feat(OIDC): add back channel logout (#8837)

# Which Problems Are Solved

Currently ZITADEL supports RP-initiated logout for clients. Back-channel
logout ensures that user sessions are terminated across all connected
applications, even if the user closes their browser or loses
connectivity providing a more secure alternative for certain use cases.

# How the Problems Are Solved

If the feature is activated and the client used for the authentication
has a back_channel_logout_uri configured, a
`session_logout.back_channel` will be registered. Once a user terminates
their session, a (notification) handler will send a SET (form POST) to
the registered uri containing a logout_token (with the user's ID and
session ID).

- A new feature "back_channel_logout" is added on system and instance
level
- A `back_channel_logout_uri` can be managed on OIDC applications
- Added a `session_logout` aggregate to register and inform about sent
`back_channel` notifications
- Added a `SecurityEventToken` channel and `Form`message type in the
notification handlers
- Added `TriggeredAtOrigin` fields to `HumanSignedOut` and
`TerminateSession` events for notification handling
- Exported various functions and types in the `oidc` package to be able
to reuse for token signing in the back_channel notifier.
- To prevent that current existing session termination events will be
handled, a setup step is added to set the `current_states` for the
`projections.notifications_back_channel_logout` to the current position

- [x] requires https://github.com/zitadel/oidc/pull/671

# Additional Changes

- Updated all OTEL dependencies to v1.29.0, since OIDC already updated
some of them to that version.
- Single Session Termination feature is correctly checked (fixed feature
mapping)

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8467
- TODO:
  - Documentation
  - UI to be done: https://github.com/zitadel/zitadel/issues/8469

---------

Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>

internal/api/oidc/auth_request.go

@@ -215,18 +215,18 @@ func (o *OPStorage) TerminateSession(ctx context.Context, userID, clientID strin
 		logging.Error("no user agent id")
 		return zerrors.ThrowPreconditionFailed(nil, "OIDC-fso7F", "no user agent id")
 	}
-	userIDs, err := o.repo.UserSessionUserIDsByAgentID(ctx, userAgentID)
+	sessions, err := o.repo.UserSessionsByAgentID(ctx, userAgentID)
 	if err != nil {
 		logging.WithError(err).Error("error retrieving user sessions")
 		return err
 	}
-	if len(userIDs) == 0 {
+	if len(sessions) == 0 {
 		return nil
 	}
 	data := authz.CtxData{
 		UserID: userID,
 	}
-	err = o.command.HumansSignOut(authz.SetCtxData(ctx, data), userAgentID, userIDs)
+	err = o.command.HumansSignOut(authz.SetCtxData(ctx, data), userAgentID, sessions)
 	logging.OnError(err).Error("error signing out")
 	return err
 }
@@ -278,18 +278,18 @@ func (o *OPStorage) terminateV1Session(ctx context.Context, userID, sessionID st
 		if err != nil {
 			return err
 		}
-		return o.command.HumansSignOut(ctx, userAgentID, []string{userID})
+		return o.command.HumansSignOut(ctx, userAgentID, []command.HumanSignOutSession{{ID: sessionID, UserID: userID}})
 	}
 	// otherwise we search for all active sessions within the same user agent of the current session id
-	userAgentID, userIDs, err := o.repo.ActiveUserIDsBySessionID(ctx, sessionID)
+	userAgentID, sessions, err := o.repo.ActiveUserSessionsBySessionID(ctx, sessionID)
 	if err != nil {
 		logging.WithError(err).Error("error retrieving user sessions")
 		return err
 	}
-	if len(userIDs) == 0 {
+	if len(sessions) == 0 {
 		return nil
 	}
-	return o.command.HumansSignOut(ctx, userAgentID, userIDs)
+	return o.command.HumansSignOut(ctx, userAgentID, sessions)
 }
 
 func (o *OPStorage) RevokeToken(ctx context.Context, token, userID, clientID string) (err *oidc.Error) {
@@ -588,6 +588,7 @@ func (s *Server) authResponseToken(authReq *AuthRequest, authorizer op.Authorize
 		authReq.UserID,
 		authReq.UserOrgID,
 		client.client.ClientID,
+		client.client.BackChannelLogoutURI,
 		scope,
 		authReq.Audience,
 		authReq.AuthMethods(),

internal/api/oidc/key.go

@@ -348,7 +348,7 @@ func (o *OPStorage) getSigningKey(ctx context.Context) (op.SigningKey, error) {
 		return nil, err
 	}
 	if len(keys.Keys) > 0 {
-		return o.privateKeyToSigningKey(selectSigningKey(keys.Keys))
+		return PrivateKeyToSigningKey(SelectSigningKey(keys.Keys), o.encAlg)
 	}
 	var position float64
 	if keys.State != nil {
@@ -377,8 +377,8 @@ func (o *OPStorage) ensureIsLatestKey(ctx context.Context, position float64) (bo
 	return position >= maxSequence, nil
 }
 
-func (o *OPStorage) privateKeyToSigningKey(key query.PrivateKey) (_ op.SigningKey, err error) {
-	keyData, err := crypto.Decrypt(key.Key(), o.encAlg)
+func PrivateKeyToSigningKey(key query.PrivateKey, algorithm crypto.EncryptionAlgorithm) (_ op.SigningKey, err error) {
+	keyData, err := crypto.Decrypt(key.Key(), algorithm)
 	if err != nil {
 		return nil, err
 	}
@@ -430,7 +430,7 @@ func (o *OPStorage) getMaxKeySequence(ctx context.Context) (float64, error) {
 	)
 }
 
-func selectSigningKey(keys []query.PrivateKey) query.PrivateKey {
+func SelectSigningKey(keys []query.PrivateKey) query.PrivateKey {
 	return keys[len(keys)-1]
 }
 

internal/api/oidc/op.go

@@ -42,6 +42,7 @@ type Config struct {
 	DefaultLoginURLV2                 string
 	DefaultLogoutURLV2                string
 	PublicKeyCacheMaxAge              time.Duration
+	DefaultBackChannelLogoutLifetime  time.Duration
 }
 
 type EndpointConfig struct {

internal/api/oidc/server.go

@@ -167,6 +167,7 @@ func (s *Server) EndSession(ctx context.Context, r *op.Request[oidc.EndSessionRe
 
 func (s *Server) createDiscoveryConfig(ctx context.Context, supportedUILocales oidc.Locales) *oidc.DiscoveryConfiguration {
 	issuer := op.IssuerFromContext(ctx)
+	backChannelLogoutSupported := authz.GetInstance(ctx).Features().EnableBackChannelLogout
 
 	return &oidc.DiscoveryConfiguration{
 		Issuer:                      issuer,
@@ -199,6 +200,8 @@ func (s *Server) createDiscoveryConfig(ctx context.Context, supportedUILocales o
 		CodeChallengeMethodsSupported:                      op.CodeChallengeMethods(s.Provider()),
 		UILocalesSupported:                                 supportedUILocales,
 		RequestParameterSupported:                          s.Provider().RequestObjectSupported(),
+		BackChannelLogoutSupported:                         backChannelLogoutSupported,
+		BackChannelLogoutSessionSupported:                  backChannelLogoutSupported,
 	}
 }
 

internal/api/oidc/token.go

@@ -60,12 +60,19 @@ func (s *Server) accessTokenResponseFromSession(ctx context.Context, client op.C
 	return resp, err
 }
 
-// signerFunc is a getter function that allows add-hoc retrieval of the instance's signer.
-type signerFunc func(ctx context.Context) (jose.Signer, jose.SignatureAlgorithm, error)
+// SignerFunc is a getter function that allows add-hoc retrieval of the instance's signer.
+type SignerFunc func(ctx context.Context) (jose.Signer, jose.SignatureAlgorithm, error)
 
-// getSignerOnce returns a function which retrieves the instance's signer from the database once.
+func (s *Server) getSignerOnce() SignerFunc {
+	return GetSignerOnce(s.query.GetActiveSigningWebKey, s.Provider().Storage().SigningKey)
+}
+
+// GetSignerOnce returns a function which retrieves the instance's signer from the database once.
 // Repeated calls of the returned function return the same results.
-func (s *Server) getSignerOnce() signerFunc {
+func GetSignerOnce(
+	getActiveSigningWebKey func(ctx context.Context) (*jose.JSONWebKey, error),
+	getSigningKey func(ctx context.Context) (op.SigningKey, error),
+) SignerFunc {
 	var (
 		once    sync.Once
 		signer  jose.Signer
@@ -79,7 +86,7 @@ func (s *Server) getSignerOnce() signerFunc {
 
 			if authz.GetFeatures(ctx).WebKey {
 				var webKey *jose.JSONWebKey
-				webKey, err = s.query.GetActiveSigningWebKey(ctx)
+				webKey, err = getActiveSigningWebKey(ctx)
 				if err != nil {
 					return
 				}
@@ -88,7 +95,7 @@ func (s *Server) getSignerOnce() signerFunc {
 			}
 
 			var signingKey op.SigningKey
-			signingKey, err = s.Provider().Storage().SigningKey(ctx)
+			signingKey, err = getSigningKey(ctx)
 			if err != nil {
 				return
 			}
@@ -126,7 +133,7 @@ func (s *Server) getUserInfo(userID, projectID string, projectRoleAssertion, use
 	}
 }
 
-func (*Server) createIDToken(ctx context.Context, client op.Client, getUserInfo userInfoFunc, roleAssertion bool, getSigningKey signerFunc, sessionID, accessToken string, audience []string, authMethods []domain.UserAuthMethodType, authTime time.Time, nonce string, actor *domain.TokenActor) (idToken string, exp uint64, err error) {
+func (*Server) createIDToken(ctx context.Context, client op.Client, getUserInfo userInfoFunc, roleAssertion bool, getSigningKey SignerFunc, sessionID, accessToken string, audience []string, authMethods []domain.UserAuthMethodType, authTime time.Time, nonce string, actor *domain.TokenActor) (idToken string, exp uint64, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
@@ -170,7 +177,7 @@ func timeToOIDCExpiresIn(exp time.Time) uint64 {
 	return uint64(time.Until(exp) / time.Second)
 }
 
-func (s *Server) createJWT(ctx context.Context, client op.Client, session *command.OIDCSession, getUserInfo userInfoFunc, assertRoles bool, getSigner signerFunc) (_ string, err error) {
+func (s *Server) createJWT(ctx context.Context, client op.Client, session *command.OIDCSession, getUserInfo userInfoFunc, assertRoles bool, getSigner SignerFunc) (_ string, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 

internal/api/oidc/token_client_credentials.go

@@ -35,6 +35,7 @@ func (s *Server) ClientCredentialsExchange(ctx context.Context, r *op.ClientRequ
 		client.userID,
 		client.resourceOwner,
 		client.clientID,
+		"", // backChannelLogoutURI not needed for service user session
 		scope,
 		domain.AddAudScopeToAudience(ctx, nil, r.Data.Scope),
 		[]domain.UserAuthMethodType{domain.UserAuthMethodTypePassword},

internal/api/oidc/token_code.go

@@ -75,6 +75,7 @@ func (s *Server) codeExchangeV1(ctx context.Context, client *Client, req *oidc.A
 		authReq.UserID,
 		authReq.UserOrgID,
 		client.client.ClientID,
+		client.client.BackChannelLogoutURI,
 		scope,
 		authReq.Audience,
 		authReq.AuthMethods(),

internal/api/oidc/token_exchange.go

@@ -288,6 +288,7 @@ func (s *Server) createExchangeAccessToken(
 		userID,
 		resourceOwner,
 		client.client.ClientID,
+		client.client.BackChannelLogoutURI,
 		scope,
 		audience,
 		authMethods,
@@ -315,7 +316,7 @@ func (s *Server) createExchangeJWT(
 	client *Client,
 	getUserInfo userInfoFunc,
 	roleAssertion bool,
-	getSigner signerFunc,
+	getSigner SignerFunc,
 	userID,
 	resourceOwner string,
 	audience,
@@ -333,6 +334,7 @@ func (s *Server) createExchangeJWT(
 		userID,
 		resourceOwner,
 		client.client.ClientID,
+		client.client.BackChannelLogoutURI,
 		scope,
 		audience,
 		authMethods,

internal/api/oidc/token_jwt_profile.go

@@ -45,6 +45,7 @@ func (s *Server) JWTProfile(ctx context.Context, r *op.Request[oidc.JWTProfileGr
 		client.userID,
 		client.resourceOwner,
 		client.clientID,
+		"", // backChannelLogoutURI not needed for service user session
 		scope,
 		domain.AddAudScopeToAudience(ctx, nil, r.Data.Scope),
 		[]domain.UserAuthMethodType{domain.UserAuthMethodTypePrivateKey},

internal/api/oidc/token_refresh.go

@@ -54,6 +54,7 @@ func (s *Server) refreshTokenV1(ctx context.Context, client *Client, r *op.Clien
 		refreshToken.UserID,
 		refreshToken.ResourceOwner,
 		refreshToken.ClientID,
+		"", // backChannelLogoutURI is not in refresh token view
 		scope,
 		refreshToken.Audience,
 		AMRToAuthMethodTypes(refreshToken.AuthMethodsReferences),