
[BUG] Opensearch-dashboards logout not working when logout is initiated from keycloak #840

Closed
aggarwalShivani opened this issue Oct 18, 2021 · 12 comments
Labels: bug, help wanted, triaged

Comments

@aggarwalShivani

aggarwalShivani commented Oct 18, 2021

Describe the bug
(Recreating this bug in the opensearch project, as the same issue would be observed as with opendistro: opendistro-for-elasticsearch/security-kibana-plugin#17)

Issue: Opensearch-dashboards logout not working with single-sign out and with OP (keycloak) initiated logout.
Scenario -
Opensearch-dashboards is installed with openid_auth enabled. If we login to Opensearch-dashboards and logout from it, it works fine.
However, if we login to the Opensearch-dashboards UI (say as testuser) and then logout/terminate the active sessions of this user from keycloak admin console, keycloak does not show any active sessions for the user, however, Opensearch-dashboards UI does not logout, stays logged in and remains accessible.

Only (a) if we explicitly log out from the Opensearch-dashboards UI by clicking its logout button, or
(b) if we delete the security_authentication cookies created by Opensearch-dashboards in the browser,
does Opensearch-dashboards log out and redirect to the authentication page.

Tried two approaches :

  1. Configuring opensearch_security.openid.logout_url:
    opensearch_security.openid.logout_url | The logout URL of your IdP. Optional. Only necessary if your IdP does not publish the logout URL in its metadata.
    The metadata endpoint URL of my keycloak server does publish the "end_session_endpoint" as https://{{ip}}/auth/realms//protocol/openid-connect/logout.
    As per the document, tried explicitly configuring:
    opensearch_security.openid.logout_url: https://{{ip}}/auth/realms/{{realm}}/protocol/openid-connect/logout ,
    but this did not help.

  2. Configuring Backchannel Logout URL for the client in keycloak
    As per keycloak, the Backchannel logout URL is a URL that will cause the client to log itself out when a logout request is sent to this realm (via end_session_endpoint). If omitted, no logout request will be sent to the client in this case.
    Configured the backchannel logout url as opensearch-dashboards logout url
    i.e. backchannel logout url: https://{{Opensearch-dashboards:5601}}/api/v1/auth/logout
    With this too, the behaviour remains same and Opensearch-dashboards does not log out.

Kibana logs on clicking logout from keycloak admin console:
{"type":"response","@timestamp":"2021-10-27T08:38:36Z","tags":[],"pid":10,"method":"post","statusCode":400,"req":{"url":"/api/v1/auth/logout","method":"post","headers":{"content-length":"859","content-type":"application/x-www-form-urlencoded; charset=UTF-8","host":"w.x.y.z:30603","connection":"Keep-Alive","user-agent":"Apache-HttpClient/4.5.13 (Java/11.0.12)","accept-encoding":"gzip,deflate"},"remoteAddress":"w.x.y.z","userAgent":"w.x.y.z"},"res":{"statusCode":400,"responseTime":17,"contentLength":9},"message":"POST /api/v1/auth/logout 400 17ms - 9.0B"}

This is a major bug in Opensearch-dashboards security openid_auth authentication.
Any ideas on the root cause and how this can be mitigated?

To Reproduce
Steps to reproduce the behavior:

  1. Integrate opensearch-dashboards with keycloak using openid_auth_domain
  2. Login to opensearch-dashboards UI as (say) testuser
  3. Login to keycloak admin console, click on sessions under Users and click on terminate/logout all sessions for testuser
  4. Check opensearch-dashboards UI

Expected behavior
After terminating session for the user from keycloak admin console, the opensearch-dashboards UI should have automatically logged out.
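Added example, not code from the issue or from the security plugin: a small Python checker that scans OpenSearch Dashboards response logs like the one quoted above and flags rejected back-channel logout POSTs, so a broken single-sign-out integration shows up in monitoring rather than being discovered when a terminated user is still logged in. The first sample line is the log entry quoted in the report; the other lines are constructed.

```python
import json

# Constructed sample input: the first line is the OpenSearch Dashboards response
# log quoted in the issue; the remaining lines are constructed variants.
SAMPLE_LOG_LINES = [
    '{"type":"response","@timestamp":"2021-10-27T08:38:36Z","tags":[],"pid":10,"method":"post","statusCode":400,"req":{"url":"/api/v1/auth/logout","method":"post","headers":{"content-length":"859","content-type":"application/x-www-form-urlencoded; charset=UTF-8","host":"w.x.y.z:30603","connection":"Keep-Alive","user-agent":"Apache-HttpClient/4.5.13 (Java/11.0.12)","accept-encoding":"gzip,deflate"},"remoteAddress":"w.x.y.z","userAgent":"w.x.y.z"},"res":{"statusCode":400,"responseTime":17,"contentLength":9},"message":"POST /api/v1/auth/logout 400 17ms - 9.0B"}',
    # constructed: a browser-initiated logout that succeeded
    '{"type":"response","@timestamp":"2021-10-27T08:40:00Z","tags":[],"pid":10,"method":"get","statusCode":302,"req":{"url":"/auth/logout","method":"get","headers":{"user-agent":"Mozilla/5.0"},"remoteAddress":"10.0.0.5"},"res":{"statusCode":302,"responseTime":5,"contentLength":0},"message":"GET /auth/logout 302 5ms - 0.0B"}',
    # constructed: a back-channel logout that the plugin accepted
    '{"type":"response","@timestamp":"2021-10-27T08:42:30Z","tags":[],"pid":10,"method":"post","statusCode":200,"req":{"url":"/api/v1/auth/logout","method":"post","headers":{"content-type":"application/x-www-form-urlencoded","user-agent":"Apache-HttpClient/4.5.13 (Java/11.0.12)"},"remoteAddress":"10.0.0.9"},"res":{"statusCode":200,"responseTime":8,"contentLength":2},"message":"POST /api/v1/auth/logout 200 8ms - 2.0B"}',
    'not a json line',
]


def parse_response_log(line):
    """Parse one JSON log line; return the dict for type=response entries, else None."""
    try:
        entry = json.loads(line)
    except ValueError:  # covers json.JSONDecodeError and non-JSON lines
        return None
    return entry if isinstance(entry, dict) and entry.get("type") == "response" else None


def is_failed_backchannel_logout(entry):
    """True when a server-to-server form POST to the logout endpoint was rejected."""
    req = entry.get("req", {})
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if req.get("url") != "/api/v1/auth/logout" or req.get("method", "").lower() != "post":
        return False
    if int(entry.get("statusCode", 0)) < 400:
        return False
    # OIDC back-channel logout delivers the logout_token as a form-encoded POST,
    # so a browser's GET of the logout page never matches this predicate.
    return headers.get("content-type", "").startswith("application/x-www-form-urlencoded")


def find_failed_backchannel_logouts(lines):
    """Return one finding per rejected back-channel logout with the fields worth alerting on."""
    findings = []
    for line in lines:
        entry = parse_response_log(line)
        if entry is None or not is_failed_backchannel_logout(entry):
            continue
        req = entry["req"]
        findings.append({
            "timestamp": entry.get("@timestamp"),
            "status": int(entry["statusCode"]),
            "remote": req.get("remoteAddress"),
            "user_agent": req.get("headers", {}).get("user-agent"),
        })
    return findings
```

Run over a tail of the dashboards log, a non-empty result means the IdP is sending logout requests that the plugin is not honouring, which is exactly the state described in this report.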

@aggarwalShivani (Author)

Any updates on this issue? Support is needed for keycloak-initiated logouts.

@aggarwalShivani (Author)

Any updates on this issue and if this bug would be addressed in upcoming versions of opensearch dashboards? This is a major issue blocking single-signout functionality of keycloak IdP.

@dblock (Member)

dblock commented Jan 2, 2022

AFAIK nobody is working on this, if someone wants to pick it up we’d be glad to help, please contribute
Cc: @davidlago

@davidlago davidlago added the help wanted Extra attention is needed, need help from community label Feb 18, 2022
@allanian

+1

@aggarwalShivani (Author)

Hi,
I have re-verified the behaviour with Opensearch & Opensearch-dashboards 2.9.0 and the issue persists.
Looks like even though improvements were made wrt session management (in 1311) in 2.7.0, this issue continues to be there.

Is there a plan to fix this issue with single-sign out?
Is there a known workaround that we could use, at the IdP side (keycloak) or at Opensearch-dashboards side?

@viniokil

+1

@aggarwalShivani (Author)

Hi,
Update:
I have re-verified this case on v2.11.0 and the issue is not observed. 😄
Upon clearing the session in keycloak admin console, when I try to access anything new on the opensearch-dashboards UI, it redirects to login page for authentication. The expectation is met.

There was a configuration mistake in my earlier validations done for 2.9.0, so it's possible that the issue was not there in that version either.
I am not exactly sure since when the issue is fixed in opensearch-dashboards, as I have only verified for these two versions.
If other users still face the issue, kindly share your feedback. If not, I think we can close it.

@davidlago

Thanks for circling back with your findings, @aggarwalShivani! I'm closing this, we can re-open if new reports come in.

@Jayashree-Rajendran

Jayashree-Rajendran commented May 2, 2024

Hi @aggarwalShivani

A little off topic.
If you have documentation for configuring the opensearch-dashboards certificate in keycloak to send Backchannel logout with SSL, could you please share it here? It will be helpful.

I am getting the error below in keycloak while sending a backchannel logout to opensearch-dashboards.

[image: screenshot of the keycloak error]

Thanks in advance

@aggarwalShivani (Author)

aggarwalShivani commented May 19, 2024

Hi @Jayashree-Rajendran,
That experiment on Backchannel logouts was done very long ago; I unfortunately don't have the config files for reference.

But yes, I also had faced exactly the same ssl-handshake error. To bypass the keycloak error, I had disabled SSL on Opensearch-dashboards (so it was accessible on HTTP), while security (authentication/authorization) was still enabled.
With this, the keycloak error was avoided, but the logout still didn't work.

@Jayashree-Rajendran

Oh ok.
You mentioned SSL was disabled on OSD; then authn/authz is also via HTTP?

@aggarwalShivani (Author)

aggarwalShivani commented May 21, 2024

Not sure if I understood your question. I had only disabled SSL on OSD, to bypass the cert-validation error keycloak was throwing while performing backchannel logouts.
For authc/authz, I still had openid_auth_domain enabled (i.e. via keycloak) - which is the use-case described in this ticket.
So OSD was accessible on HTTP, but its authentication happened via keycloak.
