feat: tpa automatic logout

[kaustavb12]

Description

This PR adds the ability to enable automated TPA logout.

Currently, if a user is logged in through TPA and a logout_url is configured, when logging out, the user is presented with the prompt Click here to delete your single signed-on (SSO) session.

However, some Open edX operators would not want a two-step logout process and instead would prefer the user is logged out of both Open edX and the SSO with a single click. This is especially critical for use-cases such as when the learners might share terminals in their educational institutions in countries/regions with low internet penetration.

This PR adds the TPA_AUTOMATIC_LOGOUT_ENABLED django setting, which when enabled, redirects the user automatically to the TPA logout_url if it is configured.

This new django setting has no effect if logout_url is either not configured and the user is logged in directly though the LMS(using username and password).

Supporting information

Link to other information about the change, such as Jira issues, GitHub issues, or Discourse discussions.
Be sure to check they are publicly readable, or if not, repeat the information here.

Testing instructions

User sign-in using third party SSO

1. Go to the sandbox pr32193.sandbox.do.opencraft.hosting where the changes are deployed
2. Click on Sign In and select Cognito from the sign in with section below. You will now be redirected to the Cognito sign-in page.
3. Login to Cognito using the following credentials:
   Username : openedx
   Email : [email protected]
   Password: openedx
4. You should be redirected to the LMS dashboard automatically and logged in as the openedx user.
5. Open developer tools in your browser, go the Network tab and select Preserve log or Persist logs
6. Click Sign Out from the drop-down menu on the top right.
7. Verify redirects to LMS /logout -> Cognito /logout -> LMS /logout -> LMS /

User sign-in without using third party SSO

1. Go to the sandbox pr32193.sandbox.do.opencraft.hosting where the changes are deployed
2. Click on Sign In and login through the default login form using the following credentials:
   Username : openedx
   Email : [email protected]
   Password: openedx
3. You should be redirected to the LMS dashboard automatically and logged in as the openedx user.
4. Open developer tools in your browser, go the Network tab and select Preserve log or Persist logs
5. Click Sign Out from the drop-down menu on the top right.
6. Verify redirects to LMS /logout -> LMS /.

Deadline

"None" if there's no rush, or provide a specific date or event (and reason) if there is one.

Other information

OpenCraft internal ticket BB-7398

[openedx-webhooks]

Thanks for the pull request, @kaustavb12! Please note that it may take us up to several weeks or months to complete a review and merge your PR.

Feel free to add as much of the following information to the ticket as you can:

• supporting documentation
• Open edX discussion forum threads
• timeline information ("this must be merged by XX date", and why that is)
• partner information ("this is a course on edx.org")
• any other information that can help Product understand the context for the PR

All technical communication about the code itself will be done via the GitHub pull request interface. As a reminder, our process documentation is here.

Please let us know once your PR is ready for our review and all tests are green.

[navinkarkera]

👍 @kaustavb12 Looks good, just added few suggestions related to docs.

• I tested this: Tested logging in and out from sandbox.
• I read through the code
• I checked for accessibility issues
• Includes documentation
• I made sure any change in configuration variables is reflected in the corresponding client's configuration-secure repository.

[e0d]

@timmc-edx I see you as an author of logout.py. Is this something you could review or could you recommend a reviewer. This definitely looks useful.

[timmc-edx]

I'll leave a few comments for the parts I understand, but I'll see if I can find someone on Vanguards to do a proper review. (They're listed as owners for the user_authn Django app.)

[timmc-edx]

We should only have this defined on the LMS side -- the CMS side just redirects to LMS for logout.

[kaustavb12]

@timmc-edx You are right, I added this in the CMS side only because some CMS test cases were failing. In hindsight, that was the incorrect way to go about it, I have now handled it differently and removed it from the CMS side.

[timmc-edx]

I think toggle_tickets is primarily used for temporary toggles, whereas this one would be intended as permanent.

[kaustavb12]

Removed this.

[timmc-edx]

[nit] I believe this would generally be considered an opt_in toggle, although I don't have very strong feelings on this. Docs: https://edx.readthedocs.io/projects/edx-toggles/en/latest/how_to/documenting_new_feature_toggles.html

[kaustavb12]

Thanks for linking the docs.

[timmc-edx]

(Actually, I'll let the usual contributions/maintainership process happen, rather than interfering.)

[mphilbrick211]

Hi @timmc-edx! Just seeing if you were able to find someone on the Vanguards to review/merge this?

[mphilbrick211]

@openedx/vanguards Hi! Could someone please review this, and merge if all looks good? Thanks!

[zainab-amir]

@mphilbrick211 we are already reviewing it. @mubbsharanwar has been assigned this ticket.

Please note that we pick these reviews based on the team's capacity for external requests and delays are to be expected.

[openedx-webhooks]

@kaustavb12 🎉 Your pull request was merged! Please take a moment to answer a two question survey so we can improve your experience in the future.

[edx-pipeline-bot]

EdX Release Notice: This PR has been deployed to the staging environment in preparation for a release to production.

[edx-pipeline-bot]

EdX Release Notice: This PR has been deployed to the production environment.

[kaustavb12]

Thank you @timmc-edx and @mubbsharanwar for the reviews and your help to move this forward.