RStudio Server Sign Out Fix

We’re in the midst of standing up RStudio Server Pro as a campus service. The software presents its share of oddities. For instance, there doesn’t seem to be a comprehensive list of valid tokens for rserver.conf (the primary configuration file); instead, they are scattered throughout the documentation, and I’ve even come across others that don’t seem to be referenced anywhere in the main docs. But perhaps the most striking omission is that, when using proxied authentication, there doesn’t appear to be a way to configure the Sign Out button to work properly.

The basic configuration to enable proxied authentication is simple. Within rserver.conf, you add the following lines:

    auth-proxy=1
    auth-proxy-sign-in-url=https://my.sso.login.url

So far, so good. But then, the docs mention something quite odd:

RStudio will redirect to the sign in URL under the following conditions:

  1. Whenever an HTTP request that lacks the username header is received by the server; and
  2. When the user clicks the “Sign out” button in the RStudio IDE user interface.

The problem lies with the second condition. Why would I want to redirect someone to the login URL, when I need to direct them to the logout URL? That is, often there are separate URLs for SSO login and logout, since the logout URL typically clears the authentication session (you know…logging someone out). In our experience, clicking the Sign Out button simply made the page spin for a second before returning the user to the exact same session they were trying to close. That’s because it would dutifully send them to the login URL, the active session would still be in place, and the user would pass right through back into their existing session. I can’t understand what kind of design decision this is.

Moreover, there is no valid token along the lines of, e.g., auth-proxy-sign-out-url. There *is*, however, auth-sso-signout-url, which I’ve only seen referenced in this blog post from 2014, and in any case it doesn’t work now, at least not for proxied authentication. I even checked with a colleague at another institution, where they have been running RStudio Server Pro for a while now, and he confirmed that they, too, have never had a working Sign Out button and simply rely on users to close the browser window; the session then gets explicitly killed after 48 hours (or whatever value you set for session-timeout-kill-hours in the profiles file).

So what did we do? Well, though inelegant, we configured our Apache proxy to capture the sign out URL and redirect to the proper logout URL (using mod_rewrite):

    RewriteEngine on
    RewriteRule ^/s/.*/auth-sign-out$ https://my.sso.logout.url

This works fine, though it seems a shame to resort to this kind of solution.
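
The sign-out flow described above, as an added example that is not from the original post or from RStudio: a small Python model showing why the stock redirect leaves the SSO session alive and why the rewrite clears it. The `Deployment` class, the cookie value and the session path `/s/0123abcd/` are constructed for illustration; only the two URLs and the rule pattern come from the configuration above.

```python
import re

LOGIN_URL = "https://my.sso.login.url"    # auth-proxy-sign-in-url from the page
LOGOUT_URL = "https://my.sso.logout.url"  # RewriteRule target from the page
SIGN_OUT = re.compile(r"^/s/.*/auth-sign-out$")  # RewriteRule pattern from the page


class Deployment:
    """Constructed model: browser -> Apache proxy -> RStudio, plus an SSO provider."""

    def __init__(self, rewrite_enabled):
        self.rewrite_enabled = rewrite_enabled
        self.sso_sessions = {"alice-cookie": "alice"}  # constructed live SSO session

    def proxy(self, path):
        """Return the redirect target the browser receives for a request path."""
        if self.rewrite_enabled and SIGN_OUT.match(path):
            return LOGOUT_URL  # the workaround: intercepted before RStudio sees it
        if path.endswith("/auth-sign-out"):
            return LOGIN_URL   # documented behaviour when "Sign out" is clicked
        return None            # ordinary request, no redirect

    def sso(self, url, cookie):
        """Only the logout URL ends the SSO session; the login URL leaves it alone."""
        if url == LOGOUT_URL:
            self.sso_sessions.pop(cookie, None)
        # With a live session, the login URL passes the user straight back in.
        return self.sso_sessions.get(cookie)

    def click_sign_out(self, cookie, path="/s/0123abcd/auth-sign-out"):
        """Follow the sign-out redirect; return the user still signed in, if any."""
        target = self.proxy(path)
        return self.sso(target, cookie) if target else self.sso_sessions.get(cookie)


def still_signed_in(rewrite_enabled):
    """User name that survives a Sign Out click, or None if the session ended."""
    return Deployment(rewrite_enabled).click_sign_out("alice-cookie")


if __name__ == "__main__":
    print("stock config ->", still_signed_in(False))
    print("with rewrite ->", still_signed_in(True))
```

In this model a sign-out path outside `/s/` is not matched by the rule and still lands on the login URL, so it is worth confirming which sign-out paths your own deployment actually emits.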