vincbeck commented on issue #48787: URL: https://github.com/apache/airflow/issues/48787#issuecomment-3164620378
> We've observed this issue as well where the redirect to the login page + our automated login flow negates the prior logout. We were able to fix that by overriding the get_url_logout method so that it redirected to a static HTML page rather than the login page.

The way the logout works in Airflow is: when you click on logout in the UI, Airflow deletes the local storage containing the JWT token. Then, the user gets redirected to the [logout URL](https://github.com/apache/airflow/blob/3.0.3/airflow-core/src/airflow/api_fastapi/core_api/routes/public/auth.py#L46-L57). This logout endpoint redirects the user to the logout URL provided by the auth manager if provided. If your auth manager uses an external resource such as a cookie which needs to be invalidated during the logout, you then need to create an endpoint on the auth manager side and the user will be redirected to this endpoint on logout. This is how `FabAuthManager` works. If your auth manager does not provide such an endpoint, then the user is simply redirected to the login page.

If your auth manager automatically logs in the user at login (with no form etc), then yes, the logout will look as though it did not work, but since your auth manager automatically logs in your users, I do not know what should be the appropriate behavior?

> However, we've been trying to figure out the best approach for deleting / invalidating the cookie when a user intentionally logs out. Is there an expected / recommended way to handle the token invalidation? I can't seem to find where or how the cookie ends up being stored. Per the current [Auth manager doc](https://airflow.apache.org/docs/apache-airflow/3.0.3/core-concepts/auth-manager/index.html#jwt-token-management-by-auth-managers)

You mean the cookie handled by Airflow or another cookie your auth manager is using? If it is the former, you should not take care of invalidating the cookie handled by Airflow; Airflow does it itself (unless there is a bug?).

I hope that helps :)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
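
An added example of the flow described in the comment above, not code from Airflow, `FabAuthManager`, or anyone in the thread: a standard-library Python handler for a logout endpoint on the auth manager side that revokes the session server-side, expires the auth manager's own cookie, and redirects to a static page instead of the login page. The cookie name, paths and `SessionStore` are hypothetical, and it assumes the auth manager's `get_url_logout` returns the URL of this endpoint.

```python
from http.cookies import SimpleCookie

# Hypothetical names: none of these come from Airflow or the issue thread.
SESSION_COOKIE = "authmgr_session"      # cookie owned by the custom auth manager
COOKIE_PATH = "/"                       # must match the Path used when it was set
LOGGED_OUT_PAGE = "/auth/logged-out.html"  # static page, not the login page


class SessionStore:
    """Server-side session table, so logout revokes the session itself."""

    def __init__(self):
        self._active = {}

    def create(self, session_id, user):
        self._active[session_id] = user

    def lookup(self, session_id):
        return self._active.get(session_id)

    def revoke(self, session_id):
        return self._active.pop(session_id, None) is not None


def expired_cookie_header(name, path):
    """Build a Set-Cookie value that makes the browser drop the cookie."""
    cookie = SimpleCookie()
    cookie[name] = ""
    cookie[name]["path"] = path
    cookie[name]["max-age"] = 0
    cookie[name]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = True
    cookie[name]["samesite"] = "Lax"
    return cookie[name].OutputString()


def handle_logout(cookie_header, store):
    """Return (status, headers) for the auth manager's logout endpoint."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(SESSION_COOKIE)
    if morsel is not None:
        store.revoke(morsel.value)  # a replayed copy of the cookie is now useless
    return 303, [
        ("Set-Cookie", expired_cookie_header(SESSION_COOKIE, COOKIE_PATH)),
        ("Location", LOGGED_OUT_PAGE),  # avoids the auto-login re-authenticating
        ("Cache-Control", "no-store"),
    ]
```

The expiring `Set-Cookie` only removes the cookie if its `Path` (and `Domain`, when one was set) match the values used when the cookie was issued.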