[oC10] Logging out of oC classic does not log out of oC web

[kulmann]

Similar to #5886 but the other way around

Steps to reproduce

1. Log in to oC classic UI
2. Switch over to new design (i.e. ownCloud Web)
3. Switch back to classic design
4. Log out in oC classic UI

Expected behaviour

User is fully logged out. Both in classic and in new design

Actual behaviour

Only the session for the classic UI is killed. The access token seems to be still valid.

Notes

This might as well be an oauth2 bug. The ticket here describes the bug behaviour as the user perceives it and should stay in this repo. If the underlying bug is an oauth2 app bug we'll create a separate ticket and link it here.

[kulmann]

For the user, an even weirder and more concerning facet of this issue is that logging in with another user and switching over to the new design still has the old user (logged out in classic ui but never logged out in new web ui). The underlying issue is the same. oC Web only checks the backend for a new login if there is no valid access token. Since it's still cached from the previous login it's continued to be used.

[JammingBen]

This might as well be an oauth2 bug. The ticket here describes the bug behaviour as the user perceives it and should stay in this repo. If the underlying bug is an oauth2 app bug we'll create a separate ticket and link it here.

I'll investigate and see if there is something we can do about it.

[kulmann]

Well about that... e.g. the desktop client needs to stay logged in. So we only want to invalidate the tokens from the web client when logging out of oc10 classic ui. That's probably a feature request for the oauth2 app. :-/

[JammingBen]

I'm not an oauth2 expert (not even close), but don't we have separate tokens for web, desktop etc?

Surely it's possible to invalidate those individually, no?!
Edit: Well, if I'm not missing something, apparently it's indeed not possible :/

[kulmann]

Surely it's possible to invalidate those individually, no?! Edit: Well, if I'm not missing something, apparently it's indeed not possible :/

It would be a new feature of the oauth2 app: new flag for any configured client like "invalidate on logout". The clients are not typed in any way, so you can't tell the oauth2 app to kill all tokens that are related to "the web client". There is no such thing, and shouldn't be. So I guess it has to be a new option of the client.

[JammingBen]

It would be a new feature of the oauth2 app: new flag for any configured client like "invalidate on logout". The clients are not typed in any way, so you can't tell the oauth2 app to kill all tokens that are related to "the web client". There is no such thing, and shouldn't be. So I guess it has to be a new option of the client.

I've created a PoC for this approach, however, I ran into a nasty behavior which makes it very hard to go this way. owncloud/oauth2#335

[pascuflow]

While you iron out a solid approach, what would be a hacky way to log out the user completely, since clearing the cookies is not working for me? Cannot use Web in production right now because of this.

[pascuflow]

Tried calling GET https://my.domain.com/index.php/core/logout from Node but only get back some HTML along with 200 status code, user is not logged out, how can we call the logout method that fires when the user clicks on the logout button in Classic?

[kulmann]

@pascuflow

The issue has two sides.
1: logout in web doesn't log out of oC classic. We've solved this via #6939 but it's not released, yet. I'll check if we can have a final web 5.5.0 release on Tuesday. Then you could configure the oc10 logout URL for doing both logouts when clicking Logout in web (invalidate token + logout in classic UI).
2. logout in oC classic doesn't log out web. That's only natural, because web is an oauth2 (or oidc) client, as soon as it has a valid access token it's not bound to the oc10 classic session anymore (for e.g. the desktop client that's the desired behaviour). Obviously we want to logout web as well, what I said before is only technical reasoning.

As a really hacky way for (2) you could try to call the revokeAuthorization endpoint of the oauth2 app. It is a POST request on https://your-owncloud.tld/index.php/apps/oauth2/clients/{client-id}/revoke, where {client-id} is the one that you also configured in the config.json of web. So it remains unchanged for your instance and you could hardcode it. It needs an active classic ui session though, so you need to do that before the actual logout.

[pascuflow]

@pascuflow

The issue has two sides. 1: logout in web doesn't log out of oC classic. We've solved this via #6939 but it's not released, yet. I'll check if we can have a final web 5.5.0 release on Tuesday. Then you could configure the oc10 logout URL for doing both logouts when clicking Logout in web (invalidate token + logout in classic UI). 2. logout in oC classic doesn't log out web. That's only natural, because web is an oauth2 (or oidc) client, as soon as it has a valid access token it's not bound to the oc10 classic session anymore (for e.g. the desktop client that's the desired behaviour). Obviously we want to logout web as well, what I said before is only technical reasoning.

As a really hacky way for (2) you could try to call the revokeAuthorization endpoint of the oauth2 app. It is a POST request on https://your-owncloud.tld/index.php/apps/oauth2/clients/{client-id}/revoke, where {client-id} is the one that you also configured in the config.json of web. So it remains unchanged for your instance and you could hardcode it. It needs an active classic ui session though, so you need to do that before the actual logout.

Ok, so 1 will be solved around Tuesday, now for 2 I am trying the following as you said:

1: Log in oc Web on the browser
2: Postman POST to https://your-owncloud.tld/index.php/apps/oauth2/clients/{client-id}/revoke --> 200 response
3: Refresh oc Web tab on browser but still logged in

What am I missing? What should be on the POST body? You said I need a classic UI session active, I assume that when I request the url https://your-owncloud.tld/ it shows me https://your-owncloud.tld/index.php/login which is the Classic one, then I log in and since I have 'defaultapp' => 'web' on my config.php it redirects to Web and while still having the Classic session. Don't think this could be a viable approach if I need to have a classic session active just for the admin who does the call plus another for the user that I need to revoke.

[pascuflow]

@kulmann
Actually, forget the above, after you release the logout from Web I can just call that logout endpoint to log out from both, you have the method on the button here web/packages/web-runtime/src/components/Topbar/UserMenu.vue, how would one call it via an ajax request directly?

[AlexAndBear]

Closing as OC10 Support has been discontinued with version 7.1.0