feat(OIDC): add back channel logout (#8837)

# Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
2025-08-11 19:07:30 +00:00 · 2024-10-31 15:57:17 +01:00
parent 9cf67f30b8
commit 041af26917
87 changed files with 1778 additions and 280 deletions
--- a/internal/command/user_human_test.go
+++ b/internal/command/user_human_test.go
@@ -3123,9 +3123,9 @@ func TestCommandSide_HumanSignOut(t *testing.T) {
 	}
 	type (
 		args struct {
-			ctx     context.Context
-			agentID string
-			userIDs []string
+			ctx      context.Context
+			agentID  string
+			sessions []HumanSignOutSession
 		}
 	)
 	type res struct {
@@ -3144,9 +3144,9 @@ func TestCommandSide_HumanSignOut(t *testing.T) {
 				eventstore: expectEventstore(),
 			},
 			args: args{
-				ctx:     context.Background(),
-				agentID: "",
-				userIDs: []string{"user1"},
+				ctx:      context.Background(),
+				agentID:  "",
+				sessions: []HumanSignOutSession{{ID: "session1", UserID: "user1"}},
 			},
 			res: res{
 				err: zerrors.IsErrorInvalidArgument,
@@ -3158,9 +3158,9 @@ func TestCommandSide_HumanSignOut(t *testing.T) {
 				eventstore: expectEventstore(),
 			},
 			args: args{
-				ctx:     context.Background(),
-				agentID: "agent1",
-				userIDs: []string{},
+				ctx:      context.Background(),
+				agentID:  "agent1",
+				sessions: []HumanSignOutSession{},
 			},
 			res: res{
 				err: zerrors.IsErrorInvalidArgument,
@@ -3174,9 +3174,9 @@ func TestCommandSide_HumanSignOut(t *testing.T) {
 				),
 			},
 			args: args{
-				ctx:     context.Background(),
-				agentID: "agent1",
-				userIDs: []string{"user1"},
+				ctx:      context.Background(),
+				agentID:  "agent1",
+				sessions: []HumanSignOutSession{{ID: "session1", UserID: "user1"}},
 			},
 			res: res{},
 		},
@@ -3204,14 +3204,15 @@ func TestCommandSide_HumanSignOut(t *testing.T) {
 						user.NewHumanSignedOutEvent(context.Background(),
 							&user.NewAggregate("user1", "org1").Aggregate,
 							"agent1",
+							"session1",
 						),
 					),
 				),
 			},
 			args: args{
-				ctx:     context.Background(),
-				agentID: "agent1",
-				userIDs: []string{"user1"},
+				ctx:      context.Background(),
+				agentID:  "agent1",
+				sessions: []HumanSignOutSession{{ID: "session1", UserID: "user1"}},
 			},
 			res: res{
 				want: &domain.ObjectDetails{
@@ -3259,18 +3260,20 @@ func TestCommandSide_HumanSignOut(t *testing.T) {
 						user.NewHumanSignedOutEvent(context.Background(),
 							&user.NewAggregate("user1", "org1").Aggregate,
 							"agent1",
+							"session1",
 						),
 						user.NewHumanSignedOutEvent(context.Background(),
 							&user.NewAggregate("user2", "org1").Aggregate,
 							"agent1",
+							"session2",
 						),
 					),
 				),
 			},
 			args: args{
-				ctx:     context.Background(),
-				agentID: "agent1",
-				userIDs: []string{"user1", "user2"},
+				ctx:      context.Background(),
+				agentID:  "agent1",
+				sessions: []HumanSignOutSession{{ID: "session1", UserID: "user1"}, {ID: "session2", UserID: "user2"}},
 			},
 			res: res{
 				want: &domain.ObjectDetails{
@@ -3284,7 +3287,7 @@ func TestCommandSide_HumanSignOut(t *testing.T) {
 			r := &Commands{
 				eventstore: tt.fields.eventstore(t),
 			}
-			err := r.HumansSignOut(tt.args.ctx, tt.args.agentID, tt.args.userIDs)
+			err := r.HumansSignOut(tt.args.ctx, tt.args.agentID, tt.args.sessions)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}