Can't sign out properly #2766

Closed
Firstyear opened this issue May 14, 2024 Discussed in #2760 · 9 comments · Fixed by #2795
Labels
bug Something isn't working

Comments

@Firstyear
Member

Firstyear commented May 14, 2024

Discussed in #2760

Originally posted by MrSpock May 11, 2024
Hi,
I'm evaluating kanidm and I'm stuck on basic stuff like logout.
When I log in to the system and click Sign Out, I get the following log error and web message:

kanidmd | 76071ae1-1f1b-40b6-a9f8-d1d2778420b0 INFO request [ 4.50ms | 9.87% / 100.00% ] method: GET | uri: /v1/logout | version: HTTP/1.1
kanidmd | 76071ae1-1f1b-40b6-a9f8-d1d2778420b0 INFO ┝━ handle_logout [ 4.06ms | 22.44% / 90.13% ]
kanidmd | 76071ae1-1f1b-40b6-a9f8-d1d2778420b0 INFO │ ┝━ validate_client_auth_info_to_ident [ 3.05ms | 67.69% ]
kanidmd | 76071ae1-1f1b-40b6-a9f8-d1d2778420b0 INFO │ │ ┕━ i [info]: A valid limited session value exists for this token | event_tag_id: 10
kanidmd | 76071ae1-1f1b-40b6-a9f8-d1d2778420b0 INFO │ ┝━ i [info]: modify initiator | event_tag_id: 10 | name: User( spock@*, fc4a6f61-a843-4dbf-bf27-cfc91b0ec0f6 ) (d8ebf915-0b57-4439-b3d9-ea757cf7585e, read write)
kanidmd | 76071ae1-1f1b-40b6-a9f8-d1d2778420b0 INFO │ ┝━ i [info]: search | event_tag_id: 10 | initiator: User( spock@idm*, fc4a6f61-a843-4dbf-bf27-cfc91b0ec0f6 ) (d8ebf915-0b57-4439-b3d9-ea757cf7585e, read write)
kanidmd | 76071ae1-1f1b-40b6-a9f8-d1d2778420b0 INFO │ ┝━ i [info]: denied ❌ - no entries were released | event_tag_id: 11
kanidmd | 76071ae1-1f1b-40b6-a9f8-d1d2778420b0 ERROR │ ┝━ 🚨 [error]: modify: no candidates match filter, failure Filter(Valid) (not ( (class eq Iutf8("tombstone") or class eq Iutf8("recycled")) ) and (uuid eq Uuid(fc4a6f61-a843-4dbf-bf27-cfc91b0ec0f6) and user_auth_token_session eq Refer(d8ebf915-0b57-4439-b3d9-ea757cf7585e)))
kanidmd | | event_tag_id: 4
kanidmd | 76071ae1-1f1b-40b6-a9f8-d1d2778420b0 ERROR │ ┕━ 🚨 [error]: Failed to destroy user auth token NoMatchingEntries | event_tag_id: 1
kanidmd | 76071ae1-1f1b-40b6-a9f8-d1d2778420b0 WARN ┕━ 🚧 [warn]: | latency: 4.545756ms | status_code: 404 | kopid: "76071ae1-1f1b-40b6-a9f8-d1d2778420b0" | msg: "client error"

[Screenshot: kanidm-signout]

What am I doing wrong? :)

I wonder if in this case since the auth token is within the grace window, and since it's being used to logout, we should just write a session stub with the revoked state which will cause the async write back to be dropped? It would resolve this error.
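A simplified model of the race hypothesised in the comment above, added here as an illustration (it is not kanidm's code; the `Store` type and its methods are hypothetical). A logout that arrives before the delayed session write fails under a strict lookup and leaves the session active once the write lands, while a revoked stub turns the late write into a no-op.

```rust
use std::collections::HashMap;

// Simplified model, not kanidm code; all names are hypothetical.
#[derive(Debug, Clone, Copy, PartialEq)]
enum SessionState { Active, Revoked }
#[derive(Debug, PartialEq)]
enum LogoutError { NoMatchingEntries }

#[derive(Default)]
struct Store {
    sessions: HashMap<u32, SessionState>, // persisted session records
    pending: Vec<u32>,                    // session writes not yet applied
}

impl Store {
    // Login hands out a token at once; the record is written later.
    fn login(&mut self, id: u32) { self.pending.push(id); }

    // Strict logout: revoke only if the record is already persisted.
    fn logout_strict(&mut self, id: u32) -> Result<(), LogoutError> {
        match self.sessions.get_mut(&id) {
            Some(s) => { *s = SessionState::Revoked; Ok(()) }
            None => Err(LogoutError::NoMatchingEntries),
        }
    }
    // Proposed: always persist a revoked stub, record or no record.
    fn logout_with_stub(&mut self, id: u32) { self.sessions.insert(id, SessionState::Revoked); }

    // Apply delayed writes; an existing record (such as a stub) wins.
    fn flush(&mut self) {
        for id in std::mem::take(&mut self.pending) {
            self.sessions.entry(id).or_insert(SessionState::Active);
        }
    }
    fn is_active(&self, id: u32) -> bool { self.sessions.get(&id) == Some(&SessionState::Active) }
}

// Returns (strict logout result, active after strict, active after stub).
fn race_demo() -> (Result<(), LogoutError>, bool, bool) {
    let (mut a, mut b) = (Store::default(), Store::default());
    a.login(1);
    let strict = a.logout_strict(1); // record not written yet: error
    a.flush();                       // late write lands, session stays active
    b.login(1);
    b.logout_with_stub(1);
    b.flush();                       // late write dropped by the stub
    (strict, a.is_active(1), b.is_active(1))
}

fn main() { println!("{:?}", race_demo()); }
```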

@yaleman yaleman added the bug Something isn't working label May 14, 2024
@yaleman
Member

yaleman commented May 14, 2024

[info]: A valid limited session value exists for this token

Is that just checking the JWT is valid, or is it going into the user's entry to find it? Because that'd indicate that the log IN session had synchronized at least - thinking about the "async write race" possibility.

@Firstyear
Member Author

I'd need to double check the logs to be sure, but I know I've hit this case in other situations anyway.

@Job79

Job79 commented May 14, 2024

We also experienced this issue before switching to the devel container. We could log out with the admin user, but not with the other users we created.

So it might be some sort of permissions issue? And based on our observation, the issue seems to be fixed in the devel version.

@Firstyear
Member Author

Were you logging in/out really fast? Or was there a time gap between the login and logout?

@scaredmushroom

scaredmushroom commented May 15, 2024

I'm having this issue too.
Tried to log out with an account (w/o any additional roles/permissions) after about 5 minutes, but failed.

May 15 10:49:17 idm kanidmd[808]: 8c65b939-5166-4971-8060-d8c3e07522fd INFO     request [ 738µs | 20.12% / 100.00% ] method: GET | uri: /v1/logout | version: HTTP/1.0
May 15 10:49:17 idm kanidmd[808]: 8c65b939-5166-4971-8060-d8c3e07522fd INFO     ┝━ handle_logout [ 589µs | 39.44% / 79.88% ]
May 15 10:49:17 idm kanidmd[808]: 8c65b939-5166-4971-8060-d8c3e07522fd INFO     │  ┝━ validate_client_auth_info_to_ident [ 298µs | 40.44% ]
May 15 10:49:17 idm kanidmd[808]: 8c65b939-5166-4971-8060-d8c3e07522fd INFO     │  │  ┕━ i [info]: A valid limited session value exists for this token | event_tag_id: 10
May 15 10:49:17 idm kanidmd[808]: 8c65b939-5166-4971-8060-d8c3e07522fd INFO     │  ┝━ i [info]: modify initiator | event_tag_id: 10 | name: User( *****@******, 56240bc7-8f6a-45d5-b66f-09fe0f2e0a83 ) (c9a45c9f-ae42-4d23-a38e-b0fe2c43ddb4, read write)
May 15 10:49:17 idm kanidmd[808]: 8c65b939-5166-4971-8060-d8c3e07522fd INFO     │  ┝━ i [info]: search | event_tag_id: 10 | initiator: User( *****@******, 56240bc7-8f6a-45d5-b66f-09fe0f2e0a83 ) (c9a45c9f-ae42-4d23-a38e-b0fe2c43ddb4, read write)
May 15 10:49:17 idm kanidmd[808]: 8c65b939-5166-4971-8060-d8c3e07522fd INFO     │  ┝━ i [info]: denied ❌ - no entries were released | event_tag_id: 11
May 15 10:49:17 idm kanidmd[808]: 8c65b939-5166-4971-8060-d8c3e07522fd ERROR    │  ┝━ 🚨 [error]: modify: no candidates match filter, failure Filter(Valid) (not ( (class eq Iutf8("tombstone") or class eq Iutf8("recycled")) ) and (uuid eq Uuid(56240bc7-8f6a-45d5-b66f-09fe0f2e0a83) and user_auth_token_session eq Refer(c9a45c9f-ae42-4d23-a38e-b0fe2c43ddb4)))
May 15 10:49:17 idm kanidmd[808]:  | event_tag_id: 4
May 15 10:49:17 idm kanidmd[808]: 8c65b939-5166-4971-8060-d8c3e07522fd ERROR    │  ┕━ 🚨 [error]: Failed to destroy user auth token NoMatchingEntries | event_tag_id: 1
May 15 10:49:17 idm kanidmd[808]: 8c65b939-5166-4971-8060-d8c3e07522fd WARN     ┕━ 🚧 [warn]:  | latency: 763.726µs | status_code: 404 | kopid: "8c65b939-5166-4971-8060-d8c3e07522fd" | msg: "client error"

Version kanidmd: 1.2.0

@Job79

Job79 commented May 15, 2024

There were ~10 seconds in between login and logout when I tried, but I also had the error when trying to log out with a session that was a couple of days old.

request [ 2.69ms | 12.48% / 100.00% ] method: GET | uri: /v1/logout | version: HTTP/1.1
   ┝━ handle_logout [ 2.35ms | 34.30% / 87.52% ]
   │  ┝━ validate_client_auth_info_to_ident [ 1.43ms | 53.22% ]
   │  │  ┕━ i [info]: A valid limited session value exists for this token | event_tag_id: 10
   │  ┝━ i [info]: modify initiator | event_tag_id: 10 | name: User( [email protected], f02b51f8-2b06-4e16-8138-d66eba3fb78d ) (9a182fb2-bf>
   │  ┝━ i [info]: search | event_tag_id: 10 | initiator: User( [email protected], f02b51f8-2b06-4e16-8138-d66eba3fb78d ) (9a182fb2-bfc7-4b>
   │  ┝━ i [info]: denied ❌ - no entries were released | event_tag_id: 11
   │  ┝━ 🚨 [error]: modify: no candidates match filter, failure Filter(Valid) (not ( (class eq Iutf8("tombstone") or class eq Iutf8("recycled")) ) a>
   │  ┕━ 🚨 [error]: Failed to destroy user auth token NoMatchingEntries | event_tag_id: 1
   ┕━ 🚧 [warn]:  | latency: 2.711547ms | status_code: 404 | kopid: "f478b6cf-8834-4cdf-bed7-d3bc02972a45" | msg: "client error"

@yaleman
Member

yaleman commented May 15, 2024

There's... also something going on in the CLI, noted in #2741

Screenshot 2024-05-16 at 06 53 18

@zoechi

zoechi commented May 24, 2024

That's a bit cumbersome. I have to clear Local storage (bearer_token) manually to log out.
It's one thing that the session is not found in the server, but the error should not prevent the session token from being discarded in the client.

@Firstyear
Member Author

I have investigated and submitted a PR. I'm really sorry that this happened, we'll have this backported to 1.2 for everyone.
