Support regular OIDC logout from the central dashboard #57
Comments
I don't have much understanding of ideally how the logout flow should work on OIDC, but am for sure in favor of any effort to untangle it from the AuthService. @AndersBennedsgaard do you have enough expertise to describe a numbered list of steps of how the logic should work in this case?
Sorry, no, I am definitely not an expert in this field. But having read the KeyCloak documentation on it, it sounds like RP-Initiated Logout is the solution we want. It sounds like when the user clicks the "Log out" button you just redirect the browser to the logout URL, and the authentication backend handles the rest of the flow, which would be very simple to implement in the central dashboard. If we want to be backwards compatible with the current functionality, we could add another environment variable
/transfer dashboard
@AndersBennedsgaard: The label(s) In response to this:
Is someone working on this?
@skeswani wani, I think there were some recent changes. Can you retest with the kubeflow/manifests master branch?
/kind feature
Why you need this feature:
Currently the central dashboard makes hard assumptions about it using https://github.com/arrikto/oidc-authservice. There is some talk about changing Kubeflow to use the OAuth2 proxy instead, but as explained here, this causes issues with logging out through the central dashboard, since redirects after clicking the logout button are based on the `afterLogoutURL` key response, which is not part of the OIDC protocol. Therefore, you have to manually refresh the page in order to redirect to the Kubeflow home page again when using OIDC-compliant tools.
Describe the solution you'd like:
Instead of assuming usage of the `oidc-authservice`, we should support regular OIDC logout, where we directly redirect the browser to the logout URL instead of just a simple POST to the authservice.
The KeyCloak documentation explains how this should be done quite well: https://www.keycloak.org/docs/latest/server_admin/#_oidc-logout
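The redirect-based logout requested above, sketched as an added example (not code from this issue or from the Kubeflow dashboard). It builds the URL the browser is sent to, using the parameter names from the OpenID Connect RP-Initiated Logout 1.0 specification; the function name, option names, hosts and token value are hypothetical or constructed.

```javascript
// Constructed sample of provider discovery metadata; a real client reads it
// from the issuer's /.well-known/openid-configuration document.
const sampleMetadata = {
  issuer: 'https://idp.example.com/realms/kubeflow',
  end_session_endpoint:
    'https://idp.example.com/realms/kubeflow/protocol/openid-connect/logout',
};

// Hypothetical helper: returns the URL to navigate the browser to on "Log out".
function buildLogoutUrl(metadata, opts) {
  const { idToken, clientId, postLogoutRedirectUri, state, dashboardOrigin } = opts;
  if (!metadata.end_session_endpoint) {
    throw new Error('provider does not advertise end_session_endpoint');
  }
  const url = new URL(metadata.end_session_endpoint);
  // The ID token travels in the query string, so refuse a non-TLS endpoint.
  if (url.protocol !== 'https:') {
    throw new Error('end_session_endpoint must use https');
  }
  // id_token_hint tells the provider which session to end; client_id is the
  // fallback when the dashboard no longer holds the ID token.
  if (idToken) {
    url.searchParams.set('id_token_hint', idToken);
  } else if (clientId) {
    url.searchParams.set('client_id', clientId);
  }
  if (postLogoutRedirectUri) {
    if (!idToken && !clientId) {
      throw new Error('post_logout_redirect_uri needs id_token_hint or client_id');
    }
    // Only return the user to the dashboard itself; the provider must also
    // have this URI registered for the client.
    if (new URL(postLogoutRedirectUri).origin !== dashboardOrigin) {
      throw new Error('post_logout_redirect_uri is outside the dashboard origin');
    }
    url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
    // state is echoed back on the return redirect so the dashboard can match it.
    if (state) url.searchParams.set('state', state);
  }
  return url.toString();
}

// In the browser: window.location.assign(buildLogoutUrl(metadata, options));
```

Unlike the POST to the authservice, nothing in this flow depends on a response body: the provider ends the session and redirects the browser back itself.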