Jenkins / JENKINS-33286

Logging out with google-login-plugin does not work

      Description

      When I log out from a session logged in via google-login-plugin, it is still logged in.

      I know anybody can revoke grants from Google, but this behaviour is not helpful at all.

      I tried with incognito mode in Chrome and the situation is the same.

      This means that anybody logged in outside the office, say public place, can leave the browser logged in.

            Activity

            vlatombe Vincent Latombe added a comment -

            Please note that the plugin will never log you out from Google. It is your responsibility to do so. If you are in a public place, you shouldn't use options such as 'Remember Me', and you should close the browser session when you are done.

            recampbell Ryan Campbell added a comment -

            Fixed in 1.3

            nadavr Nadav Ruskin added a comment - - edited

            I encounter this bug with version 1.3. I have everything set up according to documentation, but I cannot logout. Clicking logout takes me to http://my_jenkins/securityRealm/loggedOut , but doesn't log out.

             

            This practically renders the plugin useless. Not being able to log out is a giant security breach.

            nadavr Nadav Ruskin added a comment -

            Apparently my symptom resulted from a funky corner case:
            Using Role-based Authorization Strategy and not giving anonymous users any access combined with the Google Login plugin will make you unable to log out at all.
            Credits to this thread for helping me realize this.

            However, I now suffer from a severely worse bug! After logging out, I may click "log in", but it automatically logs back into the previous user.
            Note that I even have "Disable remember me" enabled on security.

            vlatombe Vincent Latombe added a comment -

            Nadav Ruskin Please re-read my first comment. Logging you out from Jenkins doesn't change the fact that your browser is still logged in to your Google account. You need to log out from Google as well, separately.

            nadavr Nadav Ruskin added a comment - - edited

            Vincent Latombe Thank you for clarifying. I did read that comment, but I didn't realize I was logged into Google: When going to Google.com I was not logged in until I clicked "Sign in", which automatically signed me in. I was then able to "Sign out" from Google.

            I now see that logging out from Google does not log you out from Jenkins as well- The user is required to log out from both google.com and Jenkins.

            My company's users will probably not be thrilled about this process, to say the least. It is especially confusing since Jenkins logs you into Google by itself, but will not log you out by itself. Will you not consider revising this (if possible)?

            vlatombe Vincent Latombe added a comment -

            Nadav Ruskin This is up to Google behaviour. You can read more about the subject on https://stackoverflow.com/questions/12909332/how-to-logout-of-an-application-where-i-used-oauth2-to-login-with-google for example.

            nadavr Nadav Ruskin added a comment -

            Vincent Latombe Thank you for the quick reply. I now better understand the problem.

            As I understand it now, it is not possible to use Google's service for checking credentials, but it is fundamental to be actually logged into Google to receive an authorization token. Am I correct? If so, that is unfortunate. I thought this plugin simply asks Google for a token, and does not actually log into Google. I see now that my preconceptions were wrong. Sorry for raising noise about it, maybe the official docs need a note clarifying it at the beginning for people like me who were not knowledgeable in how Google logins work.
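
The two independent sessions discussed in this thread, as an added toy model (not code from the plugin or from any commenter): the browser holds one session at the identity provider and a separate one at Jenkins, and each logout clears only its own. `IdP`, `RelyingParty` and `next_visitor_gets` are hypothetical names; `prompt=login` is the OpenID Connect Core request parameter that asks for re-authentication, and whether Google or the plugin honours it is not stated in the thread.

```python
from dataclasses import dataclass, field

@dataclass
class Browser:
    # One cookie jar per browser profile: site name -> signed-in user.
    cookies: dict = field(default_factory=dict)

class IdP:
    """Toy stand-in for the identity provider (Google in the thread)."""
    def authorize(self, browser, prompt=None, credentials=None):
        user = browser.cookies.get("idp")
        if user is None or prompt == "login":
            if credentials is None:
                return None              # sign-in form shown, nothing typed
            user = browser.cookies["idp"] = credentials
        return user                      # stands in for the code/token exchange

    def logout(self, browser):
        browser.cookies.pop("idp", None)

class RelyingParty:
    """Toy stand-in for Jenkins delegating login to the IdP."""
    def __init__(self, idp, prompt=None):
        self.idp, self.prompt = idp, prompt

    def login(self, browser, credentials=None):
        user = self.idp.authorize(browser, self.prompt, credentials)
        if user is not None:
            browser.cookies["rp"] = user
        return user

    def logout(self, browser):
        browser.cookies.pop("rp", None)  # the IdP cookie is untouched

    def current_user(self, browser):
        return browser.cookies.get("rp")

def next_visitor_gets(prompt=None, also_logout_idp=False):
    """Alice (constructed user) signs in, then logs out of the RP. Returns who
    the next person becomes on clicking "log in" without typing anything."""
    idp = IdP()
    rp, browser = RelyingParty(idp, prompt), Browser()
    rp.login(browser, credentials="alice")
    rp.logout(browser)
    if also_logout_idp:
        idp.logout(browser)
    return rp.login(browser)

def idp_logout_keeps_rp_session():
    """Logging out at the IdP alone leaves the RP session in place."""
    idp = IdP()
    rp, browser = RelyingParty(idp), Browser()
    rp.login(browser, credentials="alice")
    idp.logout(browser)
    return rp.current_user(browser)
```
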

              People

              • Assignee:
                vlatombe Vincent Latombe
                Reporter:
                jinahya Jin Kwon