feat(OIDC): add back channel logout (#8837)

# Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
2025-08-11 19:17:32 +00:00 · 2024-10-31 15:57:17 +01:00
parent 9cf67f30b8
commit 041af26917
87 changed files with 1778 additions and 280 deletions
--- a/internal/notification/senders/security_event_token.go
+++ b/internal/notification/senders/security_event_token.go
@@ -0,0 +1,49 @@
+package senders
+
+import (
+	"context"
+
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/notification/channels"
+	"github.com/zitadel/zitadel/internal/notification/channels/fs"
+	"github.com/zitadel/zitadel/internal/notification/channels/instrumenting"
+	"github.com/zitadel/zitadel/internal/notification/channels/log"
+	"github.com/zitadel/zitadel/internal/notification/channels/set"
+)
+
+const setSpanName = "security_event_token.NotificationChannel"
+
+func SecurityEventTokenChannels(
+	ctx context.Context,
+	setConfig set.Config,
+	getFileSystemProvider func(ctx context.Context) (*fs.Config, error),
+	getLogProvider func(ctx context.Context) (*log.Config, error),
+	successMetricName,
+	failureMetricName string,
+) (*Chain, error) {
+	if err := setConfig.Validate(); err != nil {
+		return nil, err
+	}
+	channels := make([]channels.NotificationChannel, 0, 3)
+	setChannel, err := set.InitChannel(ctx, setConfig)
+	logging.WithFields(
+		"instance", authz.GetInstance(ctx).InstanceID(),
+		"callurl", setConfig.CallURL,
+	).OnError(err).Debug("initializing SET channel failed")
+	if err == nil {
+		channels = append(
+			channels,
+			instrumenting.Wrap(
+				ctx,
+				setChannel,
+				setSpanName,
+				successMetricName,
+				failureMetricName,
+			),
+		)
+	}
+	channels = append(channels, debugChannels(ctx, getFileSystemProvider, getLogProvider)...)
+	return ChainChannels(channels...), nil
+}