$">
    AuthType openid-connect
    Require valid-user
</Location>

and to set the login_delegation_logout_url to the “kill session” URL of mod_auth_openidc as described in [1].

This workaround establishes the following behavior:

  • Every access to every location on the Foreman user interface requires a valid OIDC authentication. Note: In the concerned landscape this behavior is feasible.
  • The v2 API, pulp content, unattended templates, the Katello and RHSM endpoints and the Saltstack plugin endpoint are excepted from this behavior. Note: This list of exceptions may be incomplete!
  • An IdP-unauthenticated user will be redirected to the IdP.
  • An IdP-authenticated user will be able to access the Foreman user interface.
  • An IdP-authenticated user who uses the Foreman user interface logout function will trigger a termination of the IdP session of the user. Subsequent access to the user interface will redirect the user to the IdP login.

We believe that the observed behavior has in part been explained in [2], but the concerned landscape has specific contradicting requirements. Even accepting the explanation given in [2], we find it counter-intuitive that a logout function is presented to users that does not actually log out the users from the user interface.

We are in the process of determining if the workaround described above can meet the specific requirements in the concerned landscape. Since this workaround requires a plugin-specific list of exceptions in the Foreman httpd config, and since the workaround disables non-federated logins to the user interface, it cannot be considered applicable in the general case.

References:
[1] mod_auth_openidc Wiki, Frequently Asked Questions: "9. How do I logout users?" (GitHub, OpenIDC/mod_auth_openidc)
[2] [Keycloak SSO] Foreman redirects to /users/login instead of /users/extlogin when session expired
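The following is an added example and not part of the original report or of Foreman or mod_auth_openidc. It evaluates the workaround's `<Location ~ "...">` regex against a constructed list of Foreman URL paths to show which paths httpd would leave outside OIDC authentication (the "list of exceptions may be incomplete" caveat above), and it builds the mod_auth_openidc "kill session" URL from [1] (`<OIDCRedirectURI>?logout=<url-encoded return URL>`) that `login_delegation_logout_url` is pointed at. The hostnames and paths are the ones used in the report; the anchored regex variant is an assumption of this example, not something the report proposes.

```python
"""
Added example (not from the original post): check which paths the workaround's
<Location ~ "..."> regex protects with OIDC, and build the mod_auth_openidc
logout ("kill session") URL described in the mod_auth_openidc FAQ.
"""
import re
from urllib.parse import quote

# Regex exactly as used in the workaround's <Location ~ "..."> directive.
# Note: the negative lookahead is applied at every position, so any path that
# CONTAINS one of the substrings (e.g. "/hosts/api-server-01") is excepted too.
WORKAROUND_LOCATION_RE = r"^((?!/(api|pulp|unattended|katello|rhsm|salt)).)*$"

# Assumed tighter variant (not from the post): only except the endpoint roots,
# i.e. the listed segment must be the first path segment.
ANCHORED_LOCATION_RE = r"^(?!/(api|pulp|unattended|katello|rhsm|salt)(/|$)).*$"

# Constructed sample of request paths a Foreman/Katello host sees.
SAMPLE_PATHS = [
    "/",
    "/hosts",
    "/users/login",
    "/users/extlogin",
    "/users/extlogout",
    "/api/v2/hosts",
    "/katello/api/v2/organizations",
    "/pulp/content/Default_Organization/Library/custom/repo/",
    "/unattended/provision",
    "/rhsm/consumers",
    "/apidocs",              # substring "/api": unintentionally excepted
    "/hosts/api-server-01",  # host page whose name starts with "api": excepted
]


def is_oidc_protected(path: str, pattern: str = WORKAROUND_LOCATION_RE) -> bool:
    """True if httpd would apply the OIDC <Location ~> block to this path.

    <Location ~> matches the URL path only (no query string), so callers pass
    the bare path.
    """
    return re.search(pattern, path) is not None


def unprotected_paths(paths, pattern: str = WORKAROUND_LOCATION_RE) -> list:
    """Paths that fall outside the OIDC-protected location set."""
    return [p for p in paths if not is_oidc_protected(p, pattern)]


def build_oidc_logout_url(redirect_uri: str, return_to: str) -> str:
    """mod_auth_openidc 'kill session' URL per its FAQ [1]:
    <OIDCRedirectURI>?logout=<url-encoded URL to send the browser to afterwards>.
    This is the value to put into Foreman's login_delegation_logout_url.
    """
    return f"{redirect_uri}?logout={quote(return_to, safe='')}"


def main() -> None:
    for label, pattern in (("workaround", WORKAROUND_LOCATION_RE),
                           ("anchored (assumed)", ANCHORED_LOCATION_RE)):
        print(f"--- {label} ---")
        for p in SAMPLE_PATHS:
            state = "OIDC" if is_oidc_protected(p, pattern) else "open"
            print(f"{state:5} {p}")
    print("login_delegation_logout_url =",
          build_oidc_logout_url("https://foreman/users/extlogin/redirect_uri",
                                "https://foreman/"))


if __name__ == "__main__":
    main()
```

Running `main()` shows that the workaround regex leaves `/apidocs` and `/hosts/api-server-01` unauthenticated at the httpd layer because the lookahead matches the substring `/api` anywhere in the path; the anchored variant only excepts the listed roots. Whether the anchored form is correct for a given deployment depends on which endpoints plugins actually register, so it must be verified against the installed plugin set rather than taken over unchanged.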