[
https://issues.apache.org/jira/browse/QPID-7062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15143700#comment-15143700
]
Rob Godfrey commented on QPID-7062:
-----------------------------------
Agree adding a logout URL that can be found via the
HttpRequestInteractiveAuthenticators makes sense.
And yeah - we should do something about the login page - I guess we could
actually write a HttpRequestInteractiveAuthenticators for username/password
authentication managers and have it render the login page somehow...
> Poor logout experience when using Oauth2 authentication mechanism for
> management
> --------------------------------------------------------------------------------
>
> Key: QPID-7062
> URL: https://issues.apache.org/jira/browse/QPID-7062
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker
> Reporter: Keith Wall
>
> If I configure OAuth2 and use a provider such as CloudFoundry, when I go to
> log out of the Qpid Web Management Console I get caught in a loop, giving the
> impression that the logout function is broken and leaving no means of escape
> without closing the window/tab or typing an address.
> # The logout button directs the browser to /logout.
> # Web Management invalidates the Session
> # Redirects to /management (odd - this should have been retired)
> # Oauth2InteractiveAuthenticator redirects to the authenticate endpoint
> (CloudFoundry)
> # CloudFoundry redirects back to the Web Management Console starting a new
> session.
> The experience is similar in Google except I see Google's "Request for
> permission" page after logout before the loop starts again.
> Perhaps the LogoutServlet should ask the HttpRequestInteractiveAuthenticators
> for a logout link? In the case of Oauth2, the plugin could then provide a
> configurable link.
> I also notice that when using OAuth2, the /login page is still live, but
> completely redundant/confusing.
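The redirect chain listed in the issue description, modelled as an added example (not code from the Qpid project or from either participant). The paths `/logout` and `/management` come from the issue; the provider URLs are placeholders, and it is an assumption that the configurable logout link ends the provider's own session.

```python
from dataclasses import dataclass

# Placeholder provider endpoints (constructed, not from the issue).
IDP_AUTHORIZE = "https://idp.example/oauth/authorize"
IDP_LOGOUT = "https://idp.example/logout"


@dataclass
class State:
    broker_session: bool = True  # Web Management Console session
    idp_session: bool = True     # single sign-on session at the OAuth2 provider


def step(url, state, logout_url):
    """Handle one request; return the redirect target, or None if a page renders."""
    if url == "/logout":
        state.broker_session = False        # Web Management invalidates the session
        # Proposed behaviour: use the authenticator's logout link when one exists.
        return logout_url or "/management"
    if url == "/management":
        # Without a session the OAuth2 authenticator sends the browser to the provider.
        return None if state.broker_session else IDP_AUTHORIZE
    if url == IDP_AUTHORIZE:
        if not state.idp_session:
            return None                     # provider shows its own login page
        state.broker_session = True         # provider redirects back: new session
        return "/management"
    if url == IDP_LOGOUT:
        state.idp_session = False           # assumption: this ends the provider session
        return None
    raise ValueError(f"unexpected URL: {url}")


def follow_logout(logout_url=None, max_hops=10):
    """Click 'logout' and follow redirects; return (hops, final state)."""
    state, url, hops = State(), "/logout", []
    while url is not None and len(hops) < max_hops:
        hops.append(url)
        url = step(url, state, logout_url)
    return hops, state


if __name__ == "__main__":
    for link in (None, IDP_LOGOUT):
        hops, state = follow_logout(link)
        print(" -> ".join(hops), "| broker session alive:", state.broker_session)
```

With no logout link the chain ends back on `/management` with a fresh broker session, which is the loop the reporter describes; with the link it ends at the provider and neither session survives.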