[Bug 31900] New: Add support for logout from external OAuth2/OIDC identity providers
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 Bug ID: 31900 Summary: Add support for logout from external OAuth2/OIDC identity providers Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: new feature Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: tomascohen@gmail.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |31378 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31378 [Bug 31378] Add a generic OAuth2/OIDC client implementation -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- In order to do this, I think that we'd need to store a reference in the user's database session to the identity provider that was used when logging in. Perhaps "identity_provider: X" would be enough. Or potentially "identity_provider_logout" with the logout URL, so that we don't have to re-fetch the "end_session_endpoint" via the well_known_url. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 --- Comment #2 from Tomás Cohen Arazi <tomascohen@gmail.com> --- The logout URL is retrieved during the OIDC warm up, and reused. Alternatively, it can be set in the config, and the plugin will use it. And yes, we need to add the idp reference on the session. It should also be configurable with 3 options - No logout - Automatic logout - Give the option to logout -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- Sounds good to me. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 Bug 31900 depends on bug 31378, which changed state. Bug 31378 Summary: Add a generic OAuth2/OIDC client implementation https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31378 What |Removed |Added ---------------------------------------------------------------------------- Status|Needs documenting |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 Brendan Lawlor <blawlor@clamsnet.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |blawlor@clamsnet.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 Alex Buckley <alexbuckley@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |alexbuckley@catalyst.net.nz --- Comment #4 from Alex Buckley <alexbuckley@catalyst.net.nz> --- Hi all, As this bug report is a few years old. Could you please clarify for me. Does Koha now have support for logout from external OAuth2/OIDC identity providers or not? Thanks Alex -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- (In reply to Alex Buckley from comment #4)
Hi all,
As this bug report is a few years old. Could you please clarify for me.
Does Koha now have support for logout from external OAuth2/OIDC identity providers or not?
Thanks Alex
I don't think so. I don't have any plans to work on this either, as I don't have anyone asking for it. My next OIDC related task would be to return to page initiating the OIDC login. Happy to support anyone that wants to do this work though. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 --- Comment #6 from Alex Buckley <alexbuckley@catalyst.net.nz> --- (In reply to David Cook from comment #5)
(In reply to Alex Buckley from comment #4)
Hi all,
As this bug report is a few years old. Could you please clarify for me.
Does Koha now have support for logout from external OAuth2/OIDC identity providers or not?
Thanks Alex
I don't think so.
I don't have any plans to work on this either, as I don't have anyone asking for it. My next OIDC related task would be to return to page initiating the OIDC login.
Happy to support anyone that wants to do this work though.
Thanks very much David! We have a partner library who are running 24.11 who are using OIDC for authentication. When they log out of the Koha staff client they encounter a 'There was an error authenticating to external identity provider wrong_csrf_token'. So I am trying to establish if that is because Koha doesnt support OIDC logout or something else. Have you ever encountered that problem before? -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 --- Comment #7 from David Cook <dcook@prosentient.com.au> --- (In reply to Alex Buckley from comment #6)
Thanks very much David!
We have a partner library who are running 24.11 who are using OIDC for authentication. When they log out of the Koha staff client they encounter a 'There was an error authenticating to external identity provider wrong_csrf_token'.
So I am trying to establish if that is because Koha doesnt support OIDC logout or something else.
Have you ever encountered that problem before?
No, I don't think that would relate to Koha supporting OIDC logout from the IdP. In fact, based off the description, this doesn't sound like the full story. To me, it sounds like they've logged out via OIDC and then tried to login via OIDC again. Sounds like you've got some troubleshooting to do. But Koha won't be trying to initiate a OIDC logout from the IdP so I'd say it's not related to bug 31900. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 --- Comment #8 from David Cook <dcook@prosentient.com.au> --- @Alex something you might want to consider is bug 33259. That may or may not be related to your issue. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 --- Comment #9 from Alex Buckley <alexbuckley@catalyst.net.nz> --- (In reply to David Cook from comment #8)
@Alex something you might want to consider is bug 33259. That may or may not be related to your issue.
Many thanks David for this and your previous comment, appreciate it! -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=40596 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 Alexander Wagner <alexander.wagner@desy.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |alexander.wagner@desy.de --- Comment #10 from Alexander Wagner <alexander.wagner@desy.de> --- In our system we use OIDC as authentication and this works fine. However, it is an SSO login that will also open up quite a few other web services like mail etc. Therefore, we believe that a logout from Koha should also initiate a logout at the IdP. Otherwise, the user sees a successful logout but in fact you can still happily open up any other service (and even koha) again without authentication. Therefore, I tried to work on this bug but was not able to really solve the issue. AFAIS it is necessary to enhance `checkauth()` in `Auth.pm` in the `if ($logout) { }` branch and call the relevant logout-url there. This logout-url requires an `id_token` and/or `oidc_stat` that is passed on during login. But I do not understand how to pass these tokens on from the login functions properly. It seems that `Koha::REST::V1::Client` gets the necessary tokens when `login()` returns and they should go with the `$session` from there on. So I could retrieve them during logout and pass them on in the logout url. But there is some magic beyond my limited powers involved. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 --- Comment #11 from Alexander Wagner <alexander.wagner@desy.de> --- This bug seems to be related to https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34806 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 --- Comment #12 from David Cook <dcook@prosentient.com.au> --- (In reply to Alexander Wagner from comment #10)
In our system we use OIDC as authentication and this works fine. However, it is an SSO login that will also open up quite a few other web services like mail etc. Therefore, we believe that a logout from Koha should also initiate a logout at the IdP. Otherwise, the user sees a successful logout but in fact you can still happily open up any other service (and even koha) again without authentication.
Therefore, I tried to work on this bug but was not able to really solve the issue.
AFAIS it is necessary to enhance `checkauth()` in `Auth.pm` in the `if ($logout) { }` branch and call the relevant logout-url there. This logout-url requires an `id_token` and/or `oidc_stat` that is passed on during login. But I do not understand how to pass these tokens on from the login functions properly. It seems that `Koha::REST::V1::Client` gets the necessary tokens when `login()` returns and they should go with the `$session` from there on. So I could retrieve them during logout and pass them on in the logout url. But there is some magic beyond my limited powers involved.
Depends if you're doing front channel or back channel logout. Front channel logout is very easy because you just redirect to the IdP's end session endpoint. That's what I implemented 12 years ago when I wrote my own OIDC implementation. Unfortunately, it wasn't accepted into Koha, and so I abandoned that in favour of the community version despite its limitations. It's really not too hard to do. It just hasn't been a priority for me... lots of other things taking my attention. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |agostino.nigro@nigroweb.com --- Comment #13 from David Cook <dcook@prosentient.com.au> --- *** Bug 34806 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 --- Comment #14 from David Cook <dcook@prosentient.com.au> --- (In reply to Alexander Wagner from comment #11)
This bug seems to be related to https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34806
Yeah I think that these are probably duplicates... -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31900 --- Comment #15 from David Cook <dcook@prosentient.com.au> --- Another related idea is IdP initiated logout where you log out of the IdP and you want the user logged out of all the systems they used the IdP to log into. But that's a different challenge. I also haven't had any call for that really, so no plans to work on it. If only I had more time/money... -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org