[BUG] - Conda-store log out does not work

[kcpevey]

Describe the bug

Conda-store log out functionality does not work on Nebari in the both the react app and the jupyterlab plugin. Users can click the "log out" button, but they remain logged in.

The conda-store devs are reporting that this functionality works on main (commit 97dccd41b9fa5bbc9d2bfb5580429caeadc4b28a -
conda-incubator/conda-store#684. This leaves me to believe its likely some issue with how Nebari is routing the authentication.

When you log into conda-store, you get routed to the keycloak auth interface for login, and back again (to either the conda-store react app or jupyterlab). My guess is that routing isn't happening with the logout button.

Expected behavior

I expect to be able to log out of conda-store.

OS and architecture in which you are running Nebari

AWS/GCP

How to Reproduce the problem?

• Log into either conda-store interface on nebari.
• Click the log out button in conda-store
• View that the page remains the same, user is not logged out

Command output

No response

Versions and dependencies used.

No response

Compute environment

None

Integrations

No response

Anything else?

This is particularly important now that we have fine-grained permissions implemented in Nebari. If I change a user's conda-store permissions, they must log out of conda-store in order for them to take effect.

The workaround is to ask users to clear their browser cache or use incognito to effectively log them out 😓

[viniciusdc]

Keycloak generates an access token that is stored in the cookies of the browser, each token is generated for a given domain (e.g /hub and /hub/lab/<user> ) might get the same token names, but they will difer. It might be that in our conda-store oauth class could be looking to the wrong token when removing the session, and a leftover is kept.

I've seen a similar problem with authentication when refactoring the jupyterhub tests recently. Also the way the extension and the main app page works might need to be changed in terms of authentication. (editado)

[dcmcand]

I believe the issue here is actually with jupyterhub-cond-store. It allows setting a login page variable, but not a logout page variable. As an example, on https://nebari.quansight.com, if I set a breakpoint on the logout js function, I see

The login page url is properly set, but the logout page is using the default value.

Currently Nebari specifies the login page in src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterlab/overrides.json, but there is no such option for specifying the logout page according to https://github.com/conda-incubator/jupyterlab-conda-store/blob/main/schema/plugin.json. I believe that the logout page needs to be exposed in the jupyterhub-conda-store plugin before this will work.

[kcpevey]

The inability to log out affects both the jupyterlab plugin and the react app for conda-store so that may be an important point, but I'm not sure that's the whole story.

If you're running the conda-store-ui standalone, it sets the login and logout urls via a .env file. But I don't understand how those env vars are related to the conda-store config that's in src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/conda-store/config/conda_store_config.py - which is also driving the need to review and document conda-store things.

[dcmcand]

I opened a PR on the conda-store side which I believe will fix this issue.