Troubleshooting Logout Issues and Session Store Configuration in Azure AD Integration

Original Slack Thread

<@U06TM7M40RK> What is the redirect logout URL for Azure AD integration?

For Azure AD integration with DataHub, the “Front-channel logout URL” should be set to https://your-datahub-domain.com/login. This configuration ensures that after a user logs out, they are redirected to the DataHub login page. This setup is crucial for maintaining a seamless user experience and ensuring that the session is properly terminated.

According to the <https://datahubproject.io/docs/0.14.0/authentication/guides/sso/configure-oidc-react|DataHub OIDC Configuration Guide>, you should configure the logout URL in the Azure portal under the Authentication settings of your registered application.

Would you like more detailed steps on how to configure this in the Azure portal or any other related settings?

<@U06TM7M40RK> but when the user clicks on Sign Out, he is still logged in.

The issue where a user remains logged in after clicking “Sign Out” is a known problem with OIDC integration in DataHub. This can occur due to several reasons, such as misconfiguration of the logout endpoints or session management settings.

Here are some steps to troubleshoot and resolve the issue:

  1. Verify OIDC Configuration: Ensure that the post_logout_redirect_uri is correctly set in your Identity Provider (IdP) configuration. This URI should point to the DataHub login page, typically https://your-datahub-domain.com/login.

  2. Check Logout Endpoint: Make sure that the logout endpoint is correctly configured in your DataHub setup. For Azure, the “Front-channel logout URL” should be set to https://your-datahub-domain.com/login.

  3. Session Store Configuration: Verify that the session store is correctly set up to handle state parameters. This is typically configured in the application.conf file of the DataHub frontend.

  4. Enable Verbose Logging: Enable verbose logging to get more detailed information about the issue. You can do this by setting the AUTH_VERBOSE_LOGGING environment variable to true.

  5. Inspect the CentralLogoutController: According to the <https://github.com/datahub-project/datahub/blob/master/datahub-frontend/app/controllers/CentralLogoutController.java|CentralLogoutController.java>, ensure that the logout logic is correctly implemented and that the executeLogout method is properly handling the session termination.

  6. Check for Known Issues: There are known issues related to logout with OIDC, as discussed in <Issues · datahub-project/datahub · GitHub Issue #8369>. It might be helpful to review this issue for any updates or workarounds.

Would you like more detailed steps on any of these points or further assistance with your configuration?

<@U06TM7M40RK> Where do I look if the session store is correctly set up to handle state parameters in application.conf file?

To verify if the session store is correctly set up to handle state parameters in the application.conf file, you should look for the configuration related to the session store and cache settings. Here are the key areas to check:

  1. Session Store Configuration: Ensure that the session store is configured to use play.cache. This is important for handling state parameters in the OIDC authentication flow.

  2. Cache Settings: Check that the cache settings are properly defined to support session management.

Here is an example configuration for the application.conf file:

play {
  cache {
    defaultCache = "play"
    bindCaches = ["session-cache"]
  }
}

session {
  store = "play.cache"
  cookieName = "PLAY_SESSION"
  secure = true
  httpOnly = true
}

  • defaultCache: This should be set to "play", indicating the default cache implementation.
  • bindCaches: This should include "session-cache", which binds the session cache to the application.
  • session.store: This should be set to "play.cache", indicating that the session data is stored in the cache.
  • cookieName: This specifies the name of the session cookie.
  • secure and httpOnly: These settings ensure that the session cookie is secure and not accessible via JavaScript.

These settings ensure that the session store is correctly configured to handle state parameters, which are crucial for maintaining session integrity during the OIDC authentication process.

Would you like more detailed steps on how to configure these settings or any other related information?

Sources:

  • <Slack Thread on Okta Integration Issues>

<@U06TM7M40RK> give me an example of helm configuration for frontend set up to handle state parameters

To configure the DataHub frontend using Helm to handle state parameters, you need to ensure that the session store and related settings are properly set up in your values.yaml file. Below is an example configuration for the DataHub frontend using Helm:

datahub-frontend:
  enabled: true
  extraEnvs:
    - name: AUTH_OIDC_ENABLED
      value: "true"
    - name: AUTH_OIDC_CLIENT_ID
      value: "<your-client-id>"
    - name: AUTH_OIDC_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: datahub-oidc-secret
          key: client-secret
    - name: AUTH_OIDC_DISCOVERY_URI
      value: "https://<your-identity-provider>/.well-known/openid-configuration"
    - name: AUTH_OIDC_BASE_URL
      value: "https://<your-datahub-url>"
    - name: AUTH_VERBOSE_LOGGING
      value: "true"
    - name: PLAY_SESSION_STORE
      value: "play.cache"
    - name: PLAY_SESSION_COOKIE_NAME
      value: "PLAY_SESSION"
    - name: PLAY_SESSION_SECURE
      value: "true"
    - name: PLAY_SESSION_HTTP_ONLY
      value: "true"
  resources:
    limits:
      cpu: 500m
      memory: 1Gi
    requests:
      cpu: 250m
      memory: 512Mi

Key Configuration Points:

  • AUTH_OIDC_ENABLED: Enables OIDC authentication.
  • AUTH_OIDC_CLIENT_ID and AUTH_OIDC_CLIENT_SECRET: Set these to your OIDC client credentials.
  • AUTH_OIDC_DISCOVERY_URI: The discovery URI for your OIDC provider.
  • AUTH_OIDC_BASE_URL: The base URL of your DataHub deployment.
  • AUTH_VERBOSE_LOGGING: Enables verbose logging for debugging purposes.
  • PLAY_SESSION_STORE: Configures the session store to use play.cache.
  • PLAY_SESSION_COOKIE_NAME: Sets the name of the session cookie.
  • PLAY_SESSION_SECURE and PLAY_SESSION_HTTP_ONLY: Ensure the session cookie is secure and not accessible via JavaScript.

This configuration ensures that the DataHub frontend is set up to handle state parameters effectively, which is crucial for maintaining session integrity during the OIDC authentication process.

Would you like more detailed steps on any specific part of this configuration or further assistance?