Force a logout in KerberosSession if a login is needed
Remove the client side cookie if a user possesses an IPA session cookie and the associated credentials can't be found on the server. This handles the case where the ccaches are removed for some reason (maybe cleanup, maybe a container was restarted) and allows for a successful SSO if the user's Kerberos ticket is still valid. Without this change the user is always dropped into the username/password dialog. The only workaround is to remove the cookie on the client side. Fixes: https://pagure.io/freeipa/issue/9624 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
parent
aadb8051d4
commit
ffba69648a
@ -664,6 +664,10 @@ class KerberosSession(HTTP_Status):
|
|||||||
headers = []
|
headers = []
|
||||||
response = b''
|
response = b''
|
||||||
|
|
||||||
|
logout_cookie = getattr(context, 'logout_cookie', None)
|
||||||
|
if logout_cookie is not None:
|
||||||
|
headers.append(('IPASESSION', logout_cookie))
|
||||||
|
|
||||||
logger.debug('%s need login', status)
|
logger.debug('%s need login', status)
|
||||||
|
|
||||||
start_response(status, headers)
|
start_response(status, headers)
|
||||||
@ -689,6 +693,7 @@ class KerberosSession(HTTP_Status):
|
|||||||
creds = get_credentials_if_valid(name=gss_name,
|
creds = get_credentials_if_valid(name=gss_name,
|
||||||
ccache_name=ccache_name)
|
ccache_name=ccache_name)
|
||||||
if not creds:
|
if not creds:
|
||||||
|
setattr(context, 'logout_cookie', 'MagBearerToken=')
|
||||||
logger.debug(
|
logger.debug(
|
||||||
'ccache expired or invalid, deleting session, need login')
|
'ccache expired or invalid, deleting session, need login')
|
||||||
return None
|
return None
|
||||||
|
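Review bot: Nothing in either hunk shows where `context.logout_cookie` is reset after the `setattr` in the `if not creds:` branch, and the `IPASESSION` header in the need-login path is emitted whenever the attribute is present. If `context` can outlive a single request (not visible here), a stale value would clear the session cookie of an unrelated later request handled by the same worker, so it is worth confirming the per-request teardown and saying so in a comment. The empty value also deserves a why-comment at the `setattr`, e.g. `# Empty MagBearerToken makes the client drop its stale session cookie so SSO can be retried`, and with a constant attribute name the call can simply be `context.logout_cookie = 'MagBearerToken='`. Both enclosing methods start and end outside the hunks.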