Bug 979273 - [RFE] Don't show logout link when logging out is not supported
Product: Beaker
Classification: Community
Component: web UI
Severity: medium
Assigned To: beaker-dev-list
: FutureFeature, Reopened
Reported: 2013-06-28 02:46 EDT by wangjing
Modified: 2018-02-05 19:41 EST
Doc Type: Enhancement
Last Closed: 2017-01-11 21:40:51 EST
Type: Bug
Description wangjing 2013-06-28 02:46:46 EDT
Description of problem:
Clicking the logout link should actually log out.

Version-Release number of selected component (if applicable):
beaker-devel Version - 0.13.1

How reproducible:

Steps to Reproduce:
1. Click the logout link.
2. Click the login link.

Actual results:
You will see that the former account logs in automatically; clicking logout does not actually log out. We should clear cookies and close the browser, then it works.

Expected results:
It should log out without clearing cookies and closing the browser.

Additional info:
Comment 1 Nick Coghlan 2013-06-30 19:35:33 EDT
This is a limitation of the way browsers handle Kerberos - once the browser has loaded the user's Kerberos ticket, it will supply it automatically in response to any later requests for authentication from Beaker.
Comment 2 wangjing 2013-07-08 06:09:26 EDT
Maybe it is not very important, but this 'logout' has been really confusing many times, and other projects which also use Kerberos tickets, like TCMS, have no 'logout' on the web, so I'd like to change this bug to an RFE just for the record.
Comment 4 Dan Callaghan 2017-01-11 21:40:51 EST
Logging out does have an effect (it deletes the existing authentication token) even when Beaker is configured to use Kerberos authentication, and the "Logout" link does have that desired effect. So there is really no bug here. It is beneficial to still show the logout link under some circumstances (for one thing, to test the web UI behaviour without an authenticated session) so I don't think we should conditionally hide it.

Reading between the lines in comment 0 it seems like the request is actually to be able to click Login and then *not* have the browser automatically authenticate using your Kerberos ticket, but rather prompt for credentials (presumably for testing under other accounts or such). But the entire point of Kerberos ticket authentication is that there is no authentication prompt. If you want an authentication prompt, the right answer is to either disable Kerberos negotiation in the browser, or just kdestroy so that there is no valid Kerberos ticket.

There is no way for the Logout link in Beaker to somehow trigger kdestroy, nor would it even make sense or be desirable to do that.
Comment 5 Dan Callaghan 2017-01-11 21:44:18 EST
Steps to reproduce, on a Beaker instance configured to use Kerberos:
1. kinit
2. In a new browser session, open Beaker: you are not authenticated, the menu shows "Log in"
3. Click "Log in": browser authenticates you without prompting using your Kerberos ticket
4. kdestroy
5. Click around in Beaker: you will see that you are still authenticated due to the authentication token stored in a cookie
6. Click "Log out": authentication token is cleared, now you are logged out
7. Click "Log in" again: prompted for authentication because there is no Kerberos ticket

Step 6 in this process illustrates that the Logout link does actually do something useful.
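
The two behaviours discussed in this bug (silent re-login in comment 0, and the steps in comment 5) can be replayed against a small model. This is an added example, not Beaker's code: `ToyServer`, `ToyBrowser`, the `auth_token` cookie name, the server-side token table and the principal `alice@EXAMPLE.COM` are all hypothetical, and the Kerberos negotiation is reduced to "the browser has a ticket or it does not".

```python
import secrets

class ToyServer:
    """Hypothetical web app: Kerberos (Negotiate) login plus a token cookie."""
    def __init__(self):
        self.tokens = {}  # token -> principal (assumed server-side table)

    def whoami(self, cookies):
        return self.tokens.get(cookies.get("auth_token"))

    def login(self, cookies, principal):
        # principal is what the browser's Negotiate response proves,
        # or None when the browser has no ticket to offer.
        if principal is None:
            return "prompt"  # browser has to ask the user for credentials
        token = secrets.token_hex(16)
        self.tokens[token] = principal
        cookies["auth_token"] = token
        return "authenticated"

    def logout(self, cookies):
        # Clear the token on both sides; the Kerberos ticket is untouched.
        self.tokens.pop(cookies.pop("auth_token", None), None)

class ToyBrowser:
    """Browser plus the user's ticket cache (kinit/kdestroy act on it)."""
    def __init__(self, server):
        self.server, self.cookies, self.ticket = server, {}, None
    def kinit(self, principal): self.ticket = principal
    def kdestroy(self): self.ticket = None
    def user(self): return self.server.whoami(self.cookies)
    def click_login(self): return self.server.login(self.cookies, self.ticket)
    def click_logout(self): self.server.logout(self.cookies)

def replay(kdestroy_before_logout):
    b = ToyBrowser(ToyServer())
    b.kinit("alice@EXAMPLE.COM")      # step 1 (constructed principal)
    before = b.user()                 # step 2: not authenticated yet
    first = b.click_login()           # step 3: ticket used, no prompt
    if kdestroy_before_logout:
        b.kdestroy()                  # step 4
    still = b.user()                  # step 5: cookie token still valid
    b.click_logout()                  # step 6: token cleared
    after = b.user()
    second = b.click_login()          # step 7
    return [before, first, still, after, second]

if __name__ == "__main__":
    print("comment 5:", replay(True))
    print("comment 0:", replay(False))
```

With the ticket destroyed, the second login ends in a prompt; with the ticket still present, the second login succeeds silently even though the logout in between did clear the token.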
