From ab9f00a02730857dc346b67e28e1ed7769bf42ac Mon Sep 17 00:00:00 2001 From: Gianluca Barbon Date: Thu, 4 Jun 2020 12:26:44 +0200 Subject: [PATCH 1/2] Enabling property to disable the OpenID Connect logout Signed-off-by: Gianluca Barbon --- .../core/client/KapuaCloudConsole.java | 31 +++++++++++-------- .../app/console/core/client/NorthView.java | 25 +++++++++------ .../core/server/GwtSettingsServiceImpl.java | 7 +++-- .../api/setting/ConsoleSettingKeys.java | 1 + docs/developer-guide/en/sso.md | 4 +++ 5 files changed, 43 insertions(+), 25 deletions(-) diff --git a/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/KapuaCloudConsole.java b/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/KapuaCloudConsole.java index 9468a1dfb34..a22aa3368e6 100644 --- a/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/KapuaCloudConsole.java +++ b/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/KapuaCloudConsole.java @@ -370,7 +370,7 @@ private void renderLoginDialog() { String error = Window.Location.getParameter("error"); // Check if coming from failed SSO login (the user exists but she does not have the authorizations) - if (error !=null && !error.isEmpty() && error.equals("access_denied")) { + if (error != null && !error.isEmpty() && error.equals("access_denied")) { logger.info("Access denied, SSO login failed"); ConsoleInfo.display(CORE_MSGS.loginSsoLoginError(), CORE_MSGS.ssoClientAuthenticationFailed()); } 
@@ -446,18 +446,23 @@ public void onFailure(Throwable caught) { @Override public void onSuccess(final String result) { - logger.info("Waiting for logout."); - - // this timer is needed to give time to the ConsoleInfo.display method (called above) to show - // the message to the user (otherwise the Window.location.assign would reload the page, - // giving no time to the user to read the message). - Timer timer = new Timer() { - @Override - public void run() { - Window.Location.assign(result); - } - }; - timer.schedule(SSO_FAILURE_WAIT_TIME); + if (!result.isEmpty()) { + logger.info("Waiting for logout."); + + // this timer is needed to give time to the ConsoleInfo.display method (called above) to show + // the message to the user (otherwise the Window.location.assign would reload the page, + // giving no time to the user to read the message). + Timer timer = new Timer() { + @Override + public void run() { + Window.Location.assign(result); + } + }; + timer.schedule(SSO_FAILURE_WAIT_TIME); + } else { + // result is empty, thus the OpenID logout is disabled + TokenCleaner.cleanToken(); // removes the access_token from the URL, however it forces the page reload + } } }); } diff --git a/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/NorthView.java b/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/NorthView.java index b082d7a882c..a5de6a3200b 100644 --- a/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/NorthView.java +++ b/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/NorthView.java 
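Review bot: In the new `else` branch of `onSuccess`, `TokenCleaner.cleanToken()` runs immediately, although the added comment says it forces a page reload and the existing comment explains that the timer exists so the user can read the `ConsoleInfo.display` message first. With the OpenID logout disabled, the SSO failure message may therefore disappear before it can be read. Consider keeping the `Timer` for both cases and branching inside `run()`: `if (result.isEmpty()) { TokenCleaner.cleanToken(); } else { Window.Location.assign(result); }`, still scheduled with `SSO_FAILURE_WAIT_TIME`. The enclosing method starts above this hunk.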
@@ -197,16 +197,21 @@ public void onSuccess(Void arg0) { gwtSettingService.getSsoLogoutUri(currentSession.getSsoIdToken(), new AsyncCallback() { - @Override - public void onFailure(Throwable caught) { - FailureHandler.handle(caught); - } - - @Override - public void onSuccess(String result) { - Window.Location.assign(result); - } - }); + @Override + public void onFailure(Throwable caught) { + FailureHandler.handle(caught); + } + + @Override + public void onSuccess(String result) { + if (!result.isEmpty()) { + Window.Location.assign(result); + } else { + // result is empty, thus the OpenID logout is disabled + TokenCleaner.cleanToken(); + } + } + }); } else { TokenCleaner.cleanToken(); } diff --git a/console/core/src/main/java/org/eclipse/kapua/app/console/core/server/GwtSettingsServiceImpl.java b/console/core/src/main/java/org/eclipse/kapua/app/console/core/server/GwtSettingsServiceImpl.java index 01473513d1c..a0a87cf7c74 100644 --- a/console/core/src/main/java/org/eclipse/kapua/app/console/core/server/GwtSettingsServiceImpl.java +++ b/console/core/src/main/java/org/eclipse/kapua/app/console/core/server/GwtSettingsServiceImpl.java @@ -52,8 +52,11 @@ public String getSsoLoginUri() throws GwtKapuaException { @Override public String getSsoLogoutUri(String ssoIdToken) throws GwtKapuaException { try { - return SsoLocator.getLocator(this).getService().getLogoutUri(ssoIdToken, - URI.create(SsoHelper.getHomeUri()), UUID.randomUUID().toString()); + if (SETTINGS.getBoolean(ConsoleSettingKeys.SSO_OPENID_LOGOUT_ENABLED, true)) { + return SsoLocator.getLocator(this).getService().getLogoutUri(ssoIdToken, + URI.create(SsoHelper.getHomeUri()), UUID.randomUUID().toString()); + } + return ""; // return empty string instead of using a dedicated callback just to check if the logout is enabled } catch (Throwable t) { KapuaExceptionHandler.handle(t); return null; 
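Review bot: `result.isEmpty()` in the new `onSuccess` body is called without a null check, yet the server-side `getSsoLogoutUri` in this same patch still ends its `catch` block with `return null`. If `KapuaExceptionHandler.handle` always throws, that line is unreachable, but nothing visible here guarantees it. A null result would raise inside the callback and skip the local token cleanup. A guard such as `if (result != null && !result.isEmpty())` keeps the fallback to `TokenCleaner.cleanToken()`; the same check applies to the `onSuccess` change in KapuaCloudConsole.java. The surrounding logout handler starts and ends outside this hunk.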
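Review bot: The `return "";` path in `getSsoLogoutUri` makes the empty string a sentinel for "provider logout disabled", and that contract is recorded only in a trailing comment. Both client callbacks branch on it, and per the sso.md text added in this patch the setting lets the user back into the console without credentials. The method therefore deserves a Javadoc stating that an empty string means `console.sso.openid.logout.enabled` is `false` and that the caller must then clear the local token itself. A comment on the `if`, such as `// when disabled, no provider logout URI is issued; the client only clears the console token`, would make the security trade-off visible at the decision point. The method's closing lines are outside the hunk.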
diff --git a/console/module/api/src/main/java/org/eclipse/kapua/app/console/module/api/setting/ConsoleSettingKeys.java b/console/module/api/src/main/java/org/eclipse/kapua/app/console/module/api/setting/ConsoleSettingKeys.java index 34b977a8b3d..c4c8e24d4af 100644 --- a/console/module/api/src/main/java/org/eclipse/kapua/app/console/module/api/setting/ConsoleSettingKeys.java +++ b/console/module/api/src/main/java/org/eclipse/kapua/app/console/module/api/setting/ConsoleSettingKeys.java @@ -39,6 +39,7 @@ public enum ConsoleSettingKeys implements SettingKey { SSO_REDIRECT_URI("console.sso.redirect.uri"), // SSO_CONSOLE_HOME_URI("console.sso.home.uri"), // + SSO_OPENID_LOGOUT_ENABLED("console.sso.openid.logout.enabled"), // EXPORT_MAX_PAGES("console.export.max.pages"), EXPORT_MAX_PAGE_SIZE("console.export.max.pagesize"); diff --git a/docs/developer-guide/en/sso.md b/docs/developer-guide/en/sso.md index f5df0fb8ed0..89dfc3e9e00 100644 --- a/docs/developer-guide/en/sso.md +++ b/docs/developer-guide/en/sso.md @@ -122,6 +122,10 @@ This is implemented following the OpenID Connect specification for the Note that logging out from the OpenID provider is also possible through the provider OpenID logout endpoint, but the user will remain logged into Kapua until also the logout from Kapua is performed. +The OpenID Connect logout can be disabled by setting the `console.sso.openid.logout.enabled` property to `false` (this property is always set +to `true` by default). Be careful if you choose to disable the OpenID logout, since this will allow the user to login again into the Kapua Console without +the need to provide any credentials. + ## Keycloak Example (Docker based) We detail here the steps to run an SSO Keycloak provider. From 79a49f4222de024085e93f8113a499ed9097bb02 Mon Sep 17 00:00:00 2001 From: Gianluca Barbon Date: Wed, 10 Jun 2020 11:13:14 +0200 Subject: [PATCH 2/2] Updated headers 
Signed-off-by: Gianluca Barbon --- .../kapua/app/console/core/client/KapuaCloudConsole.java | 2 +- .../org/eclipse/kapua/app/console/core/client/NorthView.java | 2 +- .../kapua/app/console/core/server/GwtSettingsServiceImpl.java | 2 +- .../app/console/module/api/setting/ConsoleSettingKeys.java | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/KapuaCloudConsole.java b/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/KapuaCloudConsole.java index a22aa3368e6..71755d6fd64 100644 --- a/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/KapuaCloudConsole.java +++ b/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/KapuaCloudConsole.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2017, 2018 Eurotech and/or its affiliates and others + * Copyright (c) 2017, 2020 Eurotech and/or its affiliates and others * * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License v1.0 diff --git a/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/NorthView.java b/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/NorthView.java index a5de6a3200b..b96dfbed0fa 100644 --- a/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/NorthView.java +++ b/console/core/src/main/java/org/eclipse/kapua/app/console/core/client/NorthView.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2016, 2019 Eurotech and/or its affiliates and others + * Copyright (c) 2016, 2020 Eurotech and/or its affiliates and others * * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License v1.0 
diff --git a/console/core/src/main/java/org/eclipse/kapua/app/console/core/server/GwtSettingsServiceImpl.java b/console/core/src/main/java/org/eclipse/kapua/app/console/core/server/GwtSettingsServiceImpl.java index a0a87cf7c74..4112d6c46e5 100644 --- a/console/core/src/main/java/org/eclipse/kapua/app/console/core/server/GwtSettingsServiceImpl.java +++ b/console/core/src/main/java/org/eclipse/kapua/app/console/core/server/GwtSettingsServiceImpl.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2017 Eurotech and/or its affiliates and others + * Copyright (c) 2017, 2020 Eurotech and/or its affiliates and others * * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License v1.0 diff --git a/console/module/api/src/main/java/org/eclipse/kapua/app/console/module/api/setting/ConsoleSettingKeys.java b/console/module/api/src/main/java/org/eclipse/kapua/app/console/module/api/setting/ConsoleSettingKeys.java index c4c8e24d4af..1e4df71a500 100644 --- a/console/module/api/src/main/java/org/eclipse/kapua/app/console/module/api/setting/ConsoleSettingKeys.java +++ b/console/module/api/src/main/java/org/eclipse/kapua/app/console/module/api/setting/ConsoleSettingKeys.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2017 Eurotech and/or its affiliates and others + * Copyright (c) 2017, 2020 Eurotech and/or its affiliates and others * * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License v1.0