Skip to content

fix: reset token-cookie on logout (oidc) #7092

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 27, 2021
Merged

fix: reset token-cookie on logout (oidc) #7092

merged 3 commits into from
Aug 27, 2021

Conversation

jimtoniq
Copy link
Contributor

Situation

We are running ArgoCD on a subpath (/argo-cd) and connected to OIDC.
--basehref is therefore set to /argo-cd, --rootpath is not set.

When logging out via UI, it's impossible to login again.

cookies

Problem

On Logout, an empty-value cookie is sent, but the path does not match the argocd.token cookie that was saved on login. Therefore the saved token is not overwritten. Login is not possible anymore because the token from the cookie would be used and is already revoked.

Solution

With OIDC-Logins, the basehref is used as cookie-path (https://github.com/argoproj/argo-cd/blob/master/util/oidc/oidc.go#L313).
With non-OIDC logins, the value of --rootpath is used as cookie-path (https://github.com/argoproj/argo-cd/blob/master/server/server.go#L635).
Therefore I added a check when sending the empty-value cookie, if it is oidc-login.

An option would be to set the cookie-paths from direct-logins to the basehref as well, but I'm not sure about that.

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • Optional. My organization is added to USERS.md.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).

alexmt
alexmt requested changes Aug 26, 2021
View reviewed changes
Copy link
Collaborator

@alexmt alexmt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @jimtoniq ! added one minor comment

server/logout/logout.go Outdated
@@ -85,11 +87,18 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if !strings.HasPrefix(cookie.Name, common.AuthCookieName) {
continue
}

argocdCookiePath := h.rootPath
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to always use baseHRef for cookie path. Server ensures that both --rootPath and baseHRef are in sync durign start:

argo-cd/cmd/argocd-server/commands/argocd_server.go

Lines 119 to 124 in 44520ea

if rootPath != "" {
if baseHRef != "" && baseHRef != rootPath {
log.Warnf("--basehref and --rootpath had conflict: basehref: %s rootpath: %s", baseHRef, rootPath)
}
baseHRef = rootPath
}

So it is safe to assume that is rootPath is set then baseHRef is set as well.

Copy link
Contributor Author

@jimtoniq jimtoniq Aug 26, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool, thanks @alexmt!

So I would assume it would be better to change it here to a.ArgoCDServerOpts.baseHRef as well? Then all token-cookies would be issued on the base-path.

argo-cd/server/server.go

Lines 634 to 639 in abba8dd

func (a *ArgoCDServer) setTokenCookie(token string, w http.ResponseWriter) error {
cookiePath := fmt.Sprintf("path=/%s", strings.TrimRight(strings.TrimLeft(a.ArgoCDServerOpts.RootPath, "/"), "/"))
flags := []string{cookiePath, "SameSite=lax", "httpOnly"}
if !a.Insecure {
flags = append(flags, "Secure")
}

Copy link
Collaborator

@alexmt alexmt Aug 27, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you are right. Current behavior looks like a bug. Just in case - let address it in a separate PR please.

@codecov
Copy link

codecov bot commented Aug 26, 2021
edited
Loading

Codecov Report

Merging #7092 (d92f7f9) into master (ae803a2) will increase coverage by 0.00%.
The diff coverage is 100.00%.

Impacted file tree graph

@@           Coverage Diff           @@
##           master    #7092   +/-   ##
=======================================
  Coverage   41.08%   41.09%           
=======================================
  Files         158      158           
  Lines       21349    21350    +1     
=======================================
+ Hits         8772     8773    +1     
  Misses      11311    11311           
  Partials     1266     1266
Impacted Files Coverage Δ
server/logout/logout.go 77.77% <100.00%> (+0.41%) ⬆️
server/server.go 54.85% <100.00%> (ø)
util/settings/settings.go 47.15% <0.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ae803a2...d92f7f9. Read the comment docs.

@jimtoniq
fix: logout cookie use basehref with oidc
309a645 
Signed-off-by: jimtoniq <thomasmuenzl@icloud.com>
@jimtoniq
fix NewHandler signature in logout_test
f08b6e1 
Signed-off-by: jimtoniq <thomasmuenzl@icloud.com>
@jimtoniq
use basehref as cookie-path
d92f7f9 
Signed-off-by: jimtoniq <thomasmuenzl@icloud.com>
alexmt
alexmt approved these changes Aug 27, 2021
View reviewed changes
Copy link
Collaborator

@alexmt alexmt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@jimtoniq jimtoniq mentioned this pull request Aug 27, 2021
Merged
10 tasks
@alexmt alexmt merged commit 700806f into argoproj:master Aug 27, 2021
@jimtoniq jimtoniq deleted the fix/logout-cookie-reset branch August 27, 2021 18:09
plakyda-codefresh pushed a commit to plakyda-codefresh/argo-cd that referenced this pull request Sep 28, 2021
@jimtoniq @plakyda1
fix: reset token-cookie on logout (oidc) (argoproj#7092)
8ab74c8 
fix: reset token-cookie on logout (oidc) (argoproj#7092)

Signed-off-by: jimtoniq <thomasmuenzl@icloud.com>
Signed-off-by: viktorplakida <plakyda1@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexmt alexmt alexmt approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jimtoniq @alexmt