Geo: Single Sign Out
Implements Single Sign Out for Geo (#76 (closed)).
Initial proposal was to generate a hash based on the access_token
, but that created a O(N) cost against a desirable O(1), as a new access_token
is generated for each new login. To overcome that cost we would need to send a "public identifier" to help retrieve the correct access_token
and provide that during login process.
This is also how most Single Sign On implementations works (they provide some sort of session_id, that we notify every node to invalidate, during sign out process).
As I don't want to modify our OAuth table (that is managed by doorkeeper) nor change the way our login process work, the solution is to encrypt the access_token
using a symmetric key known by both nodes, and expire the access_token
after the logout to prevent replay attacks (otherwise we would need to send a nounce
and store that on primary).
The key is based on Gitlab::Application.secrets.db_key_base
which we already use to encrypt database attributes and is synced between both nodes. We communicate sending a state
parameter which is known terminology in OAuth protocol.
Although this is implemented with Geo only in mind, we can backport to CE (with minimal changes) and provide as a "non-standard" way of single sign off for applications that integrate with GitLab.
Fixes #522 (closed)