# contribute-code
I have a PR that addresses a logout issue with OIDC: https://github.com/datahub-project/datahub/pull/5691
Responded! And also commented on the issue
I'll check it out tomorrow, thanks
@big-carpet-38439 so if you manually type
https:url:9002/logOut
does it log you out? Because I have tried that and it just sends me back to the dashboard and does not log out or clear the session or cookies etc.
Yeah so the routes on the backend and on the frontend differ
Let me confirm this in the case
It should only clear the idp session cookies to my knowledge
Will look into this a bit more deeply in a bit
Cool, let me know if you need me to modify anything
I can change the url to logOut if that helps trigger the backend route
@busy-dusk-4970 @big-carpet-38439 What’s the status on this? I see that the PR is awaiting review. We just discovered this the other day when we enabled OAuth
@tall-butcher-30509 the PR still needs some work. There is an issue where it breaks the regular Java auth when using this method, apparently, and I don't know Java, so we need someone from DH to look into the issue further to ensure it works for both Java and OIDC.
Got it. Thanks @busy-dusk-4970 Currently we are working around it with private windows.
Can you elaborate on what exactly you are doing?
Yeah sure. We are a large enterprise, and we have many of our systems set up on cloud providers. Also, we have federated our corporate domain with those providers' IAM services. Since most of our applications are SSO, and many make use of IAM/OIDC for RBAC, we wanted to enable the same for DataHub. This has basically been successful in testing, but as you know, we can't log out. This is not necessarily a huge problem since other security factors are in place, and the session should time out anyway. However, we are currently keeping the default 'datahub' admin account as a backup. If we want to use it interactively (make a new API key, check some permissions, etc.), we need to use a new private window in our browser (which also forces us to re-authenticate with SSO). So, this is more of a nuisance for dev/integration teams, but to be honest it doesn't inspire confidence in the overall security design and would be hard to explain to our security team.
Agreed on the security aspect of it, and yes, regular users will most likely not encounter this issue, but if you are doing any integrations with other apps using SSO and SLO it's a big problem and a security risk of possible data exposure.
@busy-dusk-4970 What error did you get when you tried your PR? I had a quick look. It looks like you modified the React app to directly call a "/logout" (lowercase o) endpoint. There is actually an existing "/logOut" (capital O) endpoint configured: https://github.com/datahub-project/datahub/blob/6f09f1025e5c0f9b96b3d09434d3d8e96fe27348/datahub-frontend/conf/routes#L21 I'm not sure if the case has anything to do with it, but my understanding is that you shouldn't get an error because the API endpoint is the same. I'm guessing that it's the "executeLogout()" method behind that endpoint that needs to be updated. Looking at the Java code, it is using the default out-of-the-box procedure. https://github.com/datahub-project/datahub/blob/6f09f1025e5c0f9b96b3d09434d3d8e96f[…]8/datahub-frontend/app/controllers/CentralLogoutController.java
So it's most likely a routing issue: because the Java backend is served on the same URL/port as the frontend, React is trying to route to a non-existing endpoint, I believe. I was getting a CORS issue with the backend whenever I tried to do the fetch to the /logOut Java route. I'll see if I can mess with it some more over the weekend.