
KNOX-2972 - Session resource can generate application logout URL with profile/topologies query parameters #808

Merged
merged 1 commit into from
Oct 24, 2023

Conversation

smolnar82
Contributor

@smolnar82 smolnar82 commented Oct 20, 2023

What changes were proposed in this pull request?

Updated the api/v1/sessioninfo REST API endpoint in SessionResource in a way such that it can generate a logoutPageUrl (used by the application logout link in Knox's logout flow) with profile and topologies query parameters in the originalUrl part.

How was this patch tested?

Using curl:

  1. Without any query params:
$ curl -ik --cookie "hadoop-jwt=eyJra...APA" -X GET "https://localhost:8443/gateway/homepage/session/api/v1/sessioninfo"
HTTP/1.1 200 OK
Date: Fri, 20 Oct 2023 10:47:30 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1;mode=block
Content-Type: application/xml
Content-Length: 574

<?xml version="1.0" encoding="UTF-8"?>
<sessioninfo>
   <user>admin</user>
   <logoutUrl>https://localhost:8443/gateway/homepage/knoxssout/api/v1/webssout</logoutUrl>
   <logoutPageUrl>https://localhost:8443/gateway/knoxsso/knoxauth/logout.jsp?originalUrl=https://localhost:8443/gateway/homepage/home</logoutPageUrl>
   <globalLogoutPageUrl>https://dev-p8gzwjyj66yvfble.eu.auth0.com/oidc/logout</globalLogoutPageUrl>
   <canSeeAllTokens>true</canSeeAllTokens>
   <currentKnoxSsoCookieTokenId>40005574-61f2-4507-aa9f-0171b787ed4c</currentKnoxSsoCookieTokenId>
</sessioninfo>
  2. Only with the logoutPageProfile param:
$ curl -ik --cookie "hadoop-jwt=eyJra...APA" -X GET "https://localhost:8443/gateway/homepage/session/api/v1/sessioninfo?logoutPageProfile=token"
HTTP/1.1 200 OK
Date: Fri, 20 Oct 2023 10:48:05 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1;mode=block
Content-Type: application/xml
Content-Length: 588

<?xml version="1.0" encoding="UTF-8"?>
<sessioninfo>
   <user>admin</user>
   <logoutUrl>https://localhost:8443/gateway/homepage/knoxssout/api/v1/webssout</logoutUrl>
   <logoutPageUrl>https://localhost:8443/gateway/knoxsso/knoxauth/logout.jsp?originalUrl=https://localhost:8443/gateway/homepage/home%3Fprofile=token</logoutPageUrl>
   <globalLogoutPageUrl>https://dev-p8gzwjyj66yvfble.eu.auth0.com/oidc/logout</globalLogoutPageUrl>
   <canSeeAllTokens>true</canSeeAllTokens>
   <currentKnoxSsoCookieTokenId>40005574-61f2-4507-aa9f-0171b787ed4c</currentKnoxSsoCookieTokenId>
</sessioninfo>
  3. Only with the logoutPageTopologies param:
$ curl -ik --cookie "hadoop-jwt=eyJra...APA" -X GET "https://localhost:8443/gateway/homepage/session/api/v1/sessioninfo?logoutPageTopologies=sandbox"
HTTP/1.1 200 OK
Date: Fri, 20 Oct 2023 10:48:52 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1;mode=block
Content-Type: application/xml
Content-Length: 593

<?xml version="1.0" encoding="UTF-8"?>
<sessioninfo>
   <user>admin</user>
   <logoutUrl>https://localhost:8443/gateway/homepage/knoxssout/api/v1/webssout</logoutUrl>
   <logoutPageUrl>https://localhost:8443/gateway/knoxsso/knoxauth/logout.jsp?originalUrl=https://localhost:8443/gateway/homepage/home%3Ftopologies=sandbox</logoutPageUrl>
   <globalLogoutPageUrl>https://dev-p8gzwjyj66yvfble.eu.auth0.com/oidc/logout</globalLogoutPageUrl>
   <canSeeAllTokens>true</canSeeAllTokens>
   <currentKnoxSsoCookieTokenId>40005574-61f2-4507-aa9f-0171b787ed4c</currentKnoxSsoCookieTokenId>
</sessioninfo>
  4. Both with the logoutPageProfile and logoutPageTopologies params:
$ curl -ik --cookie "hadoop-jwt=eyJra...APA" -X GET "https://localhost:8443/gateway/homepage/session/api/v1/sessioninfo?logoutPageTopologies=sandbox&logoutPageProfile=full"
HTTP/1.1 200 OK
Date: Fri, 20 Oct 2023 08:07:26 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1;mode=block
Content-Type: application/xml
Content-Length: 610

<?xml version="1.0" encoding="UTF-8"?>
<sessioninfo>
   <user>admin</user>
   <logoutUrl>https://localhost:8443/gateway/homepage/knoxssout/api/v1/webssout</logoutUrl>
   <logoutPageUrl>https://localhost:8443/gateway/knoxsso/knoxauth/logout.jsp?originalUrl=https://localhost:8443/gateway/homepage/home%3Fprofile=full%26topologies=sandbox</logoutPageUrl>
   <globalLogoutPageUrl>https://dev-p8gzwjyj66yvfble.eu.auth0.com/oidc/logout</globalLogoutPageUrl>
   <canSeeAllTokens>true</canSeeAllTokens>
   <currentKnoxSsoCookieTokenId>40005574-61f2-4507-aa9f-0171b787ed4c</currentKnoxSsoCookieTokenId>
</sessioninfo>

I also tested the entire flow by temporarily modifying the home application. I updated the sessionUrl variable:

sessionUrl = this.topologyContext + 'session/api/v1/sessioninfo'

became

sessionUrl = this.topologyContext + 'session/api/v1/sessioninfo?logoutPageProfile=token&logoutPageTopologies=sandbox'

After I redeployed Knox, I confirmed that I got the correct link on the logout page and, after clicking the Return to Application link and logging in again, the given query parameters were applied.
(Three screenshots attached: Screenshot 2023-10-20 at 15 12 42, Screenshot 2023-10-20 at 15 13 53, Screenshot 2023-10-20 at 15 14 13)
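The URL shape shown in the curl responses above, reproduced as an added example (this is not Knox's code; the helper names are assumptions): the nested home-page query is carried inside originalUrl with its '?' and '&' percent-encoded so it does not merge into logout.jsp's own query string, and the client-side parser recovers the parameters and checks that the return link stays on the gateway's origin.

```javascript
// Added example, not part of the Knox project. Reproduces the logoutPageUrl
// format observed in the sessioninfo responses above: only the nested query's
// '?' and '&' are percent-encoded (%3F / %26); '=' stays literal.
const KNOXSSO_LOGOUT_PAGE = 'https://localhost:8443/gateway/knoxsso/knoxauth/logout.jsp';
const HOME_URL = 'https://localhost:8443/gateway/homepage/home';

// Build the originalUrl for the home page with optional profile/topologies,
// in the parameter order the responses show (profile before topologies).
function buildOriginalUrl(homeUrl, { profile, topologies } = {}) {
  const params = [];
  // encodeURIComponent keeps the page's values ('token', 'full', 'sandbox')
  // unchanged and stops a value containing '&' or '?' from splitting the query.
  if (profile) params.push(`profile=${encodeURIComponent(profile)}`);
  if (topologies) params.push(`topologies=${encodeURIComponent(topologies)}`);
  if (params.length === 0) return homeUrl;
  return `${homeUrl}%3F${params.join('%26')}`;
}

// Hypothetical helper: the full logoutPageUrl value as returned by sessioninfo.
function buildLogoutPageUrl(logoutPage, homeUrl, opts) {
  return `${logoutPage}?originalUrl=${buildOriginalUrl(homeUrl, opts)}`;
}

// Client side: read the nested parameters back and confirm the return link
// points at the same origin as the logout page before using it.
function parseLogoutPageUrl(logoutPageUrl) {
  const outer = new URL(logoutPageUrl);
  // searchParams.get() percent-decodes, so %3F/%26 become '?' and '&' here
  // and the whole originalUrl is still one value (no raw '&' inside it).
  const original = outer.searchParams.get('originalUrl');
  if (original === null) throw new Error('originalUrl missing from logoutPageUrl');
  const inner = new URL(original);
  return {
    original,
    profile: inner.searchParams.get('profile'),
    topologies: inner.searchParams.get('topologies'),
    sameOrigin: inner.origin === outer.origin,
  };
}

// Stand-alone demonstration matching case 4 of the curl tests above.
const demo = buildLogoutPageUrl(KNOXSSO_LOGOUT_PAGE, HOME_URL,
  { profile: 'full', topologies: 'sandbox' });
console.log(demo);
console.log(parseLogoutPageUrl(demo));
```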

@smolnar82 smolnar82 self-assigned this Oct 20, 2023
@smolnar82 smolnar82 added homepage SSO Knox SSO javascript Pull requests that update Javascript code labels Oct 20, 2023
@smolnar82 smolnar82 requested a review from zeroflag October 20, 2023 14:07
@smolnar82 smolnar82 merged commit ad0ea7d into apache:master Oct 24, 2023
2 checks passed
@smolnar82 smolnar82 deleted the KNOX-2972 branch October 24, 2023 17:21
stoty pushed a commit to stoty/knox that referenced this pull request May 14, 2024
…ut URL with profile/topologies query parameters (apache#808)

In addition to the API change, the configured logout URL should contain the 'token' profile and show the 'cdp-proxy-token' topology only.

Change-Id: Icc5bc3104c44e41f16594aea8548de045d1026f9
stoty pushed a commit to stoty/knox that referenced this pull request May 14, 2024
…into cdpd-master

* changes:
  CDPD-62588, KNOX-2972: Session resource can generate application logout URL with profile/topologies query parameters (apache#808)
  CDPD-62595, KNOX-2970: Removing KnoxSSO cookie from the token state service upon logout (apache#806)
  CDPD-62598, KNOX-2971: Applying word wrapping in the comment and metadata columns on the Token Management UI (apache#807)
  CDPD-62592, KNOX-2969: KnoxSSO Cookies should be ignored while calculating token limit per user (apache#805)
  CDPD-62585, KNOX-2968: Batch token enable action should succeed even if enabled KnoxSSO cookies are selected (apache#804)
  CDPD-61809, KNOX-2961: Knox SSO cookie Invalidation - Phase II (apache#799)
  CDPD-61184, KNOX-2961: Knox SSO cookie Invalidation - Phase I (apache#797)