I am trying to test group authorizations in Spinnaker with multiple accounts but cannot for the life of me figure out the “correct” way of logging out of Spinnaker… The “Log Out” button says that it logs me out but the moment I try to go back to my instance, I am automatically logged back in. Even with Incognito windows something somewhere seems to get persisted even when I try to clear application data and cookies… Is there something I am missing?
Which authentication provider are you using? This sounds like a scenario similar to when you use Google OAuth and sign out of Spinnaker, but you are still logged into the Google Account, and when you refresh, Spinnaker logs you back in using the existing OAuth token.
I am indeed using the Google OAuth provider. Would you consider this to be working as expected then?
Yes, because Spinnaker should not be responsible for logging you out of your OAuth SSO service.
This is in part due to Spinnaker not having non-authenticated pages. That is, it (silently) kicks any page requests to the authn provider, which passes back the validated session. To see this work in slower motion, try logging out of Spinnaker while logged into 2 Google accounts simultaneously.
We discussed this a bit more on ways we could improve this. If you have specific expected behavior or use cases we should consider, please share them with us. Thanks.
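
The behavior described in this thread, as an added example that is not part of the original posts and is not Spinnaker or Google code: a small model of an app with no unauthenticated pages in front of an identity provider that keeps its own session. The class and method names are hypothetical, the accounts are constructed, and `prompt=select_account` is Google's OAuth 2.0 authorization parameter; whether a given Spinnaker setup can send it is an assumption the thread does not cover.

```python
# Constructed model: Idp, App and their methods are hypothetical names,
# not Spinnaker or Google APIs. Accounts are made-up sample values.
from urllib.parse import urlencode

class Idp:
    """Identity provider with its own browser session(s), separate from the app."""
    def __init__(self, signed_in):
        self.signed_in = list(signed_in)   # accounts with a live IdP session

    def authorize(self, prompt=None, choose=None):
        """Return the account asserted to the app, or None if the user must interact."""
        if prompt == "select_account" or len(self.signed_in) != 1:
            # Chooser or login page: nothing is asserted until the user picks.
            return choose if choose in self.signed_in else None
        return self.signed_in[0]           # one live session: silent re-authentication

class App:
    """Application where every page request needs an authenticated session."""
    def __init__(self, idp, prompt=None):
        self.idp, self.prompt, self.session = idp, prompt, None

    def authorize_url(self):
        """Authorization request the browser is redirected to (client id is a placeholder)."""
        q = {"response_type": "code", "client_id": "CLIENT_ID_PLACEHOLDER",
             "scope": "openid email"}
        if self.prompt:
            q["prompt"] = self.prompt
        return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(q)

    def logout(self):
        self.session = None                # clears only the app's session, not the IdP's

    def request(self, choose=None):
        """Serve a page; with no app session, bounce through the IdP first."""
        if self.session is None:
            self.session = self.idp.authorize(self.prompt, choose)
        return self.session or "IDP_INTERACTION_REQUIRED"

if __name__ == "__main__":
    idp = Idp(["alice@example.com"])
    app = App(idp)
    print("first visit:     ", app.request())
    app.logout()
    print("after log out:   ", app.request())   # same account, no prompt shown
    idp.signed_in.append("bob@example.com")
    app.logout()
    print("two IdP sessions:", app.request())   # IdP has to ask which account
    print("user picks bob:  ", app.request(choose="bob@example.com"))
    forced = App(Idp(["alice@example.com"]), prompt="select_account")
    print("forced chooser:  ", forced.request(), forced.authorize_url())
```

For testing group authorizations with several accounts, the model shows the two ways to get a different identity: end or multiply the session at the identity provider, or have the authorization request force the account chooser.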