LOGOUT_URL doesnot work if its not HTTPS & SLO (Single log out) messages not being sent.
Opened this issue · 26 comments
Hi, I got Single Sign-On working with different python apps in different virtual environments. Its combination of django-mama-cas as a server, and django-cas-ng on the clients. SSO is piece of cake. 9I referred the documentation and this article as well.
But, I have noticed that on Logout from one app, I am still Signed into the other apps. On the terminal (after running manage.py runserver), I see that the SLO (Single log out) messages are not sent to any other app if the LOGOUT_URL is not HTTPS.
But, when I set LOGOUT_URL = 'https://', it tries to send the Logout message. But, since I am running in development environment, so I get the following error:
requests.exceptions.ProxyError: HTTPSConnectionPool(host='127.0.1.1', port=9898): Max retries exceeded with url: /admin/callback (Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 403 Forbidden',)))
That most likely due to the self-signed SSL certificates.
Can you please tell me if this is the desired behavior to have LOGOUT_URL as HTTPS? And, any specific procedure to look at the logs of django-mama-cas only which will help to troubleshoot this?
FYI I am using:
django-mama-cas==2.3.0 (as server)
django-cas-ng==3.5.8 (on the client side)
Hi @amanjots,
Of course you want HTTPS every time sensitive information like tokens or cookies travel across the network.
I'd say it is trying to use a proxy and it is not configured correctly, or you are not listening on the 443 port, I mean, it doesn't look like a CAS problem, but a network configuration problem.
@manelclos I agree that sensitive information should be HTTPS. But my question is that in a development environment, where it may not have HTTPS all the time, does django-mama-cas still needs HTTPS in LOGOUT_URL?
I tried to trace all the django requests being sent or received. with django-request. And, I found that when a user clicks on Logout, he is logged out of the app, but there is no POST request sent for SLO messages to the other apps. So, user remains signed in the other apps.
I don't think so. I'll try to do some testing using the repository from #59 to check for both issues.
Ops, previous response if for previous comment. About your new comment, I think there is some bad configuration on your side.
Can you check that in the client you are using
CAS_LOGOUT_COMPLETELY = True
CAS_VERSION = '3'
and that you have this in your urls.py?
from django_cas_ng import views as cas_views
urlpatterns = [
...
url(r'^accounts/login/$', cas_views.login, name='login'),
url(r'^accounts/logout/$', cas_views.logout, name='logout'),
url(r'^admin/logout/$', cas_views.logout),
....
@manelclos yes the client has settings (CAS_LOGOUT_COMPLETELY = True & CAS_VERSION = '3'). In the URLs of the first django virtual environment, the Wagtail's admin authentication is to be handled by the django-ng-cas client, so the urls are:
url(r'^admin/login/$', cas_views.login, name='cas_ng_login'),
url(r'^admin/logout/$', cas_views.logout, name='cas_ng_logout'),
url(r'^accounts/callback$', cas_views.callback, name='cas_ng_proxy_callback'),
And, the third virtual environment is having django-helpdesk, and to use CAS for its authentication I have changed the url's to following:
url(r'^login/$', cas_views.login, name='cas_ng_login'),
url(r'^logout/$', cas_views.logout, name='cas_ng_logout'),
url(r'^accounts/callback$', cas_views.callback, name='cas_ng_proxy_callback'),
As per this tutorial , the callback "url processes logout request that comes from the CAS server." That's why I have used it in this way, and have also tried 'admin/callback' or 'accounts/callback' or even commenting it out as well.
In the above config, single sign-on works perfectly fine. But, single log out doesn't work at all.
I've never used the callback setting in urls.py.
@manelclos: I have tried without callback setitngs also, and SLO still doesn't work.
Further, I saw that you had found an issue with SLO before and tested it to work properly in #27
Can you please share the settings (from settings.py) and URLs of django-mama-cas and django-cas-ng that works for you? Thanks.
Hi @amanjots, I got some time today for testing this. Maybe you are missing this on the settings.py of the server (mama_cas):
MAMA_CAS_ENABLE_SINGLE_SIGN_OUT = True
I've fixed the SSO and SLO configurations so they are working in this example: https://github.com/manelclos/django-cas-test
See that when you log out from "cas_client" (app1) the cookie for the cas_server is deleted and also the one for "cas_client" (app1). "second_client" (app2) cookie is not deleted until you access "second_client" again.
Let me know if you get it working with the example repository.
@manelclos Thanks a lot for your reply and providing the example. Have you tested django-mama-cas server with 'MAMA_CAS_SERVICES'
because the way you have configured CAS server it is operating in "open mode".
So can you once check if you configure 'MAMA_CAS_SERVICES' in settings.py of cas server, does it work properly? If you can update the config after testing this, that will really help to resolve the issue. Thanks again. :)
@manelclos Thanks again. Can you please add 'MAMA_CAS_SERVICES' configuration that you tested to be working to https://github.com/manelclos/django-cas-test ?
Sure thing, see here: manelclos/django-cas-test@f1b1dd9
On the server you can check:
$ python manage.py checkservice http://127.0.0.1
Invalid service: http://127.0.0.1
$ python manage.py checkservice http://127.0.0.1:8001
Valid service: http://127.0.0.1:8001
Proxy allowed: True
Logout allowed: True
Logout URL: None
Callbacks:
@manelclos I will have to do the testing again soon. Actually, the project structure that I was working on is changed completely. So, I will have to setup my separate project to test this issue. Kindly allow me few days to ensure this issue is resolved. Thanks.
Thanks for the description - from this thread I figured out how to make this mama-client thing going. For me also does not work the single log out in local development mode if I use http protocol. I'll check on staging, if it works with https.
Manel, ( @manelclos ) I have a multi-language multi-domain site. I have - as you suggested:
settings.py:
MAMA_CAS_ENABLE_SINGLE_SIGN_OUT = True
CAS_LOGOUT_COMPLETELY = True
CAS_VERSION = '3'
urls.py:
path('accounts/', include('django.contrib.auth.urls')),
url(r'^cas/', include('mama_cas.urls')),
path('accounts/login', django_cas_ng.views.LoginView.as_view(), name='cas_ng_login'),
path('accounts/logout', django_cas_ng.views.LogoutView.as_view(), name='cas_ng_logout'),
url(r'^admin/logout/$', django_cas_ng.views.LogoutView.as_view()),
- first I log in on Site1
- then I go to Site2 and get automatically logged in
- now I log out on Site2
- expect to get logged out on Site1 but I stay logged in.
What am I missing?
Probably relevant part of my requirements.txt:
django-cas-ng==3.6.0
django-hosts==3.0
django-mama-cas==2.4.0
django==2.2.2
Ok, now I've figured out. MAMA CAS calls back the relevant CAS clients and says goodbye.
For that MAMA CAS has to be said where to say good bye (it is done using the MAMA_CAS_SERVICES config variable) and the client has to provide a place for calling back (in case of DJANGO_CAS_NG it is CallbackView - they recommend setting "/acconts/callback" as AP).
@BarnabasSzabolcs do you mean 'LOGOUT_URL': 'http://127.0.1.1:80/accounts/callback' in the MAMA_CAS_SERVICES?
thanks,I have the same problem.
@lluww probably yes. My solution was to put my server behind nginx, locally.
The fact that request.user is AnonymousUser in the LogoutView function means that the logout_user(request) function will not be executed, resulting in a single logout failure, but I can't find a solution.
@BarnabasSzabolcs
thanks,I will configure nginx and try again, only change 'LOGOUT_URL' doesn't work.
@lluww
Ah, one more thing: with nginx I use mkcert https://github.com/FiloSottile/mkcert to generate local ssh certificates.
ssl_certificate /full/path/to/mypage.test-fullchain.pem;
ssl_certificate_key /full/path/to/mypage.test-key.pem;
and then mama-cas works fine for me. (otherwise I get some weird redirect on logout... something like http://127.0.0.1:8000/http://127.0.0.1:8000/)
@BarnabasSzabolcs Oh, I know my problem. I guess I forget to add 'django_cas_ng.middleware.CASMiddleware' in client app's setting.MIDDLEWARE. After that I can single-logout.
I haven't install nginx
this is my logout url:
Request URL: http://127.0.0.1:8000/logout?service=http%3A%2F%2F127.0.1.2%3A8000%2F
Request Method: GET
Status Code: 302 Found
Remote Address: 127.0.0.1:8000
#setting.py server
MAMA_CAS_SERVICES = [
{
'SERVICE': 'http://127.0.1.1:8000',
'CALLBACKS': [
'mama_cas.callbacks.user_model_attributes',
],
'LOGOUT_ALLOW': True,
'LOGOUT_URL': 'http://127.0.1.1:8000/accounts/callback',
'PROXY_ALLOW': True,
# 'PROXY_PATTERN': '^https://proxy.example.com',
},
{
'SERVICE': 'http://127.0.1.2:8000',
'CALLBACKS': [
'mama_cas.callbacks.user_model_attributes',
],
'LOGOUT_ALLOW': True,
'LOGOUT_URL': 'http://127.0.1.2:8000/accounts/callback',
'PROXY_ALLOW': True,
# 'PROXY_PATTERN': '^https://proxy.example.com',
}
]
MAMA_CAS_ENABLE_SINGLE_SIGN_OUT = True
#setting.py client
ALLOWED_HOSTS = ['127.0.1.2']
CAS_SERVER_URL = 'http://127.0.0.1:8000'
CAS_VERSION = '3'
CAS_APPLY_ATTRIBUTES_TO_USER = True
CAS_LOGOUT_COMPLETELY = True
AUTHENTICATION_BACKENDS = (
'django.contrib.auth.backends.ModelBackend',
'django_cas_ng.backends.CASBackend',
)
Hello, I have a problem in making a logout system using mama cas, I can't get service at the login URL after logging out.
How to get service in URL when logout using mama cas?