zitadel/internal/command/logout_session_model.go

75 lines
1.9 KiB
Go
Raw Normal View History

feat(OIDC): add back channel logout (#8837) # Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
2024-10-31 15:57:17 +01:00
package command
import (
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/repository/sessionlogout"
)
type SessionLogoutWriteModel struct {
eventstore.WriteModel
UserID string
OIDCSessionID string
ClientID string
BackChannelLogoutURI string
BackChannelLogoutSent bool
aggregate *eventstore.Aggregate
}
func NewSessionLogoutWriteModel(id string, instanceID string, sessionID string) *SessionLogoutWriteModel {
return &SessionLogoutWriteModel{
WriteModel: eventstore.WriteModel{
AggregateID: id,
ResourceOwner: instanceID,
InstanceID: instanceID,
},
aggregate: &sessionlogout.NewAggregate(id, instanceID).Aggregate,
OIDCSessionID: sessionID,
}
}
func (wm *SessionLogoutWriteModel) Reduce() error {
for _, event := range wm.Events {
switch e := event.(type) {
case *sessionlogout.BackChannelLogoutRegisteredEvent:
wm.reduceRegistered(e)
case *sessionlogout.BackChannelLogoutSentEvent:
wm.reduceSent(e)
}
}
return wm.WriteModel.Reduce()
}
func (wm *SessionLogoutWriteModel) Query() *eventstore.SearchQueryBuilder {
query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
AddQuery().
AggregateTypes(sessionlogout.AggregateType).
AggregateIDs(wm.AggregateID).
EventTypes(
sessionlogout.BackChannelLogoutRegisteredType,
sessionlogout.BackChannelLogoutSentType,
).
EventData(map[string]interface{}{
"oidc_session_id": wm.OIDCSessionID,
}).
Builder()
return query
}
func (wm *SessionLogoutWriteModel) reduceRegistered(e *sessionlogout.BackChannelLogoutRegisteredEvent) {
if wm.OIDCSessionID != e.OIDCSessionID {
return
}
wm.UserID = e.UserID
wm.ClientID = e.ClientID
wm.BackChannelLogoutURI = e.BackChannelLogoutURI
}
func (wm *SessionLogoutWriteModel) reduceSent(e *sessionlogout.BackChannelLogoutSentEvent) {
if wm.OIDCSessionID != e.OIDCSessionID {
return
}
wm.BackChannelLogoutSent = true
}