[ https://issues.apache.org/jira/browse/GEODE-7851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17087721#comment-17087721 ]
ASF subversion and git services commented on GEODE-7851:
--------------------------------------------------------

Commit f9d94792aa7e251e283f362348e586238894dab4 in geode's branch refs/heads/develop from Dale Emery
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=f9d9479 ]

GEODE-7851: Pulse logout requests end of OAuth session

When Pulse is configured to use OAuth, and a user logs out of Pulse, Pulse redirects the browser to a page where the user can take action to end their session. The available actions depend on the OAuth provider, but may include revoking the token or logging out of the OAuth provider entirely.

Main changes:

- Changed OAuthSecurityConfig to install two logout handlers: A RepositoryLogoutHandler (renamed from LogoutHandler) and an OidcClientInitiatedLogoutSuccessHandler.
- Added a pulse.security.oauth.endSessionEndpoint property to specify the URL to which the OidcClientInitiatedLogoutSuccessHandler should redirect the browser on logout.
- Configured the OAuthSecurityConfig to add the "end session endpoint" property value to the client configuration metadata. On logout, the OidcClientInitiatedLogoutSuccessHandler redirects the browser to this endpoint, where the user can take action to end the session.
- In the OAuthClientConfig class (extracted from OAuthSecurityConfig), restored the code to explicitly list the scopes that Pulse is requesting, in particular to list "openid" in the scopes. Though authentication works just fine without that explicit list, the OidcClientInitiatedLogoutSuccessHandler does not. The OidcClientInitiatedLogoutSuccessHandler handles logout only if the principal is an OidcUser. If "openid" is not explicitly listed in the client's scopes, Spring creates OAuth2User principals instead of OidcUser principals, and OidcClientInitiatedLogoutSuccessHandler returns without redirecting the browser.

Also refactored to support the above changes:

- Moved the oauth client service configuration from OAuthSecurityConfig to a new OAuthClientConfig class. This breaks Repository's dependence on OAuthSecurityConfig, which in turn (through the LogoutHandler) depended on Repository. Repository now gets its OAuth2AuthorizedClientService from the OAuthClientConfig class, which does not in turn depend on Repository.
- Marked two Repository constructors as non-required. Spring will pick whichever one has the most dependencies it can satisfy. So if the profile specifies an OAuth2AuthorizedClientService, Spring will call the constructor that takes one of those. Otherwise Spring will call the no-args constructor.
- Renamed LogoutHandler to RepositoryLogoutHandler to better reflect its specific responsibilities.
- Changed RepositoryLogoutHandler to implement LogoutHandler instead of LogoutSuccessHandler. Now it does its work *during* logout instead of *after.*
- Changed DefaultSecurityConfig to specify the logout success URL directly instead of via a logout success handler. (OAuthSecurityConfig no longer needs a logout success URL, because the OIDC logout handler redirects to the OAuth provider instead.)

Co-authored-by: Dale Emery <dem...@pivotal.io>
Co-authored-by: Joris Melchior <joris.melch...@gmail.com>

> Pulse should support OAuth2 authorization code flow
> ---------------------------------------------------
>
> Key: GEODE-7851
> URL: https://issues.apache.org/jira/browse/GEODE-7851
> Project: Geode
> Issue Type: New Feature
> Components: docs, pulse
> Reporter: Jinmei Liao
> Assignee: Dale Emery
> Priority: Major
> Time Spent: 12h
> Remaining Estimate: 0h
>
> Instead of using username/password to log in to pulse, pulse should redirect
> to a configured authentication provider to get access token to login.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
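As an added illustration (not code from the Geode commit above), the following minimal Spring Security configuration wires together the pieces the commit message describes: an explicit "openid" scope on the client registration, the end-session URL placed in the provider metadata under the key OidcClientInitiatedLogoutSuccessHandler reads, and the two logout handlers in the order they run (the LogoutHandler during logout, the success handler after). It is written against the Spring Security 5.2-era API (redirectUriTemplate, setPostLogoutRedirectUri(String)), which is an assumption about the version; the class name PulseOAuthLogoutConfig, every property name other than pulse.security.oauth.endSessionEndpoint, and what the stand-in RepositoryLogoutHandler does during logout are assumptions as well, since the page does not show Geode's handler body.

```java
import java.util.Collections;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.authentication.logout.LogoutHandler;

// Added example, not Geode's OAuthSecurityConfig/OAuthClientConfig. Class and
// property names other than pulse.security.oauth.endSessionEndpoint are assumptions.
@Configuration
public class PulseOAuthLogoutConfig extends WebSecurityConfigurerAdapter {

  @Value("${pulse.security.oauth.endSessionEndpoint}") private String endSessionEndpoint;
  @Value("${pulse.security.oauth.clientId}") private String clientId;           // assumed name
  @Value("${pulse.security.oauth.clientSecret}") private String clientSecret;   // assumed name
  @Value("${pulse.security.oauth.authorizationUri}") private String authorizationUri;
  @Value("${pulse.security.oauth.tokenUri}") private String tokenUri;
  @Value("${pulse.security.oauth.jwkSetUri}") private String jwkSetUri;
  @Value("${pulse.security.oauth.userInfoUri}") private String userInfoUri;

  @Bean
  public ClientRegistrationRepository clientRegistrationRepository() {
    ClientRegistration registration = ClientRegistration.withRegistrationId("pulse")
        .clientId(clientId)
        .clientSecret(clientSecret)
        .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
        .redirectUriTemplate("{baseUrl}/login/oauth2/code/{registrationId}")
        // "openid" must be listed explicitly: without it Spring builds an OAuth2User
        // principal and OidcClientInitiatedLogoutSuccessHandler will not redirect.
        .scope("openid", "profile", "email")
        .authorizationUri(authorizationUri)
        .tokenUri(tokenUri)
        .jwkSetUri(jwkSetUri)
        .userInfoUri(userInfoUri)
        .userNameAttributeName(IdTokenClaimNames.SUB)
        // The OIDC logout handler reads "end_session_endpoint" from this metadata map.
        .providerConfigurationMetadata(
            Collections.singletonMap("end_session_endpoint", endSessionEndpoint))
        .build();
    return new InMemoryClientRegistrationRepository(registration);
  }

  @Bean
  public OAuth2AuthorizedClientService authorizedClientService() {
    return new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository());
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    OidcClientInitiatedLogoutSuccessHandler oidcLogout =
        new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository());
    // Where the provider sends the browser back once the OAuth session is ended.
    oidcLogout.setPostLogoutRedirectUri("{baseUrl}/login");

    http.authorizeRequests().anyRequest().authenticated()
        .and().oauth2Login()
        .and().logout()
            // LogoutHandler: runs *during* logout, before the success handler.
            .addLogoutHandler(new RepositoryLogoutHandler(authorizedClientService()))
            // LogoutSuccessHandler: runs *after* logout and issues the redirect.
            .logoutSuccessHandler(oidcLogout);
  }

  /** Stand-in for Geode's RepositoryLogoutHandler. Its real body is not on the page;
   *  here it only drops the principal's cached authorized client (an assumption). */
  static class RepositoryLogoutHandler implements LogoutHandler {
    private final OAuth2AuthorizedClientService clients;

    RepositoryLogoutHandler(OAuth2AuthorizedClientService clients) { this.clients = clients; }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication auth) {
      if (auth instanceof OAuth2AuthenticationToken) {
        OAuth2AuthenticationToken token = (OAuth2AuthenticationToken) auth;
        clients.removeAuthorizedClient(token.getAuthorizedClientRegistrationId(), token.getName());
      }
    }
  }

  /** The precondition the OIDC success handler checks before redirecting; false at
   *  logout time means the principal is a plain OAuth2User, i.e. "openid" is missing. */
  static boolean oidcLogoutWillRedirect(Authentication auth) {
    return auth instanceof OAuth2AuthenticationToken && auth.getPrincipal() instanceof OidcUser;
  }
}
```

The helper oidcLogoutWillRedirect is the check to run (for example from a test or a debug log line) when a logout silently lands on the default target URL instead of the provider's end-session page: if it returns false for the current Authentication, the fix is in the scope list, not in the handler.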