Red Hat Bugzilla – Bug 979273
[RFE] Don't show logout link when logging out is not supported
Last modified: 2018-02-05 19:41:31 EST
Description of problem:
clicking link logout should actually logout
Version-Release number of selected component (if applicable):
beaker-devel Version - 0.13.1
Steps to Reproduce:
1. click link logout.
2. click link login
you will see, the former account login automatically, actually when clicking logout it is not logout, we should clear cookies and close the browser, then it works.
it should logout without clearing cookies and closing browser.
This is a limitation of the way browsers handle Kerberos - once the browser has loaded the user's Kerberos ticket, it will supply it automatically in response to any later requests for authentication from Beaker.
maybe it is not very important, but this 'logout' is really confused many times, and other project which also uses Kerberos ticket has no 'logout' on the web, like TCMS, so I'd like to change this bug to one RFE for just recording.
Logging out does have an effect (it deletes the existing authentication token) even when Beaker is configured to use Kerberos authentication, and the "Logout" link does have that desired effect. So there is really no bug here. It is beneficial to still show the logout link under some circumstances (for one thing, to test the web UI behaviour without an authenticated session) so I don't think we should conditionally hide it.
Reading between the lines in comment 0 it seems like the request is actually to be able to click Login and then *not* have the browser automatically authenticate using your Kerberos ticket, but rather prompt for credentials (presumably for testing under other accounts or such). But the entire point of Kerberos ticket authentication is that there is no authentication prompt. If you want an authentication prompt, the right answer is to either disable Kerberos negotiation in the browser, or just kdestroy so that there is no valid Kerberos ticket.
There is no way for the Logout link in Beaker to somehow trigger kdestroy, nor would it even make sense or be desirable to do that.
Steps to reproduce, on a Beaker instance configured to use Kerberos:
2. In a new browser session, open Beaker: you are not authenticated, the menu shows "Log in"
3. Click "Log in": browser authenticates you without prompting using your Kerberos ticket
5. Click around in Beaker: you will see that you are still authenticated due to the authentication token stored in a cookie
6. Click "Log out": authentication token is cleared, now you are logged out
7. Click "Log in" again: prompted for authentication because there is no Kerberos ticket
Step 6 in this process illustrates that the Logout link does actually do something useful.