Single Logout (SLO)
Single logout (SLO) lets a user log out of all applications at once, instead of signing out of each one separately.
This guide is a work in progress.
OIDC defines the following specifications related to logout:
- OpenID Connect Session Management
- OpenID Connect Front-Channel Logout
- OpenID Connect Back-Channel Logout
Because Kubeflow is a confidential client that doesn’t live in the user’s browser, the Back-Channel logout is what applies here. The gist of the spec is:
- When a user logs out from the Provider (GitLab), the Provider sends requests to a logout endpoint at every Client (Kubeflow).
- When a user logs out from a Client, the Client redirects them to a special page at the Provider where the Provider prompts them to log out. Then, the Provider initiates a procedure that logs them out of all Clients.
However, GitLab does not appear to do either of the following:
- Implement the OpenID Connect Back-Channel Logout specification.
- Provide an administrative endpoint to log out users from all Clients.
To work around these gaps, the suggested solutions are:
To log a user out of GitLab when they log out of Kubeflow, we send an HTTP POST request to the GitLab /users/sign_out endpoint. This is effectively a cross-site request (CSRF) made against GitLab, so it is not ideal; however, a recent GitLab issue removed CSRF protection from the logout endpoint for exactly this use.
To log a user out of Kubeflow (or other applications) when they log out of GitLab, force the AuthService to effectively use GitLab for session management and check the validity of the access/refresh token on every request.
Currently, when a user logs out of GitLab, GitLab doesn’t revoke all the tokens issued to applications. This means that logging out of GitLab does not log the user out of Kubeflow.
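The following is an added example sketching both workarounds described above in Go (the language the AuthService is written in); it is not code from the AuthService project. It assumes a cookie name `authservice_session`, an in-memory session map, a userinfo path of `/oauth/userinfo` on a constructed stand-in for GitLab, and the constructed tokens `live-token` and `revoked-token`; only the `/users/sign_out` path comes from this page. The logout handler clears the local session and returns a page whose form the browser submits to the Provider's sign-out URL (the cross-site POST described above), and the middleware asks the Provider whether the stored token is still accepted on every request, ending the local session when it is not.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
)

// Constructed cookie name for this example; not taken from the AuthService code base.
const sessionCookie = "authservice_session"

// sessionStore maps the opaque browser cookie value to the Provider access token
// issued at login. In-memory stand-in for the example; not safe for concurrent use.
type sessionStore map[string]string

// logoutPage is the response to a Client-side logout once the local session is gone.
// The browser submits the form to the Provider's sign-out URL together with the
// user's own Provider session cookie, so the Provider ends that session too.
var logoutPage = template.Must(template.New("logout").Parse(`<!DOCTYPE html>
<html><body onload="document.forms[0].submit()">
<form method="POST" action="{{.}}">
<noscript><button type="submit">Complete logout</button></noscript>
</form></body></html>
`))

// clearSessionCookie expires the Client's own session cookie in the browser.
func clearSessionCookie(w http.ResponseWriter) {
	http.SetCookie(w, &http.Cookie{Name: sessionCookie, Value: "", Path: "/", MaxAge: -1, HttpOnly: true, Secure: true})
}

// logoutHandler: "log the user out of the Provider when they log out of the Client".
func logoutHandler(sessions sessionStore, providerSignOutURL string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(sessionCookie); err == nil {
			delete(sessions, c.Value) // forget the local session first
		}
		clearSessionCookie(w)
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		_ = logoutPage.Execute(w, providerSignOutURL)
	})
}

// tokenValid asks the Provider's userinfo endpoint whether it still accepts the token.
func tokenValid(client *http.Client, userinfoURL, token string) bool {
	req, err := http.NewRequest(http.MethodGet, userinfoURL, nil)
	if err != nil {
		return false
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

// requireValidSession: "check the token's validity on every request". A token the
// Provider no longer accepts ends the local session instead of serving the request.
func requireValidSession(sessions sessionStore, client *http.Client, userinfoURL string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(sessionCookie)
		if err != nil {
			http.Error(w, "not logged in", http.StatusUnauthorized)
			return
		}
		token, ok := sessions[c.Value]
		if !ok || !tokenValid(client, userinfoURL, token) {
			delete(sessions, c.Value)
			clearSessionCookie(w)
			http.Error(w, "session no longer valid at the Provider", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// fakeProvider stands in for GitLab: only the constructed token "live-token" is accepted.
func fakeProvider() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/oauth/userinfo" && r.Header.Get("Authorization") == "Bearer live-token" {
			w.WriteHeader(http.StatusOK)
			return
		}
		w.WriteHeader(http.StatusUnauthorized)
	}))
}

// statusFor sends a request carrying the given session id through h and returns the status code.
func statusFor(h http.Handler, sessionID string) int {
	req := httptest.NewRequest(http.MethodGet, "/protected", nil)
	if sessionID != "" {
		req.AddCookie(&http.Cookie{Name: sessionCookie, Value: sessionID})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	provider := fakeProvider()
	defer provider.Close()
	sessions := sessionStore{"sid-live": "live-token", "sid-stale": "revoked-token"}
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusNoContent) })
	protected := requireValidSession(sessions, provider.Client(), provider.URL+"/oauth/userinfo", app)
	fmt.Println("live session:", statusFor(protected, "sid-live"))   // 204
	fmt.Println("stale session:", statusFor(protected, "sid-stale")) // 401
	fmt.Println("no session:", statusFor(protected, ""))             // 401
}
```

The per-request check only detects a Provider-side logout if the Provider actually stops accepting the token, which is the limitation noted above: as long as GitLab does not revoke issued tokens on logout, the middleware will keep seeing a valid token and the user stays logged in to Kubeflow. Asking the Provider on every request also adds a round trip per request, so a real deployment would cache the answer for a short interval.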
Authentication is done via OIDC tokens. To log out globally, navigate to your Profile > Applications, and in the Authorized Applications section revoke every application's access token.