Skip to content

[Security] Custom Logout listeners #25212

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
magnusnordlander opened this issue Nov 29, 2017 · 2 comments · Fixed by #36243
Closed

[Security] Custom Logout listeners #25212

magnusnordlander opened this issue Nov 29, 2017 · 2 comments · Fixed by #36243
Labels
Feature Security Status: Needs Review

Comments

@magnusnordlander
Copy link
Contributor

magnusnordlander commented Nov 29, 2017
edited
Loading

Q A
Bug report? no
Feature request? yes
BC Break report? no
RFC? yes
Symfony version 4.1

I've been implementing SSO logout in a public bundle, and it's struck me that there's no really good way for a public bundle to provide logout customizations.

In this bundle (HappyrAuth0Bundle), after logging out in Symfony, I'd like to pass the user on to an endpoint on the SSO server to be logged out there, and pass the final target on to them, so the user is redirected first to the SSO server, then back to my Symfony application.

If I was just writing a regular Symfony application, this would be trivially solvable with either a logout handler, or a logout success handler, but in a public bundle, I don't want to burden my users by having them configure or possibly write those. Ideally (and what I ended up implementing in the changeset) I'd want my users to be able to just write something like the following in their security.yml.

security:
    firewalls:
        secured_area:
            pattern: ^/
            auth0_sso:
                check_path: login_check
            auth0_logout:
                path: logout
                target: /

This is somewhat doable (see the changeset above), but in order to do so, I had to create a fake provider, use an interface for something it clearly wasn't meant to (SecurityFactoryInterface), and even then, there's no way to fully replicate the behavior as in logout, because I cannot get a hold of which firewall context is currently used when creating the services.

There's also the possibility of wanting to disable functionality in the logout listener. In my auth0_logout section I don't allow for a logout success handler, because it doesn't make sense in an SSO context to allow a custom response; the response always has to be a redirect to the SSO service.

Discussion points

  • Am I wrong in thinking that it's necessary for good DX to provide a special auth0_logout key in the firewall configuration?
  • If not, what is the preferable approach in making Symfony allow bundles to provide custom logouters? Should I focus on making it possible for SecurityFactories to not return providers and entrypoints, or should I create a new interface specifically for allowing custom logout providers?
@ro0NL
Copy link
Contributor

ro0NL commented Nov 29, 2017
edited
Loading

You're talking about this simplification right?

+            auth0_logout:
-            logout:
                path: logout
                target: /
-               handlers: [your.service.id]

If so i think current DX is fine actually =/ Having both would be more confusing no? Given this a fixed scenario, perhaps automate the logout config per firewall.

it doesn't make sense in an SSO context to allow a custom response

You can't really tell i guess. Custom headers maybe?

@magnusnordlander
Copy link
Contributor Author

magnusnordlander commented Nov 29, 2017
edited
Loading

Not exactly, but pretty much. Obviously the implementation would have to be different if it was implemented in just a logout handler, but yes, that is the alternative.

You can't really tell i guess. Custom headers maybe?

Actually, the default logout success handler is fine (it returns a RedirectResponse, which is what I want anyway). It's just that in an ideal world if you're using auth0 logout, you shouldn't even be able to configure a logout success handler, because there's no use for it and it can only interfere with the logout process.

@chalasr chalasr added Feature and removed Bug labels Dec 4, 2017
@wouterj wouterj mentioned this issue Mar 27, 2020
Merged
@fabpot fabpot closed this as completed in 1fc7b86 Apr 4, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature Security Status: Needs Review
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Security] Refactor logout listener to dispatch an event instead wouterj/symfony
5 participants
@magnusnordlander @ro0NL @xabbuh @chalasr @carsonbot