yahoo-eng-team team mailing list archive

[Bug 1515825] Re: Logging out of horizon does not invalidate IdP session

As noted by many on this bug, this is the expected behaviour when using
a federated identity provider.

** Summary changed:

- Horizon allows login without credential when configured to use WebSSO
+ Logging out of horizon does not invalidate IdP session

** Changed in: keystone
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1515825

Title:
  Logging out of horizon does not invalidate IdP session

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Identity (keystone):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added to the
  bug as attachments.

  Steps to reproduce

  1) Configure OpenID Connect to use Gmail
  2) Configure Horizon to use WebSSO
  3) Log in via Horizon using OpenID as the IdP
  4) The Gmail login screen appears; you enter your credentials and are logged in
  5) Do something
  6) Log out of Horizon

   -- Do one more login
  7) Log in via Horizon using OpenID as the IdP (same as step 3)
  8) The Gmail login screen does not appear and Horizon logs in directly (step 4 does not happen)

  Basically, when you log out of Horizon, the session you had with Gmail
  is not invalidated. So after a person has logged out, another person
  can log in without entering credentials.

  This is true for ADFS too.
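  As an added illustration (not code from the bug report, Horizon or keystone), the toy model below stands in for a browser cookie jar, a federated IdP and a WebSSO-enabled dashboard; the class names, cookie names and test user are assumptions. It shows why a dashboard-only logout leaves the IdP session alive, so the next login from the same browser gets no credential prompt, and how an RP-initiated logout that also ends the IdP session (what OpenID Connect's end_session_endpoint is for) restores the prompt.

```python
import secrets


class IdP:
    """Hypothetical federated IdP: one server-side session per browser cookie."""
    def __init__(self, users):
        self.users, self.sessions = users, {}

    def login(self, cookies, creds=None):
        """Return the user; raise PermissionError when a credential prompt is needed."""
        sid = cookies.get("idp_session")
        if sid in self.sessions:
            return self.sessions[sid]            # live IdP session: silent re-login
        if creds is None or self.users.get(creds[0]) != creds[1]:
            raise PermissionError("IdP credential prompt")
        sid = secrets.token_hex(8)
        self.sessions[sid] = creds[0]
        cookies["idp_session"] = sid
        return creds[0]

    def end_session(self, cookies):
        """What an OIDC end_session_endpoint does: drop the IdP session."""
        self.sessions.pop(cookies.pop("idp_session", None), None)


class Dashboard:
    """Hypothetical WebSSO relying party; `cookies` is the browser's cookie jar."""
    def __init__(self, idp):
        self.idp = idp

    def websso_login(self, cookies, creds=None):
        cookies["dashboard_session"] = self.idp.login(cookies, creds)

    def logout(self, cookies, single_logout=False):
        cookies.pop("dashboard_session", None)   # local logout only (the bug)
        if single_logout:                        # the step the reporter expected
            self.idp.end_session(cookies)        # RP-initiated logout at the IdP


def next_login_needs_credentials(single_logout):
    """Alice logs in and out; does the next login from the same browser prompt?"""
    idp, cookies = IdP({"alice": "pw"}), {}   # constructed test user, empty jar
    dashboard = Dashboard(idp)
    dashboard.websso_login(cookies, ("alice", "pw"))
    dashboard.logout(cookies, single_logout=single_logout)
    try:
        dashboard.websso_login(cookies)          # next person at the keyboard, no creds
    except PermissionError:
        return True
    return False
```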

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1515825/+subscriptions