[ocis] SSE-Event when logged out #9355

Closed
13 tasks
kulmann opened this issue Jun 12, 2024 · 6 comments · Fixed by #9449
Labels
Type:Story User Story

Comments

@kulmann
Member

kulmann commented Jun 12, 2024

Description

At the moment the web-ui doesn't get notified when the user logs out via a different channel (backchannel logout from another non-ocis application / sessions being killed in the IdP / user logged out in the web-ui in a different tab or on a different device). This leaves the impression for the user that the web-ui can still be used, while they should be redirected to the logged out page instead.

Context: https://github.com/owncloud/enterprise/issues/6705#issuecomment-2160078679 - a user tried to upload files and got errors (401) which couldn't be explained. We assume that the user triggered a backchannel logout in a different application and wasn't aware that they would be logged out from oCIS as well.

More context: We tried to send the user to the logged out page in the web-ui when polling notifications resulted in a 401 (that was back then before we had SSE). However, this led to false positives in situations with bad timing of the notifications request (used old token in the second it expired). We had to remove that again.

User Stories

  • As a user who triggered a backchannel logout from a different application, I want to be logged out in the ocis web-ui as well so that I am aware that I can't continue my work without logging in again before.

Value

Fewer support requests ;-)

Acceptance Criteria

  • Introduce logout event
  • ~~trigger event in all situations where the user gets logged out (even if the logout came from the web-ui... the user might have multiple tabs open or might use multiple devices at the same time, we need to set all of them to logged out)~~ should be a dedicated story
  • [...] more acceptance criteria needed? 🙈

Definition of ready

  • Everybody needs to understand the value written in the user story
  • Acceptance criteria have to be defined
  • All dependencies of the user story need to be identified
  • Feature should be seen from an end user perspective
  • Story has to be estimated
  • Story points need to be less than 20

Definition of done

  • Functional requirements
    • Functionality described in the user story works
    • Acceptance criteria are fulfilled
  • Quality
    • Code review happened
    • CI is green (that includes new and existing automated tests)
    • Critical code received unit tests by the developer
  • Non-functional requirements
    • No sonar cloud issues
  • Configuration changes
    • The next branch of the ocis charts is compatible
@kulmann
Member Author

kulmann commented Jun 27, 2024

trigger event in all situations where the user gets logged out (even if the logout came from the web-ui... the user might have multiple tabs open or might use multiple devices at the same time, we need to set all of them to logged out) has been crossed out from the acceptance criteria. Whoever did this (@tbsbdr you executed it), what's the reasoning behind this?

@kulmann kulmann reopened this Jun 27, 2024
@tbsbdr
Contributor

tbsbdr commented Jun 27, 2024

Iirc someone (@kobergj?) mentioned in the refinement that this AC could be complicated and should be a dedicated story. Could some more technical person elaborate please?

@kobergj
Collaborator

kobergj commented Jun 27, 2024

> what's the reasoning behind this?

The webui sends the logout request directly to the idp. This is why ocis doesn't know that it has been logged out and cannot emit an event. We could implement that for the internal idp but replacing it with keycloak will lead to the same problem.

Ocis only knows that it has been logged out when the backchannel logout endpoint is called.
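
The point above, that a logout is only visible server-side when the backchannel logout endpoint is called, as an added example (not part of the original comment and not oCIS code). It shows the OIDC Back-Channel Logout claim checks and how `sid` versus `sub` decides which open SSE connections receive a logout event. The `Session` type and `sessionsToNotify` are hypothetical names, and signature, `iss` and `aud` validation are assumed to have already passed.

```go
package main

import (
	"errors"
	"fmt"
)

// Event member that marks a JWT as an OIDC back-channel logout token.
const backchannelLogoutEvent = "http://schemas.openid.net/event/backchannel-logout"

// LogoutClaims holds logout-token claims AFTER signature, iss and aud checks
// (assumption: those checks happened earlier and are not shown here).
type LogoutClaims struct {
	Sub, Sid, Nonce string
	Events          map[string]interface{}
}

// Session is a hypothetical record of one open SSE connection.
type Session struct{ ID, Sid, Sub string }

// sessionsToNotify returns the IDs of the SSE connections that must receive a
// logout event: one IdP session when sid is present, otherwise every session
// of the subject.
func sessionsToNotify(c LogoutClaims, open []Session) ([]string, error) {
	if _, ok := c.Events[backchannelLogoutEvent]; !ok {
		return nil, errors.New("not a logout token: events member missing")
	}
	if c.Nonce != "" {
		return nil, errors.New("logout token must not carry a nonce")
	}
	if c.Sid == "" && c.Sub == "" {
		return nil, errors.New("logout token needs sid or sub")
	}
	var ids []string
	for _, s := range open {
		if (c.Sid != "" && s.Sid == c.Sid) || (c.Sid == "" && s.Sub == c.Sub) {
			ids = append(ids, s.ID)
		}
	}
	return ids, nil
}

func main() {
	// Constructed sample: two tabs share IdP session "idp-1", a phone uses "idp-2".
	open := []Session{{"tab-a", "idp-1", "alice"}, {"tab-b", "idp-1", "alice"}, {"phone", "idp-2", "alice"}}
	ev := map[string]interface{}{backchannelLogoutEvent: map[string]interface{}{}}
	fmt.Println(sessionsToNotify(LogoutClaims{Sid: "idp-1", Events: ev}, open))
	fmt.Println(sessionsToNotify(LogoutClaims{Sub: "alice", Events: ev}, open))
}
```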

@2403905
Contributor

2403905 commented Jun 27, 2024

> trigger event in all situations where the user gets logged out (even if the logout came from the web-ui... the user might have multiple tabs open or might use multiple devices at the same time, we need to set all of them to logged out) has been crossed out from the acceptance criteria. Whoever did this (@tbsbdr you executed it), what's the reasoning behind this?

Should we differentiate between logging out the current session and logging out all user sessions?

@kobergj
Collaborator

kobergj commented Jun 27, 2024

We cannot. As I stated above we do not know when we get logged out, except through backchannel logout.

@micbar
Contributor

micbar commented Jul 8, 2024

From my POV, the work within the original scope of that ticket has been finished.

@micbar micbar closed this as completed Jul 8, 2024