[Koha-bugs] [Bug 18549] New: There should be a warning that logging out of Koha will leave browser session logged in to OAuth

bugzilla-daemon at bugs.koha-community.org
Fri May 5 12:10:03 CEST 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18549

            Bug ID: 18549
           Summary: There should be a warning that logging out of Koha
                    will leave browser session logged in to OAuth
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5 - low
         Component: Authentication
          Assignee: gmcharlt at gmail.com
          Reporter: nick at bywatersolutions.com
        QA Contact: testopia at bugs.koha-community.org
                CC: dpavlin at rot13.org

From bug 16892

Nick:
For CAS we have casLogout - can we have something similar here? I think it is
disconcerting if a patron signs in via Google, signs out of Koha and walks away
leaving their Google auth intact unintentionally.

Mark:
This is the problem. If you have multiple tabs, let's say Gmail in one, and
Koha in the other. If Koha does a forced logout, then your Gmail tab will be
affected.

This is the problem that is widely known. I was thinking of actually doing
another bug to drop-down choose what kind of log out.

Martin:
A federated logout is actually pretty rare in my experience, though it is
possible. 

As you say Mark, it 'feels' strange to the user that logging out of seemingly
unrelated apps can have the knock-on effect of logging out apps in other tabs
that happen to share an OAuth2 OpenID Connect identity provider.

On a related note, I'm not sure I saw any code our end to support such a
federated logout triggered by another service in our end either... but perhaps
I missed it ;)

Nick:
Perhaps if OAuth is activated just a note added that when you log out of Koha
you may still be logged in via Google?

I agree a user with many tabs open may not expect this, but a patron using a
shared machine in the library who signs in to place a hold or renew may never
visit their email or expect that they have signed in to that.

I think a pop-up when logging out to say "Hey, you are logged in to Google, and
they know lots of stuff about you" wouldn't hurt, who can say if it would help
:-)

Mark:
Perhaps this type of discussion should happen on another bug report, as this
bug has nothing to do with logging out. :)

Also, yes, some sort of warning should be displayed, somewhere, somehow.

Nick:
It can happen here now :-)
