Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1954744

Summary: User logout action from OpenShift console uses logoutRedirect URL for all identityProviders
Product: OpenShift Container Platform
Reporter: Hradayesh Shukla <hshukla>
Component: Management Console
Assignee: Jon Jackson <jonjacks>
Status: CLOSED NOTABUG
QA Contact: Yadan Pei <yapei>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.7
CC: aos-bugs, jokerman, spadgett
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-04 15:26:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Hradayesh Shukla 2021-04-28 17:48:24 UTC
Description of problem:
- User logout action from OpenShift console uses logoutRedirect URL for all identityProviders when more than one identityProvider is used.


Version-Release number of selected component (if applicable):
OCP 4.7 


How reproducible:
100% 


Steps to Reproduce:
1. OCP has 2 identityProviders [OpenID and LDAP (Active Directory)]
2. Configure the logoutRedirect URL for the OpenID identityProvider as explained in this doc [1] to perform single logout from the SSO session as well as from OCP logout.
3. Log in using a user authenticated against Active Directory. When this user logs out, the request is sent to the logoutRedirect URL.


[1] https://docs.openshift.com/container-platform/4.7/web_console/configuring-web-console.html#web-console-configuration_configuring-web-console  


Actual results:
- Logout action is redirected to logoutRedirect URL for all identityProviders instead of OpenID. 


Expected results:
- Other IdentityProviders are not redirected to logoutRedirect URL. 


Additional info:

Comment 1 Jon Jackson 2021-04-29 16:05:10 UTC
This came in late in the sprint, haven't had a chance to investigate yet.

Comment 2 Samuel Padgett 2021-05-04 15:26:19 UTC
Hi, hshukla. Can you open this as an RFE in JIRA?

We understand the use case and agree there's a need for this. The current API as designed sets the logout redirect for all console users regardless of IDP, however. We'd need to work with the auth team to create a new API for specifying a redirect per IDP. Currently the console has no way to know what IDP the user logged in using since that is managed by the OAuth server.

Comment 3 Hradayesh Shukla 2021-05-04 15:43:06 UTC
Sounds good to me, Samuel, I'll open an RFE. I felt this was a flaw, hence I opened a BZ.

Thanks.
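
The behaviour described in Comment 2, as an added example that is not part of the original bug thread: the console's single `spec.authentication.logoutRedirect` sits in a different resource from the OAuth server's `spec.identityProviders`, so a cluster audit can list which IDPs' users are sent to the SSO logout URL without having an SSO session. The resource contents, the IDP names, the URL and the function `logout_redirect_scope` are constructed for illustration.

```python
# Constructed samples shaped like the JSON of the cluster-scoped
# console.config.openshift.io and oauth.config.openshift.io resources
# (both named "cluster"). IDP names and the URL are made up.
CONSOLE = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "Console",
    "metadata": {"name": "cluster"},
    # One cluster-wide value: there is no per-IDP field to set.
    "spec": {"authentication": {"logoutRedirect": "https://sso.example.com/logout"}},
}
OAUTH = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "OAuth",
    "metadata": {"name": "cluster"},
    "spec": {"identityProviders": [
        {"name": "corp-sso", "type": "OpenID", "mappingMethod": "claim"},
        {"name": "corp-ad", "type": "LDAP", "mappingMethod": "claim"},
    ]},
}


def logout_redirect_scope(console, oauth, intended_types=("OpenID",)):
    """Return (logoutRedirect URL, names of IDPs that get it unintentionally).

    intended_types is a hypothetical parameter: the IDP types whose users
    the operator actually wants sent to the SSO logout endpoint.
    """
    auth = console.get("spec", {}).get("authentication") or {}
    redirect = auth.get("logoutRedirect") or ""
    if not redirect:
        return "", []  # console falls back to its default logout behaviour
    idps = oauth.get("spec", {}).get("identityProviders") or []
    # The console cannot tell which IDP a session came from, so every
    # configured IDP is in scope; report the ones outside intended_types.
    unintended = [i["name"] for i in idps if i.get("type") not in intended_types]
    return redirect, unintended


if __name__ == "__main__":
    url, affected = logout_redirect_scope(CONSOLE, OAUTH)
    print(f"logoutRedirect={url!r} also applies to: {affected}")
```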