Univention Bugzilla – Bug 57467
Automatic refresh after logout
Last modified: 2024-08-21 15:34:56 CEST
Currently a logout, regardless of if it's plain auth or SLO, does not trigger a reload of open tabs, meaning that as long as the user does not interact with the page it still looks like he is logged in - Triggering an action will then lead to various unwanted conditions, f.e. clicking on an UMC tile redirects to the login, opening a self-service module displays an error, ... This is especially valid for the scenario of backchannel logouts where the user does not trigger the logout from the web interface of UCS but instead from a connected application. The desired behavior would be that, upon logout or with only a small delay, all opened instances of the web interface reload their state in order to show that nobody is logged in anymore.
This new feature works by creating a new endpoint in the UMC '/logout-sse'. This is a server-sent event compatabile endpoint that will send the client a message with the content of 'logout' when the specific session ends. On the frontend the Portal starts a SharedWorker. This SharedWorker will connect to this endpoint once and when it receives the logout message will send a message to all attached open Portals and tells them to refresh. Using SharedWorkers here comes with the limitation that this feature will not work on Safari < 16. In this case the feature will simply not be available. Performance considerations: Every browser having an instance of the Portal open will need a long lived TCP connection to Apache2. There is however basically 0 network traffic in that connection. On initial connection and on every additional automatic reconnect a simple HTTP message is sent. Apart from that only the final 'logout' message is sent. This should be more performant than polling. This feature is enabled by default and can be disabled via UCR variable 'portal/reload-tabs-on-logout'. univention-portal.yaml cd1b7fb490c5 | feat: Reload all logged in Portal browser tabs on logout univention-portal (4.0.17-2) cd1b7fb490c5 | feat: Reload all logged in Portal browser tabs on logout univention-management-console.yaml cd1b7fb490c5 | feat: Reload all logged in Portal browser tabs on logout univention-management-console (12.0.34-4) cd1b7fb490c5 | feat: Reload all logged in Portal browser tabs on logout ucs-test (10.0.22-51) 0bae3d47c0dc | test(keycloak): adjust logout notifier tests to work with OIDC logout ucs-test (10.0.22-50) cd1b7fb490c5 | feat: Reload all logged in Portal browser tabs on logout
QA: OK: manual test - manual logout from SAML/OIDC/plain auth sessions trigger browser tab refresh of all tabs that have the Portal open - session timeouts also refresh the tabs - new UCR variable can enable/disable this feature OK: performance impact OK: docs/yaml/changelog OK: new tests OK: Jenkins test runs (Keycloak jobs) OK: UCS 5.0 + UCS 5.2
<https://errata.software-univention.de/#/?erratum=5.0x1104> <https://errata.software-univention.de/#/?erratum=5.0x1105>