
OpenID Connect logout does not log out of IdP on idp.wmcloud.org
Closed, Invalid · Public

Description

We are using OpenID Connect for authentication with idp.wmcloud.org on https://catalyst.wmcloud.org/. When we log out, we do see a request to the OpenID Connect logout endpoint (https://idp.wmcloud.org/oidc/oidcLogout, which we see indicated at https://idp.wmcloud.org/oidc/.well-known/openid-configuration), and we are redirected back to the login page. But, if we attempt to log in again, we are usually still logged in to the IdP, so we are immediately redirected back to the web site in a logged-in state.

Also, if we visit the OpenID Connect logout endpoint directly in our browser, it does say we are logged out of the IdP, but we are still not actually logged out (but I'm not sure if that's a good test).

Is it possible to coordinate to check the logs to see what is happening on the IdP side?

We're also seeing some odd interaction between idp.wmcloud.org and idp.wikimedia.org. If I visit https://idp.wmcloud.org/ and log in and then click the logout link, which takes me to https://idp.wmcloud.org/logout, I am then redirected to https://idp.wikimedia.org/logout. I'm not sure if this is significant.

Event Timeline

SLyngshede-WMF triaged this task as Medium priority.

So what's happening is exactly what is supposed to be happening.

idp.wmcloud.org simply delegates authorization to idp.wikimedia.org, which allows us to use the production LDAP without actually giving the cloud VMs access to LDAP directly.
When you sign out from Catalyst, what you're doing is invalidating the session you have with the IDP server, but it doesn't sign you out of idp.wmcloud.org, because that would also sign the user out of any other services that use the single sign-on.

When you then go to sign in to Catalyst again, you're already signed in to idp.wmcloud.org, which then just handles the issuing of tokens to Catalyst. Signing out of idp.wmcloud.org just redirects you to idp.wikimedia.org, as that's what's handling the actual authentication.

The sign-out in the openid-configuration is only there to invalidate sessions for a single application, not for signing out of the IDP.

Is this causing any particular issue for you? If so we're happy to see if there's a solution.

SLyngshede-WMF changed the task status from Open to In Progress. Feb 12 2024, 9:44 AM

Thank you, that makes perfect sense. And, we wouldn't want to log out of all services when we log out of Catalyst. I've seen this in many other environments, and I don't know why I was expecting it to be different for this environment. Thanks for the confirmation of the behavior!
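Added example (not code from the task, Catalyst or either IdP): a relying-party logout helper that builds the RP-initiated logout request from the discovery document, plus a `prompt=none` probe that reports whether the IdP's SSO session survived the logout, which is a more reliable check than visiting the logout endpoint by hand as the report above tried. Hostnames, client id, tokens and the discovery snippet are constructed placeholders; the field names are the standard OIDC Discovery keys.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed discovery document (not the real idp.wmcloud.org one);
# only the keys this example reads are included.
DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.org/oidc",
  "authorization_endpoint": "https://idp.example.org/oidc/oidcAuthorize",
  "end_session_endpoint": "https://idp.example.org/oidc/oidcLogout"
}""")


def build_rp_logout_url(discovery, id_token, post_logout_redirect_uri, state):
    """RP-initiated logout. The RP clears its own session cookie and sends the
    browser here; this ends the RP's login at the OP, but an SSO session held
    by an upstream IdP (the idp.wikimedia.org case in the thread) can survive."""
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        raise ValueError("provider does not advertise end_session_endpoint")
    params = {"id_token_hint": id_token,
              "post_logout_redirect_uri": post_logout_redirect_uri,
              "state": state}
    return endpoint + "?" + urlencode(params)


def build_session_probe_url(discovery, client_id, redirect_uri, state):
    """prompt=none asks the OP to answer without showing any UI: a code comes
    back only if an SSO session still exists, otherwise error=login_required."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid",
              "prompt": "none", "state": state}
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def idp_session_alive(callback_url, expected_state):
    """Interpret the redirect the OP sends back after the probe: True if a code
    was issued (session alive), False if the OP required a fresh login."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response is not for our request")
    if "code" in q:
        return True
    if q.get("error", [None])[0] in ("login_required", "interaction_required"):
        return False
    raise ValueError("unexpected probe response: %r" % q.get("error"))
```

Run the probe right after the logout redirect completes: a `code` in the callback means the SSO session is still alive, which is exactly the behaviour the reply above explains as intended.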