Skip to content

EDM-2612: Logout method in OCP is POST. Remove cookie on logout#393

Merged
celdrake merged 1 commit into
flightctl:mainfrom
celdrake:EDM-2612-fix-cookie-clear-and-openshift-logout
Dec 3, 2025
Merged

EDM-2612: Logout method in OCP is POST. Remove cookie on logout#393
celdrake merged 1 commit into
flightctl:mainfrom
celdrake:EDM-2612-fix-cookie-clear-and-openshift-logout

Conversation

@celdrake

@celdrake celdrake commented Nov 27, 2025
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown
Collaborator

Fixes issues on logout:

  1. Cookie not being cleared - this works on Chrome but it doesn't seem to work on Firefox however
  2. An error from OpenShift related to GET /logout not being allowed.

Summary by CodeRabbit

  • Bug Fixes

    • Session cookies are now reliably cleared on logout; the browser is instructed to remove cookie data.

  • Improvements

    • Cookie security attributes now adapt to deployment (Secure flag applied appropriately).
    • OpenShift logout flow simplified — the proxy now handles cookie clearing without external discovery calls.

✏️ Tip: You can customize this high-level summary in your review settings.

@coderabbitai

coderabbitai Bot commented Nov 27, 2025
edited
Loading

Copy link
Copy Markdown

Walkthrough

Updates to authentication cookie handling and OpenShift logout behavior: session cookie clearing now sets MaxAge -1 and sends Clear-Site-Data header; setCookie computes a local secure flag. OpenShift logout discovery and remote /logout call were removed; function now returns an empty URL and nil error.

Changes

Cohort / File(s) Change Summary
Cookie handling and session management
proxy/auth/common.go		 setCookie now computes a local secure flag (config.TlsCertPath != "") for the cookie Secure attribute. clearSessionCookie now clears the session cookie by setting MaxAge = -1 and adds a Clear-Site-Data header. clearPKCEVerifierCookie keeps SameSite as Lax.
Logout flow simplification
proxy/auth/openshift.go		 Removed the OpenShift logout discovery and HTTP call logic that built and returned an issuer /logout URL. The function now returns an empty URL and nil error; unused imports related to the removed logic were dropped.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Review clearSessionCookie to ensure correct header value and cookie attributes across environments.
  • Verify removal of issuer /logout call aligns with intended logout behavior and documentation.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly addresses the two main objectives: removing cookies on logout and fixing the OpenShift POST logout method issue. It clearly summarizes the primary changes without being vague or overly broad.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 509253b and 0c2151e.

📒 Files selected for processing (2)
  • proxy/auth/common.go (2 hunks)
  • proxy/auth/openshift.go (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • proxy/auth/openshift.go
  • proxy/auth/common.go
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: integration-tests
  • GitHub Check: Build
  • GitHub Check: Build ocp plugin
  • GitHub Check: Lint

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@celdrake celdrake force-pushed the EDM-2612-fix-cookie-clear-and-openshift-logout branch from 509253b to 0c2151e Compare December 3, 2025 10:04
@celdrake celdrake merged commit d3fe50e into flightctl:main Dec 3, 2025
6 checks passed
@celdrake celdrake deleted the EDM-2612-fix-cookie-clear-and-openshift-logout branch December 3, 2025 10:13
@celdrake celdrake mentioned this pull request Dec 3, 2025
Merged
This was referenced Jun 22, 2026
Open
Open
jkilzi added a commit that referenced this pull request Jun 23, 2026
@jkilzi @cursoragent
fix: restore OpenShift OAuth session logout on user sign-out
06117ca 
OpenShiftAuthHandler.Logout was returning ("", nil) since PR #393
(EDM-2612), which cleared only the FlightCtl session cookie but left
the OpenShift OAuth browser session active. Because the login page
auto-redirects when a single non-K8s provider is configured, users
were silently re-authenticated immediately after clicking Logout.

The original discovery-based approach ({apiServerURL}/.well-known/
oauth-authorization-server) was problematic when apiServerURL pointed
to the K8s API server, producing https://api.cluster:6443/logout as
the logout target — an invalid endpoint.

Fix: derive the logout URL directly from authURL (the OAuth
authorization endpoint). authURL always holds the OAuth server host
regardless of how apiServerURL is configured, so taking scheme://host
and appending /logout gives the correct
https://oauth-openshift.apps.{cluster}/logout without any HTTP
round-trip.

Fixes #708

Signed-off-by: Jonathan Kilzi <jkilzi@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Jonathan Kilzi <jkilzi@redhat.com>
jkilzi added a commit that referenced this pull request Jun 23, 2026
@jkilzi
fix: restore OpenShift OAuth session logout on user sign-out
699d102 
OpenShiftAuthHandler.Logout was returning ("", nil) since PR #393
(EDM-2612), which cleared only the FlightCtl session cookie but left
the OpenShift OAuth browser session active. Because the login page
auto-redirects when a single non-K8s provider is configured, users
were silently re-authenticated immediately after clicking Logout.

The original discovery-based approach ({apiServerURL}/.well-known/
oauth-authorization-server) was problematic when apiServerURL pointed
to the K8s API server, producing https://api.cluster:6443/logout as
the logout target — an invalid endpoint.

Fix: derive the logout URL directly from authURL (the OAuth
authorization endpoint). authURL always holds the OAuth server host
regardless of how apiServerURL is configured, so taking scheme://host
and appending /logout gives the correct
https://oauth-openshift.apps.{cluster}/logout without any HTTP
round-trip.

Fixes #708

Assisted-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Jonathan Kilzi <jkilzi@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rawagner rawagner rawagner approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@celdrake @rawagner