Feature Request
Resolution: Done
1. Proposed title of this feature request
Ability to logout from OKTA session when logging out from OpenShift
2. What is the nature and description of the request?
When the user clicks the "logout" button in OpenShift, the OpenShift token is invalidated and, if logoutRedirect is configured in the Console, the user is redirected to the logout page. This process does not invalidate the Okta session, so when the user opens the console page again they are automatically redirected to the Console Dashboard, already authenticated (the same behaviour described in [2] when logoutRedirect is not provided).
There is an option to invalidate the Okta tokens by pointing logoutRedirect at the Okta logout endpoint described in [1], but that endpoint requires "id_token_hint" as a URL parameter.
This currently doesn't work because you can't provide dynamic (user/session-specific) parameters in the logoutRedirect.
This RFE requests the ability to set "id_token_hint" dynamically to the "id_token" from the OpenID JWT that Okta issued when the user logged in.
3. Why does the customer need this? (List the business requirements here)
Customer wants this scenario:
- login to OpenShift through Okta (Okta is the single IDP configured)
- the user is redirected to the Okta authentication page
- once the user is authenticated, they are redirected back to the oauth url
- oauth redirects the user to the Console Dashboard
- the user clicks on the Logout page
- the user's token from OCP is invalidated
- the user is redirected to the logoutRedirect, which is configured to the Okta logout
- Okta invalidates the token from the Okta session (for the specific client-id used for OpenShift)
- Okta redirects the user to the OpenShift console (which redirects to the OpenShift oauth -> redirects back to Okta)
For the last step to work, the Console "logoutRedirect" needs to be configured with "id_token_hint" (required) and "post_logout_redirect_uri" (optional).
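The following is an added illustration, not code from OpenShift or Okta, of what "filling in id_token_hint per session" means in practice: the statically configured logoutRedirect (the Okta logout endpoint from [1]) is combined at logout time with the id_token the user received at login. The Okta tenant host, the console URL and the id_token value below are constructed placeholders; BuildLogoutRedirect and looksLikeJWT are hypothetical helper names. The helper refuses a non-https endpoint and a hint that is not shaped like a compact JWT, since a malformed hint would make Okta reject the logout and leave the session alive, which is exactly the failure mode this RFE describes.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Parameter names of the Okta OIDC /logout endpoint referenced in [1].
const (
	IDTokenHintParam        = "id_token_hint"
	PostLogoutRedirectParam = "post_logout_redirect_uri"
)

// looksLikeJWT checks that a token has the three non-empty, base64url-encoded
// segments of a compact JWS (header.payload.signature). It does not verify the
// signature; the point is only to avoid sending garbage as id_token_hint.
func looksLikeJWT(tok string) bool {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return false
	}
	for _, p := range parts {
		if p == "" {
			return false
		}
		for _, c := range p {
			isB64URL := (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
				(c >= '0' && c <= '9') || c == '-' || c == '_'
			if !isB64URL {
				return false
			}
		}
	}
	return true
}

// BuildLogoutRedirect takes the statically configured logoutRedirect (the Okta
// logout endpoint, possibly already carrying query parameters), the id_token
// from the user's login, and an optional post-logout URI, and returns the
// per-session logout URL with id_token_hint filled in.
func BuildLogoutRedirect(logoutRedirect, idToken, postLogoutURI string) (string, error) {
	u, err := url.Parse(logoutRedirect)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", errors.New("logoutRedirect must use https: the id_token is sent in the URL")
	}
	if !looksLikeJWT(idToken) {
		return "", errors.New("id_token is not a compact JWT; Okta would reject the logout")
	}
	q := u.Query()
	q.Set(IDTokenHintParam, idToken)
	if postLogoutURI != "" {
		q.Set(PostLogoutRedirectParam, postLogoutURI)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed sample id_token (not a real token): header.payload.signature.
	const sampleIDToken = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2ln"
	// Placeholder tenant and console URLs.
	out, err := BuildLogoutRedirect(
		"https://dev-000000.okta.com/oauth2/v1/logout",
		sampleIDToken,
		"https://console.example.com/",
	)
	fmt.Println(out, err)
}
```

The static logoutRedirect stays as it is configured today; only the two query parameters are appended per request, so the same helper works whether or not the operator already put post_logout_redirect_uri into the configured value.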
4. List any affected packages or components.
- authentication
- oauth
- user.openshift.io api
[1] https://developer.okta.com/docs/reference/api/oidc/#logout
[2] https://access.redhat.com/solutions/4349271