forked from zitadel/zitadel
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(OIDC): add back channel logout (zitadel#8837)
# Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires zitadel/oidc#671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes zitadel#8467 - TODO: - Documentation - UI to be done: zitadel#8469 --------- Co-authored-by: Hidde Wieringa <[email protected]>
- Loading branch information
Showing
87 changed files
with
1,778 additions
and
280 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
package setup | ||
|
||
import ( | ||
"context" | ||
_ "embed" | ||
|
||
"github.com/zitadel/zitadel/internal/database" | ||
"github.com/zitadel/zitadel/internal/eventstore" | ||
) | ||
|
||
var ( | ||
//go:embed 37.sql | ||
addBackChannelLogoutURI string | ||
) | ||
|
||
type Apps7OIDConfigsBackChannelLogoutURI struct { | ||
dbClient *database.DB | ||
} | ||
|
||
func (mig *Apps7OIDConfigsBackChannelLogoutURI) Execute(ctx context.Context, _ eventstore.Event) error { | ||
_, err := mig.dbClient.ExecContext(ctx, addBackChannelLogoutURI) | ||
return err | ||
} | ||
|
||
func (mig *Apps7OIDConfigsBackChannelLogoutURI) String() string { | ||
return "37_apps7_oidc_configs_add_back_channel_logout_uri" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
ALTER TABLE IF EXISTS projections.apps7_oidc_configs ADD COLUMN IF NOT EXISTS back_channel_logout_uri TEXT; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
package setup | ||
|
||
import ( | ||
"context" | ||
_ "embed" | ||
|
||
"github.com/zitadel/zitadel/internal/database" | ||
"github.com/zitadel/zitadel/internal/eventstore" | ||
) | ||
|
||
var ( | ||
//go:embed 38.sql | ||
backChannelLogoutCurrentState string | ||
) | ||
|
||
type BackChannelLogoutNotificationStart struct { | ||
dbClient *database.DB | ||
esClient *eventstore.Eventstore | ||
} | ||
|
||
func (mig *BackChannelLogoutNotificationStart) Execute(ctx context.Context, e eventstore.Event) error { | ||
_, err := mig.dbClient.ExecContext(ctx, backChannelLogoutCurrentState, e.Sequence(), e.CreatedAt(), e.Position()) | ||
return err | ||
} | ||
|
||
func (mig *BackChannelLogoutNotificationStart) String() string { | ||
return "38_back_channel_logout_notification_start_" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
INSERT INTO projections.current_states ( | ||
instance_id | ||
, projection_name | ||
, last_updated | ||
, sequence | ||
, event_date | ||
, position | ||
, filter_offset | ||
) | ||
SELECT instance_id | ||
, 'projections.notifications_back_channel_logout' | ||
, now() | ||
, $1 | ||
, $2 | ||
, $3 | ||
, 0 | ||
FROM eventstore.events2 | ||
WHERE aggregate_type = 'instance' | ||
AND event_type = 'instance.added' | ||
ON CONFLICT DO NOTHING; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.