#356 Can't log out from (stg.)pagure.io, can't switch accounts
Opened 3 months ago by kparal. Modified 3 months ago

I already reported this as https://pagure.io/pagure/issue/5191 , they told me it's an Ipsilon problem. I need to switch between several accounts on (stg.)pagure.io. That used to work fine, now it doesn't. If I try to log out from pagure, I get a page refresh, it says "You have been logged out", but I'm still logged in. If I clear id.(stg.)fedoraproject.org cookies, I can log out, but once I log in again, the problem repeats. This means I need to clear the cookies every time I want to switch accounts, which is obviously not great.

This can be easily tested in a private window:
1. Open (stg.)pagure.io
2. Log in
3. Log out
4. See yourself still logged in, even though you get a log out confirmation notice

firefox-89.0.2-2.fc34.x86_64


So, this is because there is no Single Logout implemented in Ipsilon or Pagure, which means you still have an active Ipsilon session.
And when you then log out from Pagure, it redirects you to login, where you'll then be automatically logged in.
This is basically a feature request for single logout, which does not exist for OpenID (which Pagure currently uses).
It's also not yet specified in a stable spec for OpenID Connect, although there is an Implementer's Draft: https://openid.net/specs/openid-connect-session-1_0.html (together with back- and front-channel logout specs).

Metadata Update from @puiterwijk:
- Custom field component adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None

3 months ago

I'm not familiar with "Single Logout", but just to clarify, I don't insist on being logged out from all Fedora services. I just want to log out from Pagure (and then log in to Pagure using a different account).

It seems to me that this problem could be solved if Ipsilon (or FAS or something in the login stack) would show me a login dialog instead of logging me in automatically. Ideally I could either confirm using the account which Ipsilon currently considers active (without entering the password again, perhaps), or select a different account.

I'm quite sure I was able to switch Pagure accounts in the past without issues and cookies magic, so something must have changed.

Is there any way to force Ipsilon to log me out (even from all services, if necessary) without manually removing cookies?

The problem is that Pagure doesn't tell Ipsilon you're trying to log out, so Ipsilon just sees you as trying to log in to a new website, and automatically uses your existing session.

This has always been the case, but the session expires after 5 minutes, so if you log out from Pagure more than 5 minutes after your last use of an Ipsilon session, you'll need to log in again.

You could hit the https://id.fedoraproject.org/logout/ endpoint, which will invalidate your session on Ipsilon.
I have very explicitly not documented that in the Fedora communities because it does not invalidate sessions on other applications, which may confuse people: you can log out from Ipsilon, but if you had previously logged in to (and not logged out of) e.g. pagure.io, someone using the computer later could visit pagure.io and still see your active session there.

Single Logout would make it so that logging out from Ipsilon (or any of the other participating applications) logs you out from all Single Logout-participating applications.

The problem is caused by you logging out on some pagure page that requires auth (settings, etc).

So, you log out and pagure says... oh, you need to log in to see this page and logs you in again.

It correctly logs me out if I am not on a settings or profile page that requires auth.

> The problem is caused by you logging out on some pagure page that requires auth (settings, etc).

Right, I've been trying this from the Pagure homepage, which is https://pagure.io/dashboard/projects , and this automatically logs me back in. If I try to log out from e.g. https://pagure.io/fedora-infra/ansible , I'm logged out correctly. But once I click Login, I'm automatically logged in with the previous account, so this doesn't help me, unfortunately.

> You could hit the https://id.fedoraproject.org/logout/ endpoint, which will invalidate your session on Ipsilon.

It says "Successfully logged out", but Pagure still logs me in automatically without asking for username/password. Meaning:
1. Log out from Pagure (on a page that doesn't log you back in immediately)
2. https://id.fedoraproject.org/logout/
3. Log in to Pagure
4. I'm automatically logged in (no username/password prompt)

> This has always been the case, but the session expires after 5 minutes, so if you log out from Pagure more than 5 minutes after your last use of an Ipsilon session, you'll need to log in again.

That doesn't seem to work for me either. If I do the steps above, but keep >5 minutes delay between steps 2 and 3, I'm still logged in automatically without authentication.

And just when I submitted my comment, I realized the possible explanation. I deactivated my Kerberos ticket, and now I can successfully do the steps 1-4 dance, and it asks me for user credentials! Sigh, this is all very obscure :disappointed: But I can finally log in as a different user, when I remember all the steps and workarounds :tada: Thanks. Hopefully this process can be improved in the future.
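
The behaviour pieced together in this thread, as an added example that is not part of the ticket and is not Ipsilon or Pagure code: a toy model in which the app session, the identity provider session and a Kerberos ticket are three separate credentials. The class names, the `switch_account` helper and the precedence between IdP session and ticket are assumptions; only the 5-minute session lifetime comes from the comments above.

```python
from dataclasses import dataclass
from typing import Optional

IDP_SESSION_TTL = 300  # seconds; the thread gives 5 minutes for the Ipsilon session


@dataclass
class IdP:
    session_user: Optional[str] = None
    last_used: float = 0.0

    def authenticate(self, now, kerberos=None, typed=None):
        """Return (user, method). The precedence order is an assumption of this model."""
        if self.session_user and now - self.last_used <= IDP_SESSION_TTL:
            method = "idp-session"      # silent: live IdP session is reused
        elif kerberos:
            self.session_user, method = kerberos, "kerberos"  # silent: ticket
        elif typed:
            self.session_user, method = typed, "prompt"       # credentials typed
        else:
            return None, "prompt"
        self.last_used = now
        return self.session_user, method

    def logout(self):
        self.session_user = None


@dataclass
class App:
    idp: IdP
    user: Optional[str] = None

    def login(self, now, **browser):
        self.user, method = self.idp.authenticate(now, **browser)
        return method

    def logout(self, single_logout=False):
        self.user = None                # only the app's own session is cleared
        if single_logout:
            self.idp.logout()           # the extra step Single Logout would add


def switch_account(now, idp_logout=False, single_logout=False, kerberos=None):
    """alice logs in at t=0 and logs out; at t=now the user tries to log in as bob."""
    idp = IdP()
    app = App(idp)
    app.login(0, typed="alice")
    app.logout(single_logout)
    if idp_logout:
        idp.logout()
    method = app.login(now, kerberos=kerberos, typed="bob")
    return app.user, method
```

Any result other than `("bob", "prompt")` means the account switch was silently overridden by a credential the app logout never touched.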
