
Ensure that the OpenShift OAuth logout URL is set

An XCCDF Rule

Description

The user can be redirected to a configured URL upon logout.
This is achievable via the OAuth object by setting the logoutRedirect attribute. Refer to the relevant documentation.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/config.openshift.io/v1/consoles/cluster API endpoint, and save the response to the local /apis/config.openshift.io/v1/consoles/cluster file.

Rationale

The web console's default logout will invalidate the user's session token and redirect back to the console page, which will in turn redirect the user to the authentication page. There is no explicit logout message. In addition, if the IdP provider type is OIDC, the session token from the SSO provider will remain valid, which would effectively keep the user logged in. To correct this, the web console needs to be configured to redirect the user to a logout page. If using an OIDC provider, this would be the logout page for that provider.
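The following is an added example of how the check described above can be reproduced offline against a saved copy of the /apis/config.openshift.io/v1/consoles/cluster resource; it is not the rule's own OVAL check or Compliance Operator code. It reads the field spec.authentication.logoutRedirect of the Console config resource, treats an empty value as a failure (the default the Rationale describes), and additionally requires an absolute https URL, which is a hardening choice of this example rather than a requirement stated by the rule. The three sample dumps are constructed; the hostname sso.example.com is a placeholder for an OIDC provider's logout endpoint.

```python
"""Offline evaluation of the OpenShift console logoutRedirect setting.

Added example, not the ComplianceAsCode rule's own check. It evaluates a
saved copy of /apis/config.openshift.io/v1/consoles/cluster, the same file
the rule's check reads. spec.authentication.logoutRedirect is the field of
the Console config API that the description's "logoutRedirect attribute"
refers to. All sample dumps below are constructed.
"""
import json
from typing import Dict, Tuple
from urllib.parse import urlparse


def logout_redirect(dump: Dict) -> str:
    """Return the configured logoutRedirect, or "" when unset or null."""
    spec = dump.get("spec") or {}
    auth = spec.get("authentication") or {}
    return auth.get("logoutRedirect") or ""


def evaluate(dump: Dict) -> Tuple[str, str]:
    """Return ("pass" | "fail", reason) for one Console config dump.

    Unset/empty fails, matching the rule. Requiring an absolute https URL
    is an extra hardening choice of this example.
    """
    url = logout_redirect(dump)
    if not url:
        return "fail", "spec.authentication.logoutRedirect is not set"
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        return "fail", f"logoutRedirect {url!r} is not an absolute https URL"
    return "pass", f"logoutRedirect points to {url}"


def check_file(path: str) -> Tuple[str, str]:
    """Evaluate a dump saved to disk, e.g. by an API-dumping tool."""
    with open(path, encoding="utf-8") as fh:
        return evaluate(json.load(fh))


def _console(spec: Dict) -> Dict:
    # Constructed skeleton of a Console config resource named "cluster".
    return {
        "apiVersion": "config.openshift.io/v1",
        "kind": "Console",
        "metadata": {"name": "cluster"},
        "spec": spec,
    }


# Constructed sample dumps (sso.example.com is a placeholder IdP host).
COMPLIANT = _console({"authentication": {
    "logoutRedirect": "https://sso.example.com/realms/ocp/protocol/openid-connect/logout"}})
DEFAULT_UNSET = _console({})                       # cluster default: field absent
PLAIN_HTTP = _console({"authentication": {
    "logoutRedirect": "http://sso.example.com/logout"}})  # set, but not https

if __name__ == "__main__":
    for name, dump in [("compliant", COMPLIANT),
                       ("default-unset", DEFAULT_UNSET),
                       ("plain-http", PLAIN_HTTP)]:
        status, reason = evaluate(dump)
        print(f"{name:14} {status:4} {reason}")
```

Point `check_file` at the locally saved copy of the resource to run the same evaluation the rule performs against the cluster dump; a non-empty, absolute https `logoutRedirect` is the only configuration that passes.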

ID
xccdf_org.ssgproject.content_rule_oauth_logout_url_set
Severity
Medium
References
Updated