Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2016/11/13 15:33:58 UTC

[jira] [Commented] (KNOX-744) Logout for KnoxSSO WebSSO API

    [ https://issues.apache.org/jira/browse/KNOX-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15661654#comment-15661654 ] 

Larry McCay commented on KNOX-744:
----------------------------------

There is an unexpected challenge for this issue. It would be ideal to just add an additional API to the existing KNOXSSO service. 

Unfortunately, the separation of provider chains and API methods and the topology-managed authentication providers is currently requiring the call to logout to be authenticated.

Out of the box, the form-based IdP is used, which expects basic credentials to be presented; otherwise it redirects to the form for authentication. While we could attempt to short-circuit that behavior within the ShiroProvider, it would still be a problem for other providers used to protect the API - such as pac4j with Okta/SAML.

We have encountered similar issues in the past with the Admin API. The API to get the Knox version shouldn't require authentication but it is affected by the same issue.

In the near term, I have created a new service called KNOXSSOUT which will need to be put into a separate topology with the Anonymous authentication provider.

Again, this is less than ideal but any alternative that I can think of would require much more complexity than is justifiable. If anyone has other thoughts they would be appreciated.

> Logout for KnoxSSO WebSSO API
> -----------------------------
>
>                 Key: KNOX-744
>                 URL: https://issues.apache.org/jira/browse/KNOX-744
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 0.11.0
>
>
> WebSSO needs to expose a method to "logout" of a KnoxSSO session. This simply means that the hadoop-jwt cookie be removed. Any other application level sessions will need to be managed by the application itself.
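As an added illustration (not part of the original comment and not a file shipped with Knox), the following is a Knox topology of the kind the comment describes: the KNOXSSOUT service deployed on its own, fronted by the Anonymous authentication provider so the logout call is never challenged for credentials. The file name, the identity-assertion provider entry and the comments are assumptions made for this example.

```xml
<!-- Assumed file name: {GATEWAY_HOME}/conf/topologies/knoxssout.xml (example, not Knox's own) -->
<topology>
    <gateway>
        <!-- Anonymous: no login form, no basic-auth challenge. This is the
             provider the comment proposes so that calling logout is not
             itself an authenticated request. -->
        <provider>
            <role>authentication</role>
            <name>Anonymous</name>
            <enabled>true</enabled>
        </provider>
        <!-- Assumed: the default identity-assertion provider, as in other
             Knox topologies. -->
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>

    <!-- The new KNOXSSOUT service from the comment. Because this topology is
         deliberately unauthenticated, the service should do nothing beyond
         expiring the hadoop-jwt cookie that the issue description says
         constitutes a KnoxSSO logout. -->
    <service>
        <role>KNOXSSOUT</role>
    </service>
</topology>
```

Keeping KNOXSSOUT in its own topology, rather than in the existing KNOXSSO topology, is exactly the trade-off the comment makes: the knoxsso topology keeps its real authentication provider (ShiroProvider, pac4j, etc.) for the WebSSO login path, while the logout endpoint lives where anonymous access is the only thing granted.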



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)