Handling Logouts with Form auth #1

Closed
fjasis opened this issue Jul 28, 2023 · 5 comments

Comments

@fjasis

fjasis commented Jul 28, 2023

After some research, there is not a good way to do logouts on Quarkus form authentication, as they aimed the development towards OIDC. There are some workarounds, for example here quarkusio/quarkus#27389 (comment) and https://stackoverflow.com/questions/68640209/quarkus-http-authentication-logout. After searching the Vaadin documentation, the best bet would be to execute JavaScript code with this https://vaadin.com/docs/latest/advanced/browser-access#executing-javascript-in-the-browser and use the answer on the Stack Overflow post. I haven't tried it yet, but it shows some promise. Another way would be to invalidate the cookie using Vert.x while tapping into the Vaadin session or the POST requests.

@ErrorProne
Collaborator

ErrorProne commented Jul 28, 2023

Now I get the point. What we are doing so far: when a user presses the logout button, we call a REST endpoint which indeed expires the cookie.

Roughly something like this:

import java.time.Instant;
import java.util.Date;
import java.util.Optional;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import io.quarkus.security.Authenticated;
import jakarta.ws.rs.*;
import jakarta.ws.rs.core.*;

@Path("/")
public class LogoutResource {
    static final String URI_LOGOUT = "/logout"; // not shown in the original snippet; illustrative value

    // Read the cookie name from config so the cleared cookie matches the one Quarkus issued
    @ConfigProperty(name = "quarkus.http.auth.form.cookie-name")
    Optional<String> formAuthCookieName;

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    @Path(URI_LOGOUT)
    @Authenticated
    public Response logout(@Context SecurityContext security) {
        // Re-issue the cookie empty and already expired so the browser discards it
        NewCookie cookie = new NewCookie.Builder(formAuthCookieName.get())
                .value("")
                .path("/")
                .domain(null)
                .maxAge(0)
                .expiry(Date.from(Instant.EPOCH))
                .build();
        Response.ResponseBuilder clientResponse = Response.ok();
        clientResponse.cookie(cookie);
        return clientResponse.build();
    }
}

Quarkus does not hold a local session but restores the session upon request from the encrypted cookie.

That being said, we have not yet looked into whether Vaadin creates and holds an extra user session that must be invalidated. If you know something about that, please feel free to share.

@fjasis
Author

fjasis commented Jul 28, 2023

From what I can see, Vaadin can close the session, but I don't know if it is necessary to do so. I tested like you mentioned and indeed it deletes the Quarkus token. How do you call the endpoint? With navigation?

@ErrorProne
Collaborator

Pretty simple:

import com.vaadin.flow.component.UI;
import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.icon.*;
// Paths.LOGOUT: the starter's constant holding the logout endpoint path
Button logout = new Button(new Icon(VaadinIcon.SIGN_OUT),
        e -> UI.getCurrent().getPage().setLocation(Paths.LOGOUT)); // full page load, not UI.navigate()

I'll see if we can enhance the starter with an example
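The two snippets above, put together into one complete round-trip, as an added example that is not the starter's own code. It assumes Quarkus 3 (jakarta.* APIs), a login page at /login, and that the form-auth cookie was issued with Path=/ (the Quarkus default); the resource and view class names are illustrative. Two details matter for the cookie to actually disappear: the cleared cookie must carry the same name and Path as the issued one, and the button must trigger a real browser navigation (setLocation), because an in-app UI.navigate() goes over the Vaadin XHR channel and the browser never processes the Set-Cookie header as a page load.

```java
// Added example: complete logout flow for Quarkus form authentication driven from a Vaadin button.
// Assumptions: Quarkus 3 (jakarta.* APIs), login page at /login, form-auth cookie issued with Path=/.
package org.acme.logout;

import java.net.URI;
import java.time.Instant;
import java.util.Date;
import java.util.Optional;

import org.eclipse.microprofile.config.inject.ConfigProperty;

import com.vaadin.flow.component.UI;
import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.icon.Icon;
import com.vaadin.flow.component.icon.VaadinIcon;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.server.VaadinSession;

import io.quarkus.security.Authenticated;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.NewCookie;
import jakarta.ws.rs.core.Response;

/** Server side: expire the credential cookie and send the browser to the login page. */
@Path(LogoutResource.URI_LOGOUT)
public class LogoutResource {

    public static final String URI_LOGOUT = "/logout"; // illustrative path, not the starter's constant

    // Read the configured cookie name so the cleared cookie matches the issued one.
    // "quarkus-credential" is the Quarkus default for this property.
    @ConfigProperty(name = "quarkus.http.auth.form.cookie-name")
    Optional<String> formAuthCookieName;

    @GET
    @Authenticated // an anonymous caller has nothing to log out of; Quarkus challenges it instead
    public Response logout() {
        NewCookie expired = new NewCookie.Builder(formAuthCookieName.orElse("quarkus-credential"))
                .value("")
                .path("/")                        // must equal the Path of the cookie Quarkus set
                .maxAge(0)                        // Max-Age=0 tells the browser to drop it immediately
                .expiry(Date.from(Instant.EPOCH)) // Expires in the past for clients that ignore Max-Age
                .build();
        // 303 makes the browser do a fresh GET of /login with the credential cookie already gone.
        return Response.seeOther(URI.create("/login"))
                .cookie(expired)
                .build();
    }
}

/** Client side: a Vaadin view whose logout button performs a full page navigation. */
@Route("")
class MainView extends VerticalLayout {

    MainView() {
        Button logout = new Button(new Icon(VaadinIcon.SIGN_OUT), e -> {
            // setLocation() is a real browser navigation, so the Set-Cookie header on the
            // /logout response is honoured. UI.navigate() would only change the in-app route
            // over the Vaadin XHR channel and never leave the page, which is why it did not work.
            UI.getCurrent().getPage().setLocation(LogoutResource.URI_LOGOUT);
            // Optional: also discard the Vaadin-side session state. The thread leaves open whether
            // this is required; the Quarkus credential itself lives only in the cookie.
            VaadinSession.getCurrent().close();
        });
        add(logout);
    }
}
```

A quick check after clicking the button: the response to GET /logout should carry a Set-Cookie for the configured cookie name with an empty value, Max-Age=0 and the same Path as the original cookie, followed by a 303 to /login; if the cookie survives, the name or Path does not match what Quarkus issued.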

@fjasis
Author

fjasis commented Jul 29, 2023

Thanks, I was doing it with navigate and it was not working properly. That would be great! I would try to add the basic JPA auth too; it is not hard to implement but would be a bit clearer to new people trying it out. Also there could be some hackery that could be done to implement OIDC, as you can tap into the requests Vaadin makes, but I do not know how hard it would be to implement.

@benjaminrau
Contributor

We added a logout example to the starter recently.
