
Make "Log Out" on Phacility instances behave in a way better aligned with user expectation
Closed, Resolved. Public.

Description

Because Phacility implements auth by using another Phabricator instance as an OAuth provider, logging out of a Phacility instance does not fully log you out of the cluster (similar to how logging out of Phabricator wouldn't log you out of GitHub if you were using GitHub OAuth).

This is consistent, but somewhat surprising.

I think the best approach here is probably to add an option to the logout workflow to let the user log out of linked providers:

+--------------------------------+
| Log Out                        |
+--------------------------------+
| Are you sure you want          |
| to log out?                    |
|                                |
| [X] Also log out of Phacility. |
+--------------------------------+
|             (Cancel) (Log Out) |
+--------------------------------+

This is a bit involved, but relatively generalizable.

Event Timeline

epriestley raised the priority of this task from to Normal.
epriestley updated the task description. (Show Details)
epriestley added projects: Phacility, Auth.
epriestley moved this task to Do After Launch on the Phacility board.
epriestley added a subscriber: epriestley.

Specifically, to completely log out of Phacility, you must currently:

  1. log out of your instance; then
  2. log out of admin.phacility.com.

If you do only step (1), your session will be destroyed, but OAuth will be able to reestablish it without reentering credentials. This generally provides some protection from common electronic attacks (e.g., session theft or CSRF -- these attackers will likely not be able to acquire a session) but not from sophisticated electronic attacks (where your entire machine is compromised) or physical attacks (like attackers stealing your laptop -- these attackers will be able to establish a session).

If you have MFA configured on your instance, logging out of your instance is sufficient to require your MFA token to be reentered to establish a new session. You may want to configure MFA as a precaution if you are concerned about physical attackers or device theft.

This behavior is generally confusing; it is just somewhat involved to fix in a general way without adding a lot of Phacility-specific code to Phabricator. I plan to address it in the relatively near term, along with other ongoing improvements to Phacility documented in T9303.
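
The two-session model described in this comment (instance session plus admin.phacility.com OAuth session), as an added illustration that is not Phabricator or Phacility code: a local-only logout leaves the provider session able to silently re-establish an instance session, the "also log out of linked provider" option from the task description closes that gap, and MFA on the instance forces token re-entry regardless. Class names, the password and the MFA token are constructed placeholders.

```python
import secrets


class OAuthProvider:
    """Stands in for admin.phacility.com; owns the provider-side session."""
    def __init__(self):
        self.sessions = {}  # provider token -> user

    def login(self, user, password):
        if password != "correct-password":  # constructed credential check
            raise PermissionError("bad credentials")
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return token

    def authorize(self, token):
        # OAuth authorization succeeds silently while a provider session exists.
        return self.sessions.get(token)

    def logout(self, token):
        self.sessions.pop(token, None)


class Instance:
    """Stands in for one Phacility instance that authenticates via the provider."""
    def __init__(self, provider, mfa_users=()):
        self.provider = provider
        self.mfa_users = set(mfa_users)
        self.sessions = {}  # instance token -> (user, provider token)

    def login_via_oauth(self, provider_token, mfa_token=None):
        user = self.provider.authorize(provider_token)
        if user is None:
            raise PermissionError("no provider session; credentials required")
        if user in self.mfa_users and mfa_token != "123456":  # constructed MFA
            raise PermissionError("MFA token required")
        token = secrets.token_hex(8)
        self.sessions[token] = (user, provider_token)
        return token

    def logout(self, token, also_provider=False):
        # Destroy the instance session; optionally the linked provider session too.
        _user, provider_token = self.sessions.pop(token)
        if also_provider:
            self.provider.logout(provider_token)


def can_reestablish(instance, provider_token, mfa_token=None):
    """True if a new instance session is obtainable without re-entering credentials."""
    try:
        instance.login_via_oauth(provider_token, mfa_token)
        return True
    except PermissionError:
        return False
```

Run with step (1) only, then with the provider logout, then with MFA configured, to see which attacker holding the device's cookies can still get back in.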

epriestley added a revision: Restricted Differential Revision.
epriestley added a commit: Restricted Diffusion Commit. (Apr 5 2016, 10:19 PM)
epriestley closed this task as Resolved. (Apr 9 2016, 10:12 AM)
epriestley claimed this task.

This is now deployed and appears to be working.

Note that you may have to log out twice to get it to take effect for the first time: if you still have an old session, it uses the old rules for session management. Logging out, then logging in will get you a new session with the new rules; logging out of that session will completely log you out.

We may refine this at some point in the future (for example, there may be use cases for separating your day job and side project sessions on big-corp.phacility.com and volunteer-bootcamp.phacility.com) but today I believe most users access only a single install and that the current behavior is well-aligned with expectations.