Page MenuHomePhabricator
Create Task
Maniphest T7673

Make "Log Out" on Phacility instances behave in a way better aligned with user expectation
Closed, ResolvedPublic
Actions

Description

Because Phacility implements auth by using another Phabricator instance as an OAuth provider, logging out of a Phacility instance does not fully log you out of the cluster (similar to how logging out of Phabricator wouldn't log you out of GitHub if you were using GitHub OAuth).

This is consistent, but somewhat surprising.

I think the best approach here is probably to add an option to the logout workflow to let the user log out of linked providers:

+--------------------------------+
| Log Out                        |
+--------------------------------+
| Are you sure you want          |
| to log out?                    |
|                                |
| [X] Also log out of Phacility. |
+--------------------------------+
|             (Cancel) (Log Out) |
+--------------------------------+

This is a bit involved, but relatively generalizable.

Revisions and Commits

Restricted Differential RevisionRestricted Diffusion Commit
rP Phabricator
D15629rP46881c4ce507 Add a session engine extension point
D15594rPe55522cade3f Implement "auth.logout" Conduit API method

Related Objects
Search...

Event Timeline

epriestley created this task.Mar 27 2015, 12:04 PM
epriestley raised the priority of this task from to Normal.
epriestley updated the task description. (Show Details)
epriestley added projects: Phacility, Auth.
epriestley moved this task to Do After Launch on the Phacility board.
epriestley mentioned this in T7522: Add tooling to backpopulate instance accounts into the cluster.
epriestley added a subscriber: epriestley.
epriestley moved this task from Do After Launch to Onboarding/NUX on the Phacility board.Sep 1 2015, 3:09 PM
epriestley added a parent task: T9303: Improve Phacility Onboarding/NUX.Sep 1 2015, 3:13 PM
epriestley merged a task: T9349: Assure user can properly log out of Phabricator (on Phacility instance).Sep 5 2015, 5:09 PM
epriestley added subscribers: chad, CaptSpot.
epriestley added a comment.Sep 11 2015, 5:51 PM

Specifically, to completely log out of Phacility, you must currently:

  1. log out of your instance; then
  2. log out of admin.phacility.com.

If you do only step (1), your session will be destroyed, but OAuth will be able to reestablish it without reentering credentials. This generally provides some protection from common electronic attacks (e.g., session theft or CSRF -- these attackers will likely not be able to acquire a session) but not from sophisticated electronic attacks (where your entire machine is compromised) or physical attacks (like attackers stealing your laptop -- these attackers will be able to establish a session).

If you have MFA configured on your instance, logging out of your instance is sufficient to require your MFA token to be reentered to establish a new session. You may want to configure MFA as a precaution if you are concerned about physical attackers or device theft.

This behavior is generally confusing, it is just somewhat involved to fix in a general way without adding a lot of Phacility-specific code to Phabricator. I plan to address it in the relatively near term, along with other ongoing improvements to Phacility documented in T9303.

epriestley added a subtask: T7303: Provide OAuth access to Conduit.Apr 3 2016, 1:31 PM
epriestley mentioned this in T7303: Provide OAuth access to Conduit.Apr 3 2016, 1:50 PM
epriestley added a revision: D15594: Implement "auth.logout" Conduit API method.Apr 3 2016, 4:13 PM
epriestley added a commit: rPe55522cade3f: Implement "auth.logout" Conduit API method.Apr 4 2016, 4:12 PM
epriestley added a revision: D15629: Add a session engine extension point.Apr 5 2016, 10:03 PM
epriestley added a revision: Restricted Differential Revision.
epriestley added a commit: Restricted Diffusion Commit.Apr 5 2016, 10:19 PM
epriestley added a commit: rP46881c4ce507: Add a session engine extension point.
epriestley closed this task as Resolved.Apr 9 2016, 10:12 AM
epriestley claimed this task.

This is now deployed and appears to be working.

Note that you may have to log out twice to get it to take effect for the first time: if you still have an old session, it uses the old rules for session management. Logging out, then logging in will get you a new session with the new rules; logging out of that session will completely log you out.

We may refine this at some point in the future (for example, there may be use cases for separating your day job and side project sessions on big-corp.phacility.com and volunteer-bootcamp.phacility.com) but today I believe most users access only a single install and that the current behavior is well-aligned with expectations.

GoogleLegacy added a subscriber: GoogleLegacy.Sep 10 2018, 9:33 AM
Phabricator · Built by Phacility