
Migrate login endpoint to v1-public#15888

Merged
rak-phillip merged 7 commits intorancher:masterfrom
rak-phillip:task/15326-login
Dec 19, 2025

Conversation

@rak-phillip
Member

@rak-phillip rak-phillip commented Nov 6, 2025

Summary

This migrates the login from v3-public to v1-public.

Fixes #15326
Contributes to #15326

Occurred changes and/or fixed issues

  • migrate v3-public/authProviders to v1-public/authproviders
  • use v1-public/login to login

Technical notes summary

This will be easier to work with if #15613 merges first.

Areas or cases that should be tested

You can test with https://hub.docker.com/r/rancher/rancher/tags?name=e9cf13a or later and use the v3-public feature flag to disable /v3-public endpoints.

We will need to validate the following:

  • Local login
  • LDAP
  • OAuth
  • OIDC
  • SAML

Areas which could experience regressions

The login methods described above.

Screenshot/Video

NA

Checklist

  • The PR is linked to an issue and the linked issue has a Milestone, or no issue is needed
  • The PR has a Milestone
  • The PR template has been filled out
  • The PR has been self reviewed
  • The PR has a reviewer assigned
  • The PR has automated tests or clear instructions for manual tests and the linked issue has appropriate QA labels, or tests are not needed
  • The PR has been reviewed with UX and tested in light and dark mode, or there are no UX changes
  • The PR has been reviewed in terms of Accessibility
  • The PR has considered, and if applicable tested with, the three Global Roles Admin, Standard User and User Base

@rak-phillip rak-phillip requested a review from aalves08 November 6, 2025 21:54
@rancher-ui-project-bot rancher-ui-project-bot bot added this to the v2.14.0 milestone Nov 6, 2025
@rak-phillip rak-phillip marked this pull request as draft November 6, 2025 21:55
@rak-phillip rak-phillip force-pushed the task/15326-login branch 4 times, most recently from 2169ee6 to 90e7d8f Compare November 13, 2025 18:22
@rak-phillip rak-phillip marked this pull request as ready for review November 19, 2025 17:39
Signed-off-by: Phillip Rak <rak.phillip@gmail.com>
Signed-off-by: Phillip Rak <rak.phillip@gmail.com>
Signed-off-by: Phillip Rak <rak.phillip@gmail.com>
@rak-phillip
Member Author

There seems to be an issue with the Inactivity ::: can update the setting "auth-user-session-idle-ttl-minutes" and should show the inactivity modal test that is related to this change. Working on a fix.

Signed-off-by: Phillip Rak <rak.phillip@gmail.com>
Signed-off-by: Phillip Rak <rak.phillip@gmail.com>
@rak-phillip
Member Author

@aalves08 CI gates are passing. This is ready for review

Member

@aalves08 aalves08 left a comment


I've tested these "normal" logins:
local
LDAP - OpenLDAP
OIDC - Amazon Cognito
SAML - Okta

and all worked fine.

I ran into trouble when doing a "full logout" and logging back in (SLO feature):
OIDC - Amazon Cognito
OIDC - keycloak
SAML - Okta

when I clicked to log out of the provider as well, it did log out, but logging back in, in either case, it did not prompt me to input the credentials again. I think that's what usually happens.

Screenshot 2025-11-25 at 14 31 04

No errors on the console regarding this... check screenshot above of logout URL XHR

Signed-off-by: Phillip Rak <rak.phillip@gmail.com>
@rak-phillip
Member Author

rak-phillip commented Nov 25, 2025

@aalves08 we were supposed to migrate to all from logoutAll, but this didn't happen in #15613. I suspect that the change was overwritten in a rebase.

This should be fixed now and ready for review.

Member

@aalves08 aalves08 left a comment


@rak-phillip with your change we got Amazon Cognito and Keycloak (both OIDC) to logout "all" just fine.

I did try Okta SAML again and I got this error:
Screenshot 2025-11-26 at 09 34 13
Screenshot 2025-11-26 at 09 31 33

When I click "log out from all", it does log out the user (only from Rancher, not from the auth provider) and he can log back in again, but it throws this error when logging out.

If I do "only log out from Rancher", no errors thrown, all works fine.

I don't think it's UI related, but definitely something to be fixed.

Let me know if you want to move this forward anyway. I can give you the thumbs up.

@rak-phillip
Member Author

Let me know if you want to move this forward anyway. I can give you the thumbs up.

No, let's do our due diligence and sync with the backend team first. We'll want to ensure that we're aligned before merging, otherwise people testing Rancher can run into undefined behavior.

@rak-phillip
Member Author

I get the following when I attempt to repro with Okta: POST https://54.189.167.38/v1/logout?all: 401 Unauthorized. I see similar behavior, we log out of Rancher, but remain logged into Okta. @pmatseykanets do you have any input on what the issue might be regarding Okta?

@pmatseykanets

get the following when I attempt to repro with Okta: POST https://54.189.167.38/v1/logout?all: 401 Unauthorized.

@rak-phillip It's not clear how the repro is done. Do you pass in the session token?

Works for me just fine

curl -L -v -X POST 'https://<rancher_url>/v1/logout?all' -k \
-b 'R_SESS=<...>' \
-d '{"finalRedirectUrl":"https://<rancher_url>/dashboard/auth/verify?is-slo&logged-out"}'

{
    "baseType": "authConfigLogoutOutput",
    "idpRedirectUrl": "https://integrator-XXX.okta.com/app/integrator-XXX_ranchersaml_1/exkxbtmonw8mOEZAt697/slo/saml?SAMLRequest=...",
    "type": "authConfigLogoutOutput"
}

@rak-phillip
Member Author

@aalves08 The Okta issue isn't related to this change and I can confirm that this is existing behavior present in 2.13.0. I created a follow-up issue to better investigate and address rancher/rancher#53944

aalves08
aalves08 previously approved these changes Dec 3, 2025
Member

@aalves08 aalves08 left a comment


LGTM

description: 'UI session',
responseType: 'cookie',
...body
}, { redirectUnauthorized: false });
Member


pretty sure this is still needed, which will prevent the ui trying to go to a 404 page if the user 401 fails single-sign on?

if ( opt.redirectUnauthorized !== false && res.status === 401 ) {

Member Author


Indeed, you are correct. Thanks, it initially wasn't clear how redirectUnauthorized: false mapped from the previous doAction() abstraction to management/request.
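The two behaviours argued over in this thread, the `redirectUnauthorized: false` opt-out quoted just above and the `POST /v1/logout?all` call from pmatseykanets' curl session that returns 401 without a session token, as one added illustration. This is example code written for this page, not code from the rancher/dashboard PR or from Rancher itself: the function names (`handleResponse`, `request`, `login`, `logoutAll`, `fakeBackend`, `resetSession`), the in-memory fake backend, the placeholder authenticated URL and the sample credentials are all constructed assumptions; only the endpoints and body fields visible in the thread are taken from the page.

```javascript
// Added example, not code from the rancher/dashboard PR. A small synchronous model of the
// UI request path: a 401 normally redirects the browser to the login page, unless the
// caller set `redirectUnauthorized: false`, which the login request must do so that a
// wrong password is shown inline instead of bouncing the page. The fake backend, the
// function names and the placeholder URLs are assumptions made for this illustration.

const LOGIN_URL = '/v1-public/login';
const LOGOUT_ALL_URL = '/v1/logout?all';
const PROTECTED_URL = '/v1/example-authenticated-resource'; // placeholder, not a real Rancher path

// Mirrors the check quoted in the review thread.
function handleResponse(opt, res) {
  if (opt.redirectUnauthorized !== false && res.status === 401) {
    return { action: 'redirect', to: '/auth/login' };
  }
  if (res.status >= 400) {
    // Hand the failure back to the caller so the form can display it.
    return { action: 'error', status: res.status, message: res.body && res.body.message };
  }
  return { action: 'ok', status: res.status, body: res.body };
}

// --- constructed fake backend standing in for Rancher ---------------------------------
let sessionCookie = null; // value of R_SESS after a successful login, or null

function resetSession() { sessionCookie = null; }

function fakeBackend(url, method, data, cookie) {
  if (url === LOGIN_URL && method === 'POST') {
    const ok = data && data.username === 'admin' && data.password === 'correct-horse';
    if (!ok) return { status: 401, body: { type: 'error', status: 401, message: 'Unauthorized' } };
    // responseType 'cookie': the session is set as R_SESS rather than returned in the body.
    sessionCookie = 'sess-' + Math.random().toString(16).slice(2);
    return { status: 200, body: { type: 'token', responseType: data.responseType } };
  }
  // Every other endpoint requires a valid session cookie, which is exactly what the
  // "did you pass in the session token?" question in the thread is about.
  if (!cookie || cookie !== sessionCookie) {
    return { status: 401, body: { type: 'error', status: 401, message: 'Unauthorized' } };
  }
  if (url === LOGOUT_ALL_URL && method === 'POST') {
    sessionCookie = null;
    return { status: 200, body: { baseType: 'authConfigLogoutOutput', type: 'authConfigLogoutOutput',
      idpRedirectUrl: 'https://idp.example.test/slo/saml?SAMLRequest=...' } }; // constructed value
  }
  return { status: 200, body: { url } };
}

// UI-side wrapper: sends the current session cookie, then applies handleResponse.
function request(opt, cookie = sessionCookie) {
  const res = fakeBackend(opt.url, opt.method || 'GET', opt.data, cookie);
  return handleResponse(opt, res);
}

// Login posts to v1-public/login with the 401 redirect disabled.
function login(credentials) {
  return request({
    url: LOGIN_URL, method: 'POST',
    data: { description: 'UI session', responseType: 'cookie', ...credentials },
    redirectUnauthorized: false,
  });
}

// Logout-all is only valid while the session cookie is present; on success the backend
// answers with the IdP's SLO URL that the browser must then be sent to.
function logoutAll(finalRedirectUrl, cookie = sessionCookie) {
  return request({
    url: LOGOUT_ALL_URL, method: 'POST',
    data: { finalRedirectUrl },
    redirectUnauthorized: false,
  }, cookie);
}

if (typeof require !== 'undefined' && require.main === module) {
  resetSession();
  console.log(login({ username: 'admin', password: 'nope' }));          // error 401, no redirect
  console.log(request({ url: PROTECTED_URL }));                           // redirect: no session yet
  console.log(login({ username: 'admin', password: 'correct-horse' }));  // ok, R_SESS now set
  console.log(logoutAll('https://rancher.example.test/dashboard/auth/verify?is-slo&logged-out'));
  console.log(logoutAll('https://rancher.example.test/dashboard/auth/verify?is-slo&logged-out', null)); // 401
}
```

The last two calls show why the 401 reported for Okta is not by itself a UI symptom: the same `/v1/logout?all` request succeeds with the session cookie and fails with 401 without it, so a reproduction has to confirm the cookie was sent before the failure can be attributed to the provider flow.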

Signed-off-by: Phillip Rak <rak.phillip@gmail.com>
@rak-phillip
Member Author

@aalves08 @richard-cox I addressed the redirectUnauthorized comment. This is ready for another review.

Member

@aalves08 aalves08 left a comment


LGTM. @richard-cox what about you?

@rak-phillip
Member Author

This should be ready to merge based on oob discussions with @richard-cox

@rak-phillip rak-phillip merged commit e241926 into rancher:master Dec 19, 2025
33 checks passed
@rak-phillip rak-phillip deleted the task/15326-login branch December 19, 2025 19:59