Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

LOGOUT_URL doesnot work if its not HTTPS & SLO (Single log out) messages not being sent. #60

Open
ghost opened this issue Feb 8, 2018 · 26 comments
Labels

Comments

@ghost
Copy link

ghost commented Feb 8, 2018

Hi, I got Single Sign-On working with different python apps in different virtual environments. Its combination of django-mama-cas as a server, and django-cas-ng on the clients. SSO is piece of cake. 9I referred the documentation and this article as well.

But, I have noticed that on Logout from one app, I am still Signed into the other apps. On the terminal (after running manage.py runserver), I see that the SLO (Single log out) messages are not sent to any other app if the LOGOUT_URL is not HTTPS.

But, when I set LOGOUT_URL = 'https://', it tries to send the Logout message. But, since I am running in development environment, so I get the following error:

requests.exceptions.ProxyError: HTTPSConnectionPool(host='127.0.1.1', port=9898): Max retries exceeded with url: /admin/callback (Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 403 Forbidden',)))

That most likely due to the self-signed SSL certificates.
Can you please tell me if this is the desired behavior to have LOGOUT_URL as HTTPS? And, any specific procedure to look at the logs of django-mama-cas only which will help to troubleshoot this?

@ghost
Copy link
Author

ghost commented Feb 8, 2018

FYI I am using:

django-mama-cas==2.3.0 (as server)
django-cas-ng==3.5.8 (on the client side)

@manelclos
Copy link
Collaborator

Hi @amanjots,

Of course you want HTTPS every time sensitive information like tokens or cookies travel across the network.

I'd say it is trying to use a proxy and it is not configured correctly, or you are not listening on the 443 port, I mean, it doesn't look like a CAS problem, but a network configuration problem.

@ghost
Copy link
Author

ghost commented Feb 9, 2018

@manelclos I agree that sensitive information should be HTTPS. But my question is that in a development environment, where it may not have HTTPS all the time, does django-mama-cas still needs HTTPS in LOGOUT_URL?

@ghost ghost changed the title LOGOUT_URL doesnot work if its not HTTPS LOGOUT_URL doesnot work if its not HTTPS & SLO messages not being sent. Feb 9, 2018
@ghost ghost changed the title LOGOUT_URL doesnot work if its not HTTPS & SLO messages not being sent. LOGOUT_URL doesnot work if its not HTTPS & SLO (Single log out) messages not being sent. Feb 9, 2018
@ghost
Copy link
Author

ghost commented Feb 9, 2018

I tried to trace all the django requests being sent or received. with django-request. And, I found that when a user clicks on Logout, he is logged out of the app, but there is no POST request sent for SLO messages to the other apps. So, user remains signed in the other apps.

@manelclos
Copy link
Collaborator

I don't think so. I'll try to do some testing using the repository from #59 to check for both issues.

@manelclos
Copy link
Collaborator

Ops, previous response if for previous comment. About your new comment, I think there is some bad configuration on your side.

@manelclos
Copy link
Collaborator

Can you check that in the client you are using

CAS_LOGOUT_COMPLETELY = True
CAS_VERSION = '3'

and that you have this in your urls.py?

from django_cas_ng import views as cas_views

urlpatterns = [
    ...
    url(r'^accounts/login/$', cas_views.login, name='login'),
    url(r'^accounts/logout/$', cas_views.logout, name='logout'),
    url(r'^admin/logout/$', cas_views.logout),
    ....

@ghost
Copy link
Author

ghost commented Feb 10, 2018

@manelclos yes the client has settings (CAS_LOGOUT_COMPLETELY = True & CAS_VERSION = '3'). In the URLs of the first django virtual environment, the Wagtail's admin authentication is to be handled by the django-ng-cas client, so the urls are:

    url(r'^admin/login/$', cas_views.login, name='cas_ng_login'),
    url(r'^admin/logout/$', cas_views.logout, name='cas_ng_logout'),
    url(r'^accounts/callback$', cas_views.callback, name='cas_ng_proxy_callback'),

And, the third virtual environment is having django-helpdesk, and to use CAS for its authentication I have changed the url's to following:

    url(r'^login/$', cas_views.login, name='cas_ng_login'),
    url(r'^logout/$', cas_views.logout, name='cas_ng_logout'),
    url(r'^accounts/callback$', cas_views.callback, name='cas_ng_proxy_callback'),

As per this tutorial , the callback "url processes logout request that comes from the CAS server." That's why I have used it in this way, and have also tried 'admin/callback' or 'accounts/callback' or even commenting it out as well.

In the above config, single sign-on works perfectly fine. But, single log out doesn't work at all.

@manelclos
Copy link
Collaborator

I've never used the callback setting in urls.py.

@ghost
Copy link
Author

ghost commented Feb 12, 2018

@manelclos: I have tried without callback setitngs also, and SLO still doesn't work.

Further, I saw that you had found an issue with SLO before and tested it to work properly in #27

Can you please share the settings (from settings.py) and URLs of django-mama-cas and django-cas-ng that works for you? Thanks.

@manelclos
Copy link
Collaborator

Hi @amanjots, I got some time today for testing this. Maybe you are missing this on the settings.py of the server (mama_cas):

MAMA_CAS_ENABLE_SINGLE_SIGN_OUT = True

I've fixed the SSO and SLO configurations so they are working in this example: https://github.com/manelclos/django-cas-test

See that when you log out from "cas_client" (app1) the cookie for the cas_server is deleted and also the one for "cas_client" (app1). "second_client" (app2) cookie is not deleted until you access "second_client" again.

Let me know if you get it working with the example repository.

@ghost
Copy link
Author

ghost commented Feb 14, 2018

@manelclos Thanks a lot for your reply and providing the example. Have you tested django-mama-cas server with 'MAMA_CAS_SERVICES'
because the way you have configured CAS server it is operating in "open mode".

So can you once check if you configure 'MAMA_CAS_SERVICES' in settings.py of cas server, does it work properly? If you can update the config after testing this, that will really help to resolve the issue. Thanks again. :)

@manelclos
Copy link
Collaborator

manelclos commented Feb 14, 2018 via email

@ghost
Copy link
Author

ghost commented Feb 15, 2018

@manelclos Thanks again. Can you please add 'MAMA_CAS_SERVICES' configuration that you tested to be working to https://github.com/manelclos/django-cas-test ?

@manelclos
Copy link
Collaborator

Sure thing, see here: manelclos/django-cas-test@f1b1dd9

On the server you can check:

$ python manage.py checkservice http://127.0.0.1
Invalid service: http://127.0.0.1

$ python manage.py checkservice http://127.0.0.1:8001
Valid service: http://127.0.0.1:8001
  Proxy allowed: True
  Logout allowed: True
  Logout URL: None
  Callbacks: 

@manelclos
Copy link
Collaborator

@amanjots is this issue fixed?

@ghost
Copy link
Author

ghost commented Mar 1, 2018

@manelclos I will have to do the testing again soon. Actually, the project structure that I was working on is changed completely. So, I will have to setup my separate project to test this issue. Kindly allow me few days to ensure this issue is resolved. Thanks.

@BarnabasSzabolcs
Copy link

BarnabasSzabolcs commented Oct 20, 2019

Thanks for the description - from this thread I figured out how to make this mama-client thing going. For me also does not work the single log out in local development mode if I use http protocol. I'll check on staging, if it works with https.

Manel, ( @manelclos ) I have a multi-language multi-domain site. I have - as you suggested:

settings.py:

MAMA_CAS_ENABLE_SINGLE_SIGN_OUT = True
CAS_LOGOUT_COMPLETELY = True
CAS_VERSION = '3'

urls.py:

    path('accounts/', include('django.contrib.auth.urls')),
    url(r'^cas/', include('mama_cas.urls')),
    path('accounts/login', django_cas_ng.views.LoginView.as_view(), name='cas_ng_login'),
    path('accounts/logout', django_cas_ng.views.LogoutView.as_view(), name='cas_ng_logout'),
    url(r'^admin/logout/$', django_cas_ng.views.LogoutView.as_view()),
  • first I log in on Site1
  • then I go to Site2 and get automatically logged in
  • now I log out on Site2
  • expect to get logged out on Site1 but I stay logged in.

What am I missing?

Probably relevant part of my requirements.txt:

django-cas-ng==3.6.0
django-hosts==3.0
django-mama-cas==2.4.0
django==2.2.2

@BarnabasSzabolcs
Copy link

Ok, now I've figured out. MAMA CAS calls back the relevant CAS clients and says goodbye.
For that MAMA CAS has to be said where to say good bye (it is done using the MAMA_CAS_SERVICES config variable) and the client has to provide a place for calling back (in case of DJANGO_CAS_NG it is CallbackView - they recommend setting "/acconts/callback" as AP).

@lluww
Copy link

lluww commented Dec 27, 2019

@BarnabasSzabolcs do you mean 'LOGOUT_URL': 'http://127.0.1.1:80/accounts/callback' in the MAMA_CAS_SERVICES?

thanks,I have the same problem.

@BarnabasSzabolcs
Copy link

BarnabasSzabolcs commented Dec 28, 2019

@lluww probably yes. My solution was to put my server behind nginx, locally.

@zhao-dapeng
Copy link

截屏2019-12-30下午4 49 06

The fact that request.user is AnonymousUser in the LogoutView function means that the logout_user(request) function will not be executed, resulting in a single logout failure, but I can't find a solution.

@lluww
Copy link

lluww commented Dec 30, 2019

@BarnabasSzabolcs
thanks,I will configure nginx and try again, only change 'LOGOUT_URL' doesn't work.

@BarnabasSzabolcs
Copy link

BarnabasSzabolcs commented Dec 30, 2019

@lluww
Ah, one more thing: with nginx I use mkcert https://github.com/FiloSottile/mkcert to generate local ssh certificates.

ssl_certificate /full/path/to/mypage.test-fullchain.pem;
ssl_certificate_key /full/path/to/mypage.test-key.pem;

and then mama-cas works fine for me. (otherwise I get some weird redirect on logout... something like http://127.0.0.1:8000/http://127.0.0.1:8000/)

@lluww
Copy link

lluww commented Dec 31, 2019

@BarnabasSzabolcs Oh, I know my problem. I guess I forget to add 'django_cas_ng.middleware.CASMiddleware' in client app's setting.MIDDLEWARE. After that I can single-logout.

I haven't install nginx
this is my logout url:
Request URL: http://127.0.0.1:8000/logout?service=http%3A%2F%2F127.0.1.2%3A8000%2F
Request Method: GET
Status Code: 302 Found
Remote Address: 127.0.0.1:8000

#setting.py server
MAMA_CAS_SERVICES = [
{
'SERVICE': 'http://127.0.1.1:8000',
'CALLBACKS': [
'mama_cas.callbacks.user_model_attributes',
],
'LOGOUT_ALLOW': True,
'LOGOUT_URL': 'http://127.0.1.1:8000/accounts/callback',
'PROXY_ALLOW': True,
# 'PROXY_PATTERN': '^https://proxy.example.com',
},
{
'SERVICE': 'http://127.0.1.2:8000',
'CALLBACKS': [
'mama_cas.callbacks.user_model_attributes',
],
'LOGOUT_ALLOW': True,
'LOGOUT_URL': 'http://127.0.1.2:8000/accounts/callback',
'PROXY_ALLOW': True,
# 'PROXY_PATTERN': '^https://proxy.example.com',
}
]
MAMA_CAS_ENABLE_SINGLE_SIGN_OUT = True

#setting.py client
ALLOWED_HOSTS = ['127.0.1.2']

CAS_SERVER_URL = 'http://127.0.0.1:8000'

CAS_VERSION = '3'

CAS_APPLY_ATTRIBUTES_TO_USER = True

CAS_LOGOUT_COMPLETELY = True

AUTHENTICATION_BACKENDS = (
'django.contrib.auth.backends.ModelBackend',
'django_cas_ng.backends.CASBackend',
)

@girikusuma
Copy link

Hello, I have a problem in making a logout system using mama cas, I can't get service at the login URL after logging out.
How to get service in URL when logout using mama cas?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

5 participants