Description
Clicking "Logout" in the FlightCtl UI has no visible effect when using the OpenShift OAuth provider. The session cookie is cleared, but the user is silently re-authenticated within seconds and lands back on the dashboard as if nothing happened.
Steps to reproduce
- Deploy the FlightCtl UI with an OpenShift OAuth provider configured as the only (or default) auth provider.
- Log in as cluster admin.
- Open the user menu (top-right) and click Logout.
Expected behavior
The user is logged out and must enter credentials again to regain access.
Actual behavior
The page briefly shows a loading spinner, then the user is returned to the dashboard, still logged in.
Root cause
PR #393 (EDM-2612, December 2025) removed OpenShift OAuth session termination from OpenShiftAuthHandler.Logout. The original code called {apiServerURL}/.well-known/oauth-authorization-server to discover the issuer and redirected to {issuer}/logout. This was removed because when apiServerURL was the K8s API server (https://api.cluster:6443), the discovery returned that same URL as the issuer, resulting in a redirect to https://api.cluster:6443/logout — which is not a valid endpoint.
Rather than fixing the URL derivation, the removal eliminated OpenShift session termination entirely. As a result:
- FlightCtl session cookie is cleared ✓
- Page reloads → 401 → redirects to /login
- Login page detects a single non-K8s provider and immediately re-initiates the OAuth flow
- OpenShift OAuth session is still active → new auth code issued silently
- New token is stored → user is back on the dashboard
Fix
Derive the logout URL directly from authURL (the OAuth authorization endpoint), which always points to the OAuth server — not the K8s API server. Taking scheme://host from authURL and appending /logout gives the correct https://oauth-openshift.apps.{cluster}/logout in all valid configurations, without any HTTP discovery round-trip.
A fix with regression tests is available: [link to PR].
Environment
- Cluster type: Single Node OpenShift (SNO), ephemeral
- FlightCtl UI version: 66e5e623 (Helm chart installed from main at that commit)
- Auth provider: OpenShift OAuth, configured as the only provider
- User: cluster-admin
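The derivation described under Fix, as an added Go example that is not FlightCtl's own code or the code from the linked PR. The function names and the oauth-openshift.apps.cluster.example hostname are assumptions; the older issuer-based derivation is included beside it to show the invalid API-server URL from the root cause.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// logoutURLFromIssuer mirrors the removed behaviour described in the root
// cause: append /logout to whatever issuer discovery returned.
// Hypothetical name, for comparison only.
func logoutURLFromIssuer(issuer string) string {
	return issuer + "/logout"
}

// logoutURLFromAuthURL keeps only scheme://host of the OAuth authorization
// endpoint and appends /logout. Hypothetical name, not the project's API.
func logoutURLFromAuthURL(authURL string) (string, error) {
	u, err := url.Parse(authURL)
	if err != nil {
		return "", fmt.Errorf("parse authURL: %w", err)
	}
	if u.Scheme != "https" && u.Scheme != "http" {
		return "", errors.New("authURL must be an absolute http(s) URL")
	}
	if u.Host == "" {
		return "", errors.New("authURL has no host")
	}
	// Rebuild from scheme and host alone so the path, query string,
	// fragment and any userinfo in authURL never reach the redirect.
	logout := url.URL{Scheme: u.Scheme, Host: u.Host, Path: "/logout"}
	return logout.String(), nil
}

func main() {
	// Constructed sample values; only api.cluster:6443 comes from the report.
	issuer := "https://api.cluster:6443"
	authURL := "https://oauth-openshift.apps.cluster.example/oauth/authorize?client_id=ui"

	fmt.Println("issuer-based: ", logoutURLFromIssuer(issuer))
	fixed, err := logoutURLFromAuthURL(authURL)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("authURL-based:", fixed)
}
```

A handler that gets an error back from the derivation should surface it rather than fall back to a cookie-only logout, since that fallback is the state in which the OpenShift session stays active.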