
Sign out functionality #91

Open
wants to merge 11 commits into
base: master
from
28 changes: 26 additions & 2 deletions .github/workflows/E2E.yml
Expand Up @@ -52,13 +52,37 @@ jobs:

- uses: actions/checkout@v2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.IBERSANO_DOCKER_USERNAME }}
password: ${{ secrets.IBERSANO_DOCKER_TOKEN }}

- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v4
with:
images: |
${{ vars.docker_repo }}/easy-auth-proxy

- name: Build and push Docker images
uses: docker/build-push-action@v3
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}

- name: Call the script
continue-on-error: true
run: |
bash main.sh -a "${{ vars.e2ePrefix }}-${{ env.GITHUB_PR_NUMBER }}" -c "${{ vars.e2ePrefix }}-${{ env.GITHUB_PR_NUMBER }}" -r "${{ vars.e2ePrefix }}-${{ env.GITHUB_PR_NUMBER }}" -e ${{ vars.email }} -l ${{ vars.location }}
bash main.sh -i ${{ vars.imageName }} -a "${{ vars.e2ePrefix }}-${{ env.GITHUB_PR_NUMBER }}" -c "${{ vars.e2ePrefix }}-${{ env.GITHUB_PR_NUMBER }}" -r "${{ vars.e2ePrefix }}-${{ env.GITHUB_PR_NUMBER }}" -e ${{ vars.email }} -l ${{ vars.location }}

- name: Delete e2e environment
if: ${{ vars.DeleteOnFailure == 'true' }} || success()
if: ${{ vars.DeleteOnFailure == 'true' }}
run: |
if [ $(az group exists --name ${{ vars.e2ePrefix }}-${{ env.GITHUB_PR_NUMBER }}) == "true" ]; then
az group delete -n ${{ vars.e2ePrefix }}-${{ env.GITHUB_PR_NUMBER }} --yes
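Review bot: The new `Build and push Docker images` step pushes an image built from the PR checkout (`context: .`) using `secrets.IBERSANO_DOCKER_TOKEN`, but the following `main.sh -i ${{ vars.imageName }}` call takes its image from a separate repository variable, so nothing visible ties the deployed image to the one just built. Giving the build step an `id: build` and passing `${{ vars.docker_repo }}/easy-auth-proxy@${{ steps.build.outputs.digest }}` to `-i` would pin the E2E run to that exact image, assuming main.sh accepts a digest reference. The workflow trigger is outside this hunk; if it can run for pull requests from forks, confirm that the Docker Hub secrets are not made available to untrusted code. The secret names also look tied to an individual account, and a repository-scoped token with push access only to the test repository would be a safer choice.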
8 changes: 4 additions & 4 deletions .github/workflows/ci.yml
Expand Up @@ -62,28 +62,28 @@ jobs:
uses: actions/checkout@v2

- name: Log in to Docker Hub
uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USER_ID }}
password: ${{ secrets.DOCKER_REGISTRY_PASS }}

- name: Log in to the Container registry
uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
uses: docker/metadata-action@v4
with:
images: |
ghcr.io/${{ github.repository }}/easy-auth-proxy
easyauthfork8s/easy-auth-proxy

- name: Build and push Docker images
uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
uses: docker/build-push-action@v3
with:
context: .
push: true
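Review bot: The four `uses:` lines in this section appear to move `docker/login-action`, `docker/metadata-action` and `docker/build-push-action` from full commit SHAs to the mutable tags `@v2`, `@v4` and `@v3`, in steps that receive `secrets.DOCKER_REGISTRY_PASS` and `secrets.GITHUB_TOKEN`. A tag can be re-pointed upstream, so whatever it resolves to at run time executes with those credentials and with push rights to both registries. Upgrading while keeping the pin, for example `uses: docker/login-action@<full-commit-sha-of-the-v2-release> # v2`, preserves the version bump without losing that guarantee. The Docker steps added to `.github/workflows/E2E.yml` in this PR use the same unpinned tags.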
2 changes: 2 additions & 0 deletions charts/easyauth-proxy/templates/statefulset.yaml
Expand Up @@ -57,6 +57,8 @@ spec:
value: "{{ .Values.easyAuthForK8s.dataProtectionFileLocation }}"
- name: EasyAuthForK8s__SigninPath
value: "{{ .Values.basePath }}{{ .Values.easyAuthForK8s.signinPath }}"
- name: EasyAuthForK8s__SignoutPath
value: "{{ .Values.basePath }}{{ .Values.easyAuthForK8s.signoutPath }}"
- name: EasyAuthForK8s__AuthPath
value: "{{ .Values.basePath }}{{ .Values.easyAuthForK8s.authPath }}"
- name: EasyAuthForK8s__AllowBearerToken
1 change: 1 addition & 0 deletions charts/easyauth-proxy/values.yaml
Expand Up @@ -114,6 +114,7 @@ easyAuthForK8s:
# such as another easyauth proxy using the same host name
signinPath: "/login"
authPath: "/auth"
signoutPath: "/logout"
# use bearer token as a fall back for cookies
# normally for API web applications only
allowBearerToken: "false"
2 changes: 1 addition & 1 deletion sample/EasyAuthForK8s.Sample/Pages/Shared/_Layout.cshtml
Expand Up @@ -32,7 +32,7 @@
<a class="nav-link" href="/Graph">Graph Query</a>
</li>
<li class="nav-item">
<a class="nav-link" href="/Anonymous" onclick="alert('Please open a GitHub issue if you need a sign out example.')">Sign Out</a>
Member


/Anonymous is a valid path that we should keep. I'm not sure why it was labeled as "Sign-Out", but we should keep it as <a class="nav-link" href="/Anonymous">Anonymous</a> and Sign-out would be a separate nav link.

Collaborator Author


There's a button on line 26 for Anonymous. I've got one for signout and one for Anonymous

<a class="nav-link" href="/easyauth/logout" >Sign Out</a>
</li>
</ul>
</div>
1 change: 0 additions & 1 deletion sample/templates/sample-ingress.yaml
Expand Up @@ -25,7 +25,6 @@ spec:
name: easyauth-sample-pod
port:
number: 80

---
apiVersion: networking.k8s.io/v1
kind: Ingress
1 change: 1 addition & 0 deletions src/EasyAuthForK8s.Web/EasyAuthConfigurationOptions.cs
Expand Up @@ -3,6 +3,7 @@ public class EasyAuthConfigurationOptions
{
public string DataProtectionFileLocation { get; set; } = "C:\\mnt\\dp";
public string SigninPath { get; set; } = "/easyauth/login";
public string SignoutPath { get; set; } = "/easyauth/logout";
public string AuthPath { get; set; } = "/easyauth/auth";
public bool AllowBearerToken { get; set; } = false;
/// <summary>
19 changes: 19 additions & 0 deletions src/EasyAuthForK8s.Web/EasyAuthMiddleWare.cs
Expand Up @@ -13,6 +13,7 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
Expand Down Expand Up @@ -58,6 +59,11 @@ public async Task InvokeAsync(HttpContext context)
await HandleAuth(context);
return;
}
else if (_configureOptions.SignoutPath == context.Request.Path)
{
await HandleLogout(context);
return;
}

// Call the next delegate/middleware in the pipeline
await _next(context);
Expand Down Expand Up @@ -236,6 +242,19 @@ public async Task HandleAuth(HttpContext context)

}

public async Task HandleLogout(HttpContext context)
{
EasyAuthState state = context.EasyAuthStateFromHttpContext();
Member


Unnecessary. Can remove


LogRequestHeaders("HandleLogout", context.Request);

// Delete the cookie
context.Response.Cookies.Delete(Constants.CookieName);

// Re route the user to Azure AD to logout
await context.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme, new AuthenticationProperties { RedirectUri = _configureOptions.DefaultRedirectAfterSignin }) ;
Member


We should allow the default redirect URI to be overridden by reading the Constants.RedirectParameterName query param. We should also allow the literal value of "_blank" to be provided, which would not do a redirect at all and would just leave you at the AAD signout page. This would be the case when there is no path that allows anonymous access. I'm also wondering if we should use a value other than the DefaultRedirectAfterSignin, and render our own razor page after signing out. I need to think about that.

}

private void LogRequestHeaders(string prefix, HttpRequest request)
{
StringBuilder sb = new StringBuilder();
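Review bot: In `HandleLogout`, `context.Response.Cookies.Delete(Constants.CookieName)` deletes the cookie with default options, so a session cookie that was issued with a non-default path or domain, or split into chunks by the cookie handler, could survive the sign-out and keep the session usable. Signing out of the cookie scheme lets the handler clear it with the options it was issued under, e.g. `await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);` before the OpenID Connect sign-out, assuming that is the scheme name registered at startup (not visible in this section). The new `SignoutPath` branch in `InvokeAsync` also dispatches on the path alone, so the handler runs for any HTTP method and a cross-site request can sign a user out; restricting it to POST, or documenting the accepted risk next to the `href="/easyauth/logout"` link in `_Layout.cshtml`, would address that. The added `using System.Net.Http;` does not appear to be used by the new code.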
1 change: 1 addition & 0 deletions src/EasyAuthForK8s.Web/appsettings.json
Expand Up @@ -18,6 +18,7 @@
"EasyAuthForK8s": {
"DataProtectionFileLocation": "/mnt/dp",
"SigninPath": "/easyauth/login",
"SignoutPath": "/easyauth/logout",
"AuthPath": "/easyauth/auth",
"AllowBearerToken": false,
"DefaultRedirectAfterSignin": "/",