Single Logout (SLO)

Single logout (SLO) enables users to log out of all applications at once, without having to sign out of each one separately.

Under construction

This guide is a work in progress.

OIDC defines the following specifications related to logout:

Because Kubeflow is a confidential client that doesn’t live in the user’s browser, the Back-Channel logout is what applies here. The gist of the spec is:

  • When a user logs out from the Provider (GitLab), the Provider sends requests to a logout endpoint at every Client (Kubeflow).
  • When a user logs out from a Client, the Client redirects them to a special page at the Provider where the Provider prompts them to log out. Then, the Provider initiates a procedure that logs them out of all Clients.

However, GitLab doesn’t seem to either:

  • Implement the OpenID Connect Back-Channel Logout specification.
  • Provide an administrative endpoint to log out users from all Clients.

To work around those issues, here are the suggested solutions:

  • To log a user out of GitLab when they log out of Kubeflow, we send an HTTP POST request to the GitLab /users/sign_out endpoint. This is effectively a CSRF request, so it is not ideal; however, a recent GitLab issue removed CSRF protection from the logout endpoint for exactly this use case.

  • To log a user out of Kubeflow (or other applications) when they log out of GitLab, have the AuthService effectively delegate session management to GitLab by checking the access/refresh token’s validity on every request.

    Important

    Currently, when a user logs out of GitLab, GitLab doesn’t revoke all the tokens issued to applications. This means that logging out of GitLab does not log the user out of Kubeflow.

    Authentication is done via OIDC tokens. To log out globally, navigate to your Profile Settings -> Applications, and in the Authorized Applications section revoke every application’s access token.
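As an added example (not code from the Kubeflow or AuthService projects), here is a Go sketch of the second workaround above: a session-checking middleware that asks the Provider's userinfo endpoint about the access token on every request and drops the local session the moment the Provider rejects the token. The Provider here is a constructed stand-in, not GitLab; the cookie name, the session and token values, and the `/oauth/userinfo` path served by the stand-in are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

const sessionCookie = "authservice_session" // assumed cookie name, not taken from the page

// fakeProvider stands in for GitLab's userinfo endpoint and is constructed for this
// example. Tokens still in `live` get a 200; anything else gets a 401, which is how
// a token revoked under Authorized Applications looks to the client.
type fakeProvider struct {
	live sync.Map // token -> true while the Provider still accepts it
	srv  *httptest.Server
}

func newFakeProvider(tokens ...string) *fakeProvider {
	p := &fakeProvider{}
	for _, t := range tokens {
		p.live.Store(t, true)
	}
	p.srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if _, ok := p.live.Load(tok); !ok {
			http.Error(w, `{"error":"invalid_token"}`, http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"sub":"alice"}`)
	}))
	return p
}

func (p *fakeProvider) revoke(token string) { p.live.Delete(token) } // user revokes the app at the Provider

// requireLiveSession is the AuthService-side check: every request re-validates the
// access token behind the session cookie at the Provider, and a rejected token ends
// the local session instead of being trusted until it expires.
func requireLiveSession(sessions *sync.Map, client *http.Client, userinfoURL string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(sessionCookie)
		if err != nil {
			http.Error(w, "no session", http.StatusUnauthorized)
			return
		}
		v, ok := sessions.Load(c.Value)
		if !ok {
			http.Error(w, "unknown session", http.StatusUnauthorized)
			return
		}
		req, _ := http.NewRequestWithContext(r.Context(), http.MethodGet, userinfoURL, nil)
		req.Header.Set("Authorization", "Bearer "+v.(string))
		resp, err := client.Do(req)
		if err != nil { // fail closed: an unreachable Provider never means "still logged in"
			http.Error(w, "provider unreachable", http.StatusBadGateway)
			return
		}
		resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			sessions.Delete(c.Value)
			http.SetCookie(w, &http.Cookie{Name: sessionCookie, Value: "", MaxAge: -1, Path: "/"})
			http.Error(w, "session revoked at provider", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// logoutPropagates runs the scenario: one request succeeds, the user revokes the
// application at the Provider, the next request is rejected and the local session is gone.
func logoutPropagates() (before, after int, sessionCleared bool) {
	provider := newFakeProvider("tok-alice")
	defer provider.srv.Close()
	sessions := &sync.Map{}
	sessions.Store("sess-1", "tok-alice")           // session minted at login; constructed values
	userinfo := provider.srv.URL + "/oauth/userinfo" // GitLab's userinfo path, served by the stand-in here
	app := httptest.NewServer(requireLiveSession(sessions, provider.srv.Client(), userinfo,
		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "dashboard") })))
	defer app.Close()
	get := func() int {
		req, _ := http.NewRequest(http.MethodGet, app.URL+"/", nil)
		req.AddCookie(&http.Cookie{Name: sessionCookie, Value: "sess-1"})
		resp, err := app.Client().Do(req)
		if err != nil {
			return 0
		}
		resp.Body.Close()
		return resp.StatusCode
	}
	before = get()
	provider.revoke("tok-alice")
	after = get()
	_, still := sessions.Load("sess-1")
	return before, after, !still
}

func main() {
	b, a, cleared := logoutPropagates()
	fmt.Printf("before=%d after=%d sessionCleared=%v\n", b, a, cleared)
}
```

Two design points worth noting. The check fails closed: if the Provider cannot be reached, the request is refused rather than served on a possibly revoked token. And because, as the note above says, GitLab does not revoke issued tokens when the user signs out, the Provider only starts rejecting the token once the user revokes the application under Authorized Applications; until then this per-request check cannot detect a plain GitLab logout, and it costs one Provider round trip per request, so any caching of the result directly trades latency for logout lag.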

What’s Next

Check out the rest of our user guides.