Make the logout button actually log out #24
Conversation
herglotzmarco
commented
Dec 20, 2024
herglotzmarco
commented
- Nexus has automatic session creation turned off and solely relies on the login dialog POSTing to SessionServlet for session creation
- We never have a login dialog, so this does not happen, thus we turn on automatic session creation when our token factory is used
- Oauth2 proxy has a "skip_jwt_bearer_tokens" flag that makes it accept, validate and process a sent jwt token instead of requesting its own
- It still adds all necessary headers, but also forwards the Auth header which made our token factoy refuse the operation before
- By doing this, the logout button actually works, destroying the user session and triggering a logout event we can listen for
- When this event triggers, we perform backchannel logout via oauth proxy, which can then backchannel logout from the IDP
- This logout requires page reload to not leave Nexus in an invalid state, however the logout call refuses to follow any kind of redirect so a kinda hacky solution in the frontend is necessary
- We use javascript document observers to heuristically guess when logout occured and thus a page refresh should be triggered
- Nexus has automatic session creation turned off and solely relies on the login dialog POSTing to SessionServlet for session creation - We never have a login dialog, so this does not happen, thus we turn on automatic session creation when our token factory is used - Oauth2 proxy has a "skip_jwt_bearer_tokens" flag that makes it accept, validate and process a sent jwt token instead of requesting its own - It still adds all necessary headers, but also forwards the Auth header which made our token factoy refuse the operation before - By doing this, the logout button actually works, destroying the user session and triggering a logout event we can listen for - When this event triggers, we perform backchannel logout via oauth proxy, which can then backchannel logout from the IDP - This logout requires page reload to not leave Nexus in an invalid state, however the logout call refuses to follow any kind of redirect so a kinda hacky solution in the frontend is necessary - We use javascript document observers to heuristically guess when logout occured and thus a page refresh should be triggered
|
First of all - Happy New Year! Thank you for yet another contribution and your patience with us reviewing it. This one is a little more complex, but definitely desirable to have. A few notes:
That's what I could see so far at least. I was able to make it beyond the unresolved hostname and I also managed to let nexus know it's behind a TLS-terminating proxy (so it must send requests using https to itself). I need to fiddle my CA into the nexus keystore yet, to make it beyond certificate validation and then I will probably see that what you've built works fine. P.S.: Nice explanatory comments in your code, by the way! P.P.S.: We recently gained one (that we know of) user using Authentik instead of OAuth2 Proxy. We don't officially support it, but this is an aspect that would break. It is not urgent to include that in this PR, but I guess it would make sense to make the logout URL configurable at some point. You can see how that works in |
|
Happy New Year to you as well :) To the exceptions: If you prefer to reduce exception message, I will do that. During my testing however, I learned to appreciate more detailed messages inlcuding stacktraces for tracking down failure reasons, e.g. I can take a look at configurability. I figured as the plugin is called oauth2-proxy-plugin that needs to be the only supported tool :D |
|
About formatting: There only is this, as far as I remember. @ChriFo introduced that. We are both not really active Java developers anymore and just use vscode with the java extension to work with it. From my old Java days I remember it was painful to even synchronize formatting between Eclipse and IntelliJ users, but maybe things improved. In the python world you have external linters that kind of fix that. They can be called on command line by every user of the project, independent of their IDE. Don't know if such thing exists in the Java universe nowadays. We are both fans of proper formatting. We are just not familiar with the tooling anymore and for sure don't wanna spin up a fat IDE like IntelliJ for such simple little project. 😅 About the exceptions: You certainly have a point there. Maybe catch the exception, log the message as error and the stacktrace as debug, so we both get what we want. In the normal case when everything is working, no one will see it, but if any user of the plugin has some misconfiguration in place (like not forwarding the header that informs about TLS termination to nexus) they get a lot of spam in the logs from users trying to logout. You are absolutely right about that this is mostly/only about OAuth2 Proxy. I was pleasantly surprised that Authentik can be used in place. Leaves the users with more choices. But we concentrate on supporting OAuth2 Proxy and only support others if it's a low hanging fruit. After all, the users of other solutions can also contribute if they need that. |
|
I have finished my local testing and apart from a bunch of CORS-related errors everything seems to work as expected. I would file an issue to log this at least. After all it is much better to have the logout working than not. I would test once more after you pushed the adjustments we talked about and then merge the PR. Edit: As far as I understand it, the CORS errors are due to Nexus SPA-related nature. They send a lot of requests all the time for things like telemetry or saying hi to Nexus and fetching some state. This fails right after the OAuth2 proxy session is gone with the effect that all the XHRequests are receiving redirects from OAuth2 Proxy due to lack of a valid session (its usual behavior to make the user login at the IdP). So during this transition all theses requests are doomed to fail until the actual login via IdP succeeded and the OAuth2 Proxy session is valid again. |
|
@herglotzmarco if you feel like you won't find time for the adjustments in the near future, I don't wanna keep you busy with my nitpicking. In that case I can just merge it and follow up on my own. I don't mean to make you hurry up. Just trying to get a feeling if I should do that or you will. ;) |
|
@tumbl3w33d sorry for not responding. I will absolutely take a look, but I am still on new years vacation ;) |
|
Would it be possible to add a variable that specifies the logout URL? In my case, with Authentik, the Proxy has its own logout URL |
|
@eirisdg yes, I am already working on it ;) |
@tumbl3w33d Adjustments are done. The CORS errors should by the way not really be visible on the UI but only in the network console right? At least the frontend javascript parts I included should reload the page pretty much right after the logout was finished, meaning OAuth2 Proxy would immediately redirect to the IDP login mask, ideally before any of the errors can pop up on the UI. At least for me this is working fine. Only thing I observed: Nexus seems to ship all frontend javascript stuff with caching headers enabled, so might be you have to force reloading/cache clearing in your browser for those changes to take effect. |
Yep, we noticed in #27 yesterday. 😁
Right. Will test once more today and merge then. Thank you for the adjustments! |
|
Nice approach with configuring the URL via capability! |
