Bug 1619479 - Couldn't re-login to kibana after logout from kibana web console.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.3.0
Assignee: Jeff Cantrill
QA Contact: Anping Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-08-21 02:24 UTC by Qiaoling Tang
Modified: 2020-01-23 11:04 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The oauth-proxy is misconfigured.
Consequence: Trying to log in again after logout is unsuccessful.
Fix: Remove the -skip-provider-button from the config.
Result: Users can log in again after logout.
Clone Of:
Environment:
Last Closed: 2020-01-23 11:03:45 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-logging-operator pull 284 | 0 | 'None' | closed | Bug 1619479: Remove Kibana oauth-proxy param to allow re-login | 2021-01-21 21:23:21 UTC
Red Hat Product Errata | RHBA-2020:0062 | 0 | None | None | None | 2020-01-23 11:03:59 UTC

Comment 2 Mo 2018-08-23 01:24:34 UTC
Matt, PTAL.

Comment 3 Junqi Zhao 2018-11-27 05:37:44 UTC
Same issue for logging on ded-int-aws environment

Comment 4 Robert Sandu 2019-03-27 09:23:29 UTC
Hi all.

I'm seeing this same issue on 3 different clusters, with 3.11.88 and 3.11.82 versions. I'm not getting any error in the Chrome DevTools, but I'm getting the same oauth login loop after logging out from Kibana console.

If I logout and try to login again, the login loop happens. However, when opening up another (incognito) browser window, the Kibana console login works just fine.

Any known workaround of this behavior?

Comment 6 Jeff Cantrill 2019-03-28 14:48:18 UTC
Any chance these fixes [1] may resolve this issue?

https://github.com/openshift/cluster-logging-operator/pull/127/files#diff-5ff1cbe659b99e0e73d8ba484249c27cR463

Comment 9 Robert Sandu 2019-07-29 12:27:28 UTC
(In reply to Jeff Cantrill from comment #6)
> Any chance these fixes [1] may resolve this issue?
> 
> https://github.com/openshift/cluster-logging-operator/pull/127/files#diff-5ff1cbe659b99e0e73d8ba484249c27cR463

Hi Jeff.

I've tested the login in 4.1.7, but when I login, logout and try to login again, I'm getting ERR_TOO_MANY_REDIRECTS error in Chrome. I'll attach the .har files with the HTTP request made both for the login and logout.

Comment 21 Jeff Cantrill 2019-08-30 14:57:06 UTC
Pushing this off to 4.3 as this is not a blocker. It is possible to work around by pasting the route back into the browser, which loads the page correctly.

Comment 22 Jeff Cantrill 2019-11-06 01:03:17 UTC
@Ben,

There is something wrong with the logout workflow.

* The link from kibana is using the 'sign_in' endpoint which was documented as valid for sign out: [1]

/oauth/sign_in - the login page, which also doubles as a sign out page (it clears cookies) 

* The code actually says there is a 'sign_out' endpoint which redirects you to '/' once it clears the cookies

func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request) {
    p.ClearSessionCookie(rw, req)
    http.Redirect(rw, req, "/", 302)
}

The result of this action is to take you back into the application, which is successful, but you are already authenticated, negating the 'sign out'.


[1] https://github.com/openshift/oauth-proxy#endpoint-documentation


Shouldn't the oauth-proxy component owner be responsible for fixing this? It is not isolated to cluster logging.
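
Added example (not part of the bug report, and not code from oauth-proxy or cluster-logging-operator): a toy Go proxy that reproduces the negated sign-out described in comment 22, with and without the -skip-provider-button setting named in the Doc Text. The cookie name, the user, the 403 sign-in page and the /oauth/start shortcut standing in for the identity provider (assumed to still hold its own session) are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
)

// newProxy is a toy proxy for illustration (hypothetical, not oauth-proxy code).
// Cookie name, user and the 403 sign-in page are assumptions of this sketch.
func newProxy(skipProviderButton bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session")
		switch {
		case r.URL.Path == "/oauth/sign_out": // same shape as the quoted SignOut
			http.SetCookie(w, &http.Cookie{Name: "session", Path: "/", MaxAge: -1})
			http.Redirect(w, r, "/", http.StatusFound)
		case r.URL.Path == "/oauth/start": // assumed: provider session still live, no prompt
			http.SetCookie(w, &http.Cookie{Name: "session", Value: "alice", Path: "/"})
			http.Redirect(w, r, "/", http.StatusFound)
		case err == nil && c.Value != "":
			fmt.Fprint(w, "app") // valid session: serve the application (200)
		case skipProviderButton:
			http.Redirect(w, r, "/oauth/start", http.StatusFound) // no sign-in page
		default:
			http.Error(w, "sign-in page", http.StatusForbidden) // waits for a click
		}
	})
}

// AfterSignOut logs in, follows the sign-out link, and returns the final HTTP status.
func AfterSignOut(skipProviderButton bool) (code int) {
	srv := httptest.NewServer(newProxy(skipProviderButton))
	defer srv.Close()
	jar, _ := cookiejar.New(nil)
	client := &http.Client{Jar: jar}
	for _, path := range []string{"/oauth/start", "/oauth/sign_out"} {
		resp, err := client.Get(srv.URL + path)
		if err != nil {
			return -1
		}
		code = resp.StatusCode
		resp.Body.Close()
	}
	return code
}

func main() { fmt.Println(AfterSignOut(true), AfterSignOut(false)) }
```

With the flag set, the redirect to "/" after sign-out goes straight back through the provider and the browser ends on the application (200) with a fresh session; without it, the browser stops at the sign-in page (403) until the user chooses to log in.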

Comment 25 Qiaoling Tang 2019-11-11 02:21:05 UTC
Verified with ose-cluster-logging-operator-v4.3.0-201911081316

Comment 27 errata-xmlrpc 2020-01-23 11:03:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062

