User logout doesn't redirect to login form

[asteriscos]

Wazuh	Elastic	Rev	Security
4.2	7.x	4xxx	Basic, ODFE, Xpack

Browser
Chrome, Firefox, Safari, etc

Description
Whenever a user logs out Kibana randomly pops the "Select tenant" modal instead of redirecting to the login form.

Preconditions

1. Must have a security plugin

Expected Result

1. End session and redirect to login form

Actual Result

1. Pops "Choose tenant" modal

Screenshots

Additional context
Add any other context about the problem here. Here you can paste log entries too or any other useful information that may help with the issue.

[Desvelao]

Research

I was trying to replicate the problem and I could not in the plugin of Wazuh 4.3.0. I tried with a plugin for Kibana of Wazuh 4.2.5 and I could replicate it.

The problem could be related to the listener added to the Log out button. For the case with Open Distro for Elasticsearch:

• Plugin 4.2.5: the click listener is added to 2 span elements when the mouseleave event is triggered of the avatar button in the top right corner of the screen. This could be causing indirectly the user can't logout and redirect to the login page.
  Selector https://github.com/wazuh/wazuh-kibana-app/blob/cloud/4.2.5-7.10.2/public/app.js#L120-L122

$('span:contains(Log out)').on('click', function () {
      WzAuthentication.deleteExistentToken();
    });

• Plugin 4.3.0: the selector to add the click listener to the DOM element was changed to a button element instead of the span. Only a listener is added

I don't know about the cause, but it could be a race condition due to the request to delete the token in parallel.

Problems

• The click listener is added when the mouseleave event is triggered in the button with the user avatar. This means that if the user triggers the mouseleave event, entering and leaving the account button with the mouse cursor, a click listener is added to the Log out button. If the user clicks on the Log out button, all click listeners are executed, doing one request to deprecate the token for each listener. We should be sure only one listener is added to the Log out button and this could overcomplicate the logic but could possibly to reduce o remove the bug of the issue.

• For Kibana with ODFE or the OpenSearch Dashboards with the security plugin, the added listener only deprecates the token of the Wazuh API, and the logic to logout of the platform is managed by the original button rendered by the security plugin. This and the listener added by the Wazuh plugin could run in parallel and maybe we should replace the original listener to apply the same logic used for X-Pack (deprecate the token of the Wazuh API and redirect to the logout).

Logout button in:

• ODFE security plugin:
  • default authentication: https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/blob/v1.13.0.0/public/apps/account/log-out-button.tsx#L47-L54
  • openid and saml authentication: https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/blob/v1.13.0.0/public/apps/account/log-out-button.tsx#L31-L38
• OpenSearch Dashboards security plugin:
  • default authentication: https://github.com/opensearch-project/security-dashboards-plugin/blob/1.2.0.0/public/apps/account/log-out-button.tsx#L47-L54
  • openid and saml authentication: https://github.com/opensearch-project/security-dashboards-plugin/blob/1.2.0.0/public/apps/account/log-out-button.tsx#L31-L38

The logic for the Log out button in ODFE and OpenSearch Dashboards security plugins are equal. Note the buttons for the default and the openid/saml authenticacion uses different properties: onClick vs href of the EuiEmptyButton, this could afffect to the solution to apply or at least, we should have in account these cases.

[Desvelao]

We opened 2 issues in the repositories of Kibana and OpenSearch Dashboards security plugin to request a feature to hook the log out functionality to apply our logic:

• Kibana: [FEATURE] Allow to others plugins run some actions when the user logs out elastic/kibana#130943
• OpenSearch Dashboards security plugin: [FEATURE] Allow to others plugins run some actions when the user logs out opensearch-project/security-dashboards-plugin#969

[AlexRuiz7]

Might be solved by #4779

[yenienserrano]

fixed in 4.3.10, no longer happens from that version on.