[ https://issues.apache.org/jira/browse/KNOX-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15661654#comment-15661654 ]
Larry McCay commented on KNOX-744:
----------------------------------
There is an unexpected challenge for this issue. It would be ideal to just add
an additional API to the existing KNOXSSO service.
Unfortunately, the separation of provider chains and API methods and the
topology-managed authentication providers is currently requiring the call to
logout to be authenticated.
Out of the box, the form-based IdP is used, which expects basic credentials to
be presented; otherwise it redirects to the form for authentication. While we
could attempt to short-circuit that behavior within the ShiroProvider, it would
still be a problem for other providers used to protect the API - such as pac4j
with Okta/SAML.
We have encountered similar issues in the past with the Admin API. The API to
get the Knox version shouldn't require authentication but it is affected by the
same issue.
In the near term, I have created a new service called KNOXSSOUT which will need
to be put into a separate topology with the Anonymous authentication provider.
Again, this is less than ideal, but any alternative that I can think of would
require much more complexity than is justifiable. If anyone has other thoughts,
they would be appreciated.
> Logout for KnoxSSO WebSSO API
> -----------------------------
>
> Key: KNOX-744
> URL: https://issues.apache.org/jira/browse/KNOX-744
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Fix For: 0.11.0
>
>
> WebSSO needs to expose a method to "logout" of a KnoxSSO session. This simply
> means that the hadoop-jwt cookie be removed. Any other application level
> sessions will need to be managed by the application itself.
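The deployment constraint described in the comment above can be checked mechanically. This is an added example, not code from the issue or from the Knox project. It assumes the usual topology XML layout (`gateway/provider` with `role`, `name`, `enabled`; `service/role`), builds constructed sample topologies with a hypothetical helper, and also flags other services sharing the anonymous topology, which is this example's reading of "separate topology".

```python
import xml.etree.ElementTree as ET

def sample_topology(auth_provider, *service_roles):
    """Build a constructed topology document for the demo (layout is assumed)."""
    services = "".join(
        "<service><role>%s</role></service>" % r for r in service_roles)
    return ("<topology><gateway><provider><role>authentication</role>"
            "<name>%s</name><enabled>true</enabled></provider></gateway>"
            "%s</topology>" % (auth_provider, services))

def check_topology(xml_text):
    """Return findings about how the KNOXSSOUT logout service is deployed."""
    root = ET.fromstring(xml_text)
    services = {s.findtext("role", "").strip() for s in root.iter("service")}
    # Names of the enabled authentication providers in this topology.
    auth = {p.findtext("name", "").strip() for p in root.iter("provider")
            if p.findtext("role", "").strip() == "authentication"
            and p.findtext("enabled", "true").strip().lower() == "true"}
    findings = []
    # Logout behind ShiroProvider, pac4j, etc. gets an authentication
    # challenge or redirect before the hadoop-jwt cookie can be removed.
    if "KNOXSSOUT" in services and "Anonymous" not in auth:
        findings.append("logout-requires-auth")
    # The anonymous topology should hold the logout service and nothing else.
    others = services - {"KNOXSSOUT"}
    if "Anonymous" in auth and others:
        findings.append("anonymous-exposes:" + ",".join(sorted(others)))
    return findings

if __name__ == "__main__":
    cases = {
        "sso (Shiro, both services)":
            sample_topology("ShiroProvider", "KNOXSSO", "KNOXSSOUT"),
        "logout (Anonymous only)":
            sample_topology("Anonymous", "KNOXSSOUT"),
        "logout (Anonymous, shared)":
            sample_topology("Anonymous", "KNOXSSOUT", "KNOXSSO"),
    }
    for label, xml_text in cases.items():
        print(label, "->", check_topology(xml_text) or "ok")
```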