"logout_url" does not seem to be respected from omniauth provider (#24510) · Issues · GitLab.org / GitLab

"logout_url" does not seem to be respected from omniauth provider

Summary

With omniauth enabled, and with a given logout_url, the proper redirection does not take place on sign-out

Steps to reproduce

Configure Gitlab to use a CAS omniauth provider that specifies a logout_url. Sign out. Notice you are not redirected to the URL you specified.

Configuration used

Here is our values config:

omniauth:
  enabled: true
  autoSignInWithProvider: cas3
  syncProfileFromProvider: ['cas3']
  syncProfileAttributes: ['cas3']
  allowSingleSignOn: ['cas3']
  blockAutoCreatedUsers: false
  autoLinkLdapUser: false
  autoLinkSamlUser: false
  externalProviders: []
  providers:
  - secret: gitlab-cas-secret
    name: provider

And here is the CAS json (that is set in the gitlab-cas-secret):

{
  "name": "cas3",
  "label": "My CAS",
  "args": {
      "url": "https://cas.provider.net",
      "login_url": "/cas/login",
      "service_validate_url": "/cas/serviceValidate",
      "logout_url": "/cas/logout",
      "nickname_key": "username"
  }
}

I also tried creating the secret with yaml to see if that made a difference (it didn't):

---
name: cas3
label: My CAS
args:
  url: https://cas.provider.net
  login_url: "/cas/login"
  service_validate_url: "/cas/serviceValidate"
  logout_url: "/cas/logout"
  nickname_key: username

Current behavior

All of the sign-in feature of the provider work perfectly (auto sign-in, the login redirect, etc, are all fine) - but if a user tries to sign out they are automatically signed back in - because the logout url is not redirected to /cas/logout as expected, instead it is just going to /users/sign_in.

Expected behavior

The URL redirection would work as expected. FWIW this same configuration works fine in our omnibus deployment.

Versions

Chart: latest
Platform:
- Self-hosted: IBM Cloud
Kubernetes: (kubectl version)
- Client: 1.10
- Server: 1.11
Helm: (helm version)
- Client: 2.8.2
- Server: 2.8.2

Relevant logs

Here is a kubetail capture of the unicorn log when a user tries to sign out:

[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] ==> /var/log/gitlab/production.log <== 
[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] Started GET "/users/sign_out" for xxx.xxx.xxx.xxx at 2018-10-03 16:53:01 +0000 
[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] Processing by SessionsController#destroy as HTML 
[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] Redirected to https://gitlab-test.net/users/sign_in 
[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] Completed 302 Found in 95ms (ActiveRecord: 21.0ms)

## Summary

With omniauth enabled, and with a given `logout_url`, the proper redirection does not take place on sign-out

## Steps to reproduce

Configure Gitlab to use a CAS omniauth provider that specifies a `logout_url`. Sign out. Notice you are not redirected to the URL you specified.

## Configuration used
Here is our values config:
```yaml
omniauth:
  enabled: true
  autoSignInWithProvider: cas3
  syncProfileFromProvider: ['cas3']
  syncProfileAttributes: ['cas3']
  allowSingleSignOn: ['cas3']
  blockAutoCreatedUsers: false
  autoLinkLdapUser: false
  autoLinkSamlUser: false
  externalProviders: []
  providers:
  - secret: gitlab-cas-secret
    name: provider
```
And here is the CAS json (that is set in the `gitlab-cas-secret`):
```json
{
  "name": "cas3",
  "label": "My CAS",
  "args": {
      "url": "https://cas.provider.net",
      "login_url": "/cas/login",
      "service_validate_url": "/cas/serviceValidate",
      "logout_url": "/cas/logout",
      "nickname_key": "username"
  }
}
```
I also tried creating the secret with yaml to see if that made a difference (it didn't):
```yaml
---
name: cas3
label: My CAS
args:
  url: https://cas.provider.net
  login_url: "/cas/login"
  service_validate_url: "/cas/serviceValidate"
  logout_url: "/cas/logout"
  nickname_key: username
```
## Current behavior

All of the sign-in feature of the provider work perfectly (auto sign-in, the login redirect, etc, are all fine) - but if a user tries to sign out they are automatically signed back in - because the logout url is not redirected to `/cas/logout` as expected, instead it is just going to `/users/sign_in`.

## Expected behavior

The URL redirection would work as expected. FWIW this same configuration works fine in our omnibus deployment.

## Versions

- Chart: latest
- Platform: 
  - Self-hosted: IBM Cloud
- Kubernetes: (`kubectl version`)
  - Client: 1.10
  - Server: 1.11
- Helm: (`helm version`)
  - Client: 2.8.2
  - Server: 2.8.2

## Relevant logs

Here is a `kubetail` capture of the unicorn log when a user tries to sign out:
```
[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] ==> /var/log/gitlab/production.log <== 
[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] Started GET "/users/sign_out" for xxx.xxx.xxx.xxx at 2018-10-03 16:53:01 +0000 
[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] Processing by SessionsController#destroy as HTML 
[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] Redirected to https://gitlab-test.net/users/sign_in 
[gitlab-unicorn-5d7f59d7c5-wqmgr unicorn] Completed 302 Found in 95ms (ActiveRecord: 21.0ms) 
```

Discussion
Designs