Posted to dev@qpid.apache.org by "Rob Godfrey (JIRA)" <ji...@apache.org> on 2016/02/12 00:35:18 UTC

[jira] [Commented] (QPID-7062) Poor logout experience when using Oauth2 authentication mechanism for management

    [ https://issues.apache.org/jira/browse/QPID-7062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15143700#comment-15143700 ] 

Rob Godfrey commented on QPID-7062:
-----------------------------------

Agree adding a logout URL that can be found via the HttpRequestInteractiveAuthenticators makes sense.

And yeah - we should do something about the login page - I guess we could actually write a HttpRequestInteractiveAuthenticators for username/password authentication managers and have it render the login page somehow...

> Poor logout experience when using Oauth2 authentication mechanism for management
> --------------------------------------------------------------------------------
>
>                 Key: QPID-7062
>                 URL: https://issues.apache.org/jira/browse/QPID-7062
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Keith Wall
>
> If I configure OAuth2 and use a provider such as CloudFoundry, when I go to log out of the Qpid Web Management Console I get caught in a loop, giving the impression that the logout function is broken and leaving no means of escape without closing the window/tab or typing an address.
> # The logout button directs the browser to /logout.
> # Web Management invalidates the Session.
> # Redirects to /management (odd - this should have been retired)
> # Oauth2InteractiveAuthenticator redirects to the authenticate endpoint (CloudFoundry)
> # CloudFoundry redirects back to the Web Management Console, starting a new session.
> The experience is similar in Google except I see Google's "Request for permission" page after logout before the loop starts again.
> Perhaps the LogoutServlet should ask the HttpRequestInteractiveAuthenticators for a logout link?  In the case of Oauth2, the plugin could then provide a configurable link.
> I also notice that when using OAuth2, the /login page is still live, but completely redundant/confusing.  


