Make all providers to preserve original URL when session expires. #84229
Conversation
azasypkin
added
release_note:enhancement
Team:Security
azasypkin
force-pushed
the
issue-70398-preserve-url-during-logout
branch
from
70a2558
to
5e9dce1
Compare
| @@ -19,3 +19,5 @@ export const APPLICATION_PREFIX = 'kibana-'; | |||
| export const RESERVED_PRIVILEGES_APPLICATION_WILDCARD = 'kibana-*'; | |||
|
|
|||
| export const AUTH_PROVIDER_HINT_QUERY_STRING_PARAMETER = 'auth_provider_hint'; | |||
| export const LOGOUT_REASON_QUERY_STRING_PARAMETER = 'msg'; | |||
There was a problem hiding this comment.
note: I'm not a fan of moving params to the consts since it usually makes it harder to find the code that uses them. But in this specific case these parameter names are so generic that it's much easier to rely on the unique const names to find all relevant places.
| const suggestedProviderName = | ||
| sessionValue?.provider.name ?? | ||
| request.url.searchParams.get(AUTH_PROVIDER_HINT_QUERY_STRING_PARAMETER); | ||
| if (suggestedProviderName) { | ||
| await this.session.clear(request); |
There was a problem hiding this comment.
note: it's a no-op in case session doesn't exist
azasypkin
force-pushed
the
issue-70398-preserve-url-during-logout
branch
2 times, most recently
from
78b1508
to
87a7f75
Compare
azasypkin
force-pushed
the
issue-70398-preserve-url-during-logout
branch
from
87a7f75
to
1d8f121
Compare
| // logout reason that login page may need to know. | ||
| return this.options.config.authc.selector.enabled || shouldProviderUseLoginForm(providerType) | ||
| ? `${this.options.basePath.serverBasePath}/login?${searchParams.toString()}` | ||
| : `${this.options.basePath.serverBasePath}/security/logged_out?${searchParams.toString()}`; |
There was a problem hiding this comment.
note: logged_out should support not only next, but also msg to eventually display different error messages for the normal logout and the logout caused by the session timeout #84200.
|
Pinging @elastic/kibana-security (Team:Security) |
| /** | ||
| * Type and name tuple to identify provider used to authenticate user. | ||
| */ | ||
| export interface AuthenticationProvider { |
There was a problem hiding this comment.
question I'm 100% fine with the move, but I'm just curious: what was the motivation for moving this interface out of types and into its own file?
There was a problem hiding this comment.
Mostly because I wanted to group interface with the relevant helper function shouldProviderUseLoginForm (like we do for the AuthenticatedUser) and having function in types.ts would look a bit weird.
| @@ -4,7 +4,7 @@ | |||
| * you may not use this file except in compliance with the Elastic License. | |||
| */ | |||
|
|
|||
| import { AuthenticationProvider } from '../../common/types'; | |||
| import type { AuthenticationProvider } from '../../common/model'; | |||
There was a problem hiding this comment.
question: you've been great about updating these import statements to import type. Is this a hint that WebStorm provides, or are you just naturally more observant than I am? 😄
There was a problem hiding this comment.
Haha, nope, WebStorm doesn't suggest that change yet. I think I just shuffled import's so many times that now I know where I can add that type 🙈
| }; | ||
|
|
||
| const getProviderParameter = (tenant: string) => { | ||
| const key = `${tenant}/session_provider`; | ||
| const providerName = sessionStorage.getItem(key); | ||
| return providerName ? `&provider=${encodeURIComponent(providerName)}` : ''; | ||
| return providerName | ||
| ? `&${AUTH_PROVIDER_HINT_QUERY_STRING_PARAMETER}=${encodeURIComponent(providerName)}` |
There was a problem hiding this comment.
note this change initially confused me. I thought this was going to end up automatically logging the user back in for providers that don't require user interaction (anonymous, pki, kerberos, etc). Once I traced through the code, I understood that this was instead being used to inform the logout routine about which provider should handle the logout.
I'm ok with this change, but now we have two distinct uses for auth_provider_hint: One is meant for public consumption, and will become part of our public API, and this new case is more if an implementation detail that's unrelated to the public API.
Was consistency the motivation for this change, or was there another reason we changed the parameter name?
There was a problem hiding this comment.
Was consistency the motivation for this change, or was there another reason we changed the parameter name?
Yeah, just wanted to use less query string parameters and decided to re-use this one since its name isn't strictly bound to its current purpose yet and is more or less relevant to both cases. I don't have a strong on this though, if it feels confusing to you (and I see where the confusion is coming from) I can switch back to provider (or something even more descriptive). What do you think?
There was a problem hiding this comment.
I have a slight preference for provider over auth_provider_hint, but I don't feel strongly enough to have you change it. Happy for you to merge as-is
There was a problem hiding this comment.
Good 👍 I'll reverted back to provider. If it confused you then it can confuse someone else who reads this code in the future too
💚 Build SucceededMetrics [docs]Module Count
Async chunks
Distributable file count
Page load bundle
History
To update your PR or re-run it, just comment with: |
…astic#84229) # Conflicts: # x-pack/plugins/security/server/authentication/authenticator.ts
|
7.x/7.11.0: 4b7e868 |
* master: (72 commits) Make alert status fetching more resilient (elastic#84676) [APM] Refactor hooks and context (elastic#84615) Added word break styles to the texts in the item details card. (elastic#84654) [Search] Disable "send to background" when auto-refresh is enabled (elastic#84106) Add readme for new palette service (elastic#84512) Make all providers to preserve original URL when session expires. (elastic#84229) [Lens] Show color in flyout instead of auto (elastic#84532) [Lens] Use index pattern through service instead of reading saved object (elastic#84432) Make it possible to use Kibana anonymous authentication provider with ES anonymous access. (elastic#84074) TelemetryCollectionManager: Use X-Pack strategy as an OSS overwrite (elastic#84477) migrate away from rest_total_hits_as_int (elastic#84508) [Input Control] Custom renderer (elastic#84423) Attempt to more granularly separate App Search vs Workplace Search vs shared GitHub notifications (elastic#84713) [Security Solutino][Case] Case connector alert UI (elastic#82405) [Maps] Support runtime fields in tooltips (elastic#84377) [CCR] Fix row actions in follower index and auto-follow pattern tables (elastic#84433) [Enterprise Search] Migrate shared Indexing Status component (elastic#84571) [maps] remove fields from index-pattern test artifacts (elastic#84379) Add routes for use in Sources Schema (elastic#84579) Changes UI links for drilldowns (elastic#83971) ...
Summary
This PR makes SAML/OIDC/PKI/Kerberos/Anonymous providers to remember current URL when session expires and user is redirected to the Login Selector or Logged Out pages. With this when user logs in again they will end up at the same page they were when the session expired.
Notable exception: if SAML SLO is enabled then during logout user will be redirected to the IdP and the current URL will be lost. We may tackle this in the scope of #69506 since we'll likely be creating an unauthenticated session during logout to store SAML Logout Request ID and hence may store current URL as well.
Release note
Previously when SAML/OIDC/PKI/Kerberos session expired users were logged out and redirected to the login screen to re-login losing their original URL. With this change users will be now redirected back to the original URL after they log in again.
Fixes: #70398