[ https://issues.apache.org/jira/browse/KNOX-571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15657384#comment-15657384 ]
Larry McCay commented on KNOX-571:
----------------------------------

I'm glad to see revived discussion on this JIRA. I think that there are a number of variations of UI authentication scenarios in play at the moment.

1. Some of the more feature-rich UIs have their own authentication mechanisms that can be extended to leverage KnoxSSO. These types of UIs generally have an explicit dependency on the passthrough or Anonymous authentication provider. These UIs manage their own application-specific sessions and cookies.
2. Other UIs have limited or no authentication mechanism of their own and can be fronted by KnoxSSO, HTTP Basic from Knox, etc. These UIs may or may not have their own application-specific sessions and cookies.
3. A few UIs may rely solely on the ability to use KnoxSSO as their authentication and session cookie.

*UI Specific Behaviors*

This provides some challenges in providing any sort of comprehensive logout. Logout in SSO is often problematic, actually.

For those UIs described in #1 above, we can provide a KnoxSSO logout API (or have the TTL of the token be relatively short-lived) that will remove or expire the KnoxSSO cookie but will not invalidate the application-specific session or remove related cookies. Once the application-specific session expires and there is no KnoxSSO cookie available, the user will be rechallenged for authentication and a new session created.

For UIs that fall into the #2 category, the same may or may not be true. For the subset that have no session cookies of their own and are being protected with the SSOCookieProvider, they will be rechallenged when the cookie is removed or expires.

Finally, for UIs described by #3, the expiration or removal of the KnoxSSO cookie will result in an immediate logout of that application but also the logout of other UIs as well - in fact, any UI that is dependent on the KnoxSSO cookie will be logged out.

*KnoxSSO Logout Behavior*

To make matters worse, the removal or expiration of the KnoxSSO cookie/session will generally result in a redirect back to the provider. Depending on the configured provider and the lifetime of its session with KnoxSSO, the user may be immediately logged back in. For instance, when using the pac4j provider for SAML-based authentication through Okta, the SAML/Okta session is still intact. Therefore, when a UI redirects back to KnoxSSO and KnoxSSO redirects back to Okta, the Okta cookies are found and verified and a new session is created without even challenging.

At the same time, logging out of a particular UI session shouldn't result in the logout of all Okta-protected applications that you are logged into. Therefore, we shouldn't try and mess with their cookies.

However, if the out-of-the-box form-based provider is being used instead of Okta, then the expiration of the KnoxSSO cookie/token will result in a new challenge.

*Conclusion*

I am not sure that I can rationalize a way to have a generic logout across all of these behavioral variations without:

1. stepping out of our area of responsibility and onto the toes of other applications/providers
2. requiring Knox-specific knowledge in the individual UIs
3. requiring UI-specific knowledge in Knox to add a logout link to only apps that don't have it, or to augment those that do already have it to include a call to Knox as well

I feel like this entire area needs to be fully thought through and maybe have a KIP page of its own. Then we can determine if it is worth pursuing and how best to get to the desired end state over time.
> UI Web pages should have a way to logout
> ----------------------------------------
>
> Key: KNOX-571
> URL: https://issues.apache.org/jira/browse/KNOX-571
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 0.7.0
> Environment: Redhat/Windows
> Reporter: Jeffrey E Rodriguez
> Fix For: Future
>
> Attachments: knox_logout_design.jpg
>
>
> UI using Knox as a proxy should have a way to define a logout so Browser to Knox session is invalidated and user is challenged for Authentication. This is a web security requirement to prevent session hijacking attacks.
>
> References
> https://www.owasp.org/index.php/Session_hijacking_attack
> https://owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-007%29

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)