TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 20:47:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(OIDC): add back channel logout (#8837)

Browse Source 
# Which Problems Are Solved

Currently ZITADEL supports RP-initiated logout for clients. Back-channel
logout ensures that user sessions are terminated across all connected
applications, even if the user closes their browser or loses
connectivity providing a more secure alternative for certain use cases.

# How the Problems Are Solved

If the feature is activated and the client used for the authentication
has a back_channel_logout_uri configured, a
`session_logout.back_channel` will be registered. Once a user terminates
their session, a (notification) handler will send a SET (form POST) to
the registered uri containing a logout_token (with the user's ID and
session ID).

- A new feature "back_channel_logout" is added on system and instance
level
- A `back_channel_logout_uri` can be managed on OIDC applications
- Added a `session_logout` aggregate to register and inform about sent
`back_channel` notifications
- Added a `SecurityEventToken` channel and `Form`message type in the
notification handlers
- Added `TriggeredAtOrigin` fields to `HumanSignedOut` and
`TerminateSession` events for notification handling
- Exported various functions and types in the `oidc` package to be able
to reuse for token signing in the back_channel notifier.
- To prevent that current existing session termination events will be
handled, a setup step is added to set the `current_states` for the
`projections.notifications_back_channel_logout` to the current position

- [x] requires https://github.com/zitadel/oidc/pull/671

# Additional Changes

- Updated all OTEL dependencies to v1.29.0, since OIDC already updated
some of them to that version.
- Single Session Termination feature is correctly checked (fixed feature
mapping)

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/8467
- TODO:
  - Documentation
  - UI to be done: https://github.com/zitadel/zitadel/issues/8469

---------

Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
This commit is contained in:
Livio Spring
2024-10-31 15:57:17 +01:00
committed by GitHub
parent 9cf67f30b8
commit 041af26917
87 changed files with 1778 additions and 280 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
internal/query/app_test.go
View File

@@ -48,6 +48,7 @@ var (
` projections.apps7_oidc_configs.clock_skew,` +
` projections.apps7_oidc_configs.additional_origins,` +
` projections.apps7_oidc_configs.skip_native_app_success_page,` +
` projections.apps7_oidc_configs.back_channel_logout_uri,` +
//saml config
` projections.apps7_saml_configs.app_id,` +
` projections.apps7_saml_configs.entity_id,` +
@@ -91,6 +92,7 @@ var (
` projections.apps7_oidc_configs.clock_skew,` +
` projections.apps7_oidc_configs.additional_origins,` +
` projections.apps7_oidc_configs.skip_native_app_success_page,` +
` projections.apps7_oidc_configs.back_channel_logout_uri,` +
//saml config
` projections.apps7_saml_configs.app_id,` +
` projections.apps7_saml_configs.entity_id,` +
@@ -163,6 +165,7 @@ var (
"clock_skew",
"additional_origins",
"skip_native_app_success_page",
"back_channel_logout_uri",
//saml config
"app_id",
"entity_id",
@@ -234,6 +237,7 @@ func Test_AppsPrepare(t *testing.T) {
nil,
nil,
nil,
nil,
// saml config
nil,
nil,
@@ -300,6 +304,7 @@ func Test_AppsPrepare(t *testing.T) {
nil,
nil,
nil,
nil,
// saml config
nil,
nil,
@@ -369,6 +374,7 @@ func Test_AppsPrepare(t *testing.T) {
nil,
nil,
nil,
nil,
// saml config
"app-id",
"https://test.com/saml/metadata",
@@ -440,6 +446,7 @@ func Test_AppsPrepare(t *testing.T) {
1 * time.Second,
database.TextArray[string]{"additional.origin"},
false,
"back.channel.logout.ch",
// saml config
nil,
nil,
@@ -482,6 +489,7 @@ func Test_AppsPrepare(t *testing.T) {
ComplianceProblems: nil,
AllowedOrigins: database.TextArray[string]{"https://redirect.to", "additional.origin"},
SkipNativeAppSuccessPage: false,
BackChannelLogoutURI: "back.channel.logout.ch",
},
},
},
@@ -526,6 +534,7 @@ func Test_AppsPrepare(t *testing.T) {
1 * time.Second,
database.TextArray[string]{"additional.origin"},
false,
"back.channel.logout.ch",
// saml config
nil,
nil,
@@ -568,6 +577,7 @@ func Test_AppsPrepare(t *testing.T) {
ComplianceProblems: nil,
AllowedOrigins: database.TextArray[string]{"https://redirect.to", "additional.origin"},
SkipNativeAppSuccessPage: false,
BackChannelLogoutURI: "back.channel.logout.ch",
},
},
},
@@ -612,6 +622,7 @@ func Test_AppsPrepare(t *testing.T) {
1 * time.Second,
database.TextArray[string]{"additional.origin"},
false,
"back.channel.logout.ch",
// saml config
nil,
nil,
@@ -654,6 +665,7 @@ func Test_AppsPrepare(t *testing.T) {
ComplianceProblems: nil,
AllowedOrigins: database.TextArray[string]{"https://redirect.to", "additional.origin"},
SkipNativeAppSuccessPage: false,
BackChannelLogoutURI: "back.channel.logout.ch",
},
},
},
@@ -698,6 +710,7 @@ func Test_AppsPrepare(t *testing.T) {
1 * time.Second,
database.TextArray[string]{"additional.origin"},
false,
"back.channel.logout.ch",
// saml config
nil,
nil,
@@ -740,6 +753,7 @@ func Test_AppsPrepare(t *testing.T) {
ComplianceProblems: nil,
AllowedOrigins: database.TextArray[string]{"https://redirect.to", "additional.origin"},
SkipNativeAppSuccessPage: false,
BackChannelLogoutURI: "back.channel.logout.ch",
},
},
},
@@ -784,6 +798,7 @@ func Test_AppsPrepare(t *testing.T) {
1 * time.Second,
database.TextArray[string]{"additional.origin"},
false,
"back.channel.logout.ch",
// saml config
nil,
nil,
@@ -826,6 +841,7 @@ func Test_AppsPrepare(t *testing.T) {
ComplianceProblems: nil,
AllowedOrigins: database.TextArray[string]{"https://redirect.to", "additional.origin"},
SkipNativeAppSuccessPage: false,
BackChannelLogoutURI: "back.channel.logout.ch",
},
},
},
@@ -870,6 +886,7 @@ func Test_AppsPrepare(t *testing.T) {
1 * time.Second,
database.TextArray[string]{"additional.origin"},
true,
"back.channel.logout.ch",
// saml config
nil,
nil,
@@ -912,6 +929,7 @@ func Test_AppsPrepare(t *testing.T) {
ComplianceProblems: nil,
AllowedOrigins: database.TextArray[string]{"https://redirect.to", "additional.origin"},
SkipNativeAppSuccessPage: true,
BackChannelLogoutURI: "back.channel.logout.ch",
},
},
},
@@ -956,6 +974,7 @@ func Test_AppsPrepare(t *testing.T) {
1 * time.Second,
database.TextArray[string]{"additional.origin"},
false,
"back.channel.logout.ch",
// saml config
nil,
nil,
@@ -993,6 +1012,7 @@ func Test_AppsPrepare(t *testing.T) {
nil,
nil,
nil,
nil,
// saml config
nil,
nil,
@@ -1030,6 +1050,7 @@ func Test_AppsPrepare(t *testing.T) {
nil,
nil,
nil,
nil,
// saml config
"saml-app-id",
"https://test.com/saml/metadata",
@@ -1072,6 +1093,7 @@ func Test_AppsPrepare(t *testing.T) {
ComplianceProblems: nil,
AllowedOrigins: database.TextArray[string]{"https://redirect.to", "additional.origin"},
SkipNativeAppSuccessPage: false,
BackChannelLogoutURI: "back.channel.logout.ch",
},
},
{
@@ -1205,6 +1227,7 @@ func Test_AppPrepare(t *testing.T) {
nil,
nil,
nil,
nil,
// saml config
nil,
nil,
@@ -1265,6 +1288,7 @@ func Test_AppPrepare(t *testing.T) {
nil,
nil,
nil,
nil,
// saml config
nil,
nil,
@@ -1330,6 +1354,7 @@ func Test_AppPrepare(t *testing.T) {
1 * time.Second,
database.TextArray[string]{"additional.origin"},
false,
"back.channel.logout.ch",
// saml config
nil,
nil,
@@ -1367,6 +1392,7 @@ func Test_AppPrepare(t *testing.T) {
ComplianceProblems: nil,
AllowedOrigins: database.TextArray[string]{"https://redirect.to", "additional.origin"},
SkipNativeAppSuccessPage: false,
BackChannelLogoutURI: "back.channel.logout.ch",
},
},
},
@@ -1411,6 +1437,7 @@ func Test_AppPrepare(t *testing.T) {
1 * time.Second,
database.TextArray[string]{"additional.origin"},
false,
"back.channel.logout.ch",
// saml config
nil,
nil,
@@ -1448,6 +1475,7 @@ func Test_AppPrepare(t *testing.T) {
ComplianceProblems: nil,
AllowedOrigins: database.TextArray[string]{"https://redirect.to", "additional.origin"},
SkipNativeAppSuccessPage: false,
BackChannelLogoutURI: "back.channel.logout.ch",
},
},
},
@@ -1492,6 +1520,7 @@ func Test_AppPrepare(t *testing.T) {
nil,
nil,
nil,
nil,
// saml config
"app-id",
"https://test.com/saml/metadata",
@@ -1558,6 +1587,7 @@ func Test_AppPrepare(t *testing.T) {
1 * time.Second,
database.TextArray[string]{"additional.origin"},
false,
"back.channel.logout.ch",
// saml config
nil,
nil,
@@ -1595,6 +1625,7 @@ func Test_AppPrepare(t *testing.T) {
ComplianceProblems: nil,
AllowedOrigins: database.TextArray[string]{"https://redirect.to", "additional.origin"},
SkipNativeAppSuccessPage: false,
BackChannelLogoutURI: "back.channel.logout.ch",
},
},
},
@@ -1639,6 +1670,7 @@ func Test_AppPrepare(t *testing.T) {
1 * time.Second,
database.TextArray[string]{"additional.origin"},
false,
"back.channel.logout.ch",
// saml config
nil,
nil,
@@ -1676,6 +1708,7 @@ func Test_AppPrepare(t *testing.T) {
ComplianceProblems: nil,
AllowedOrigins: database.TextArray[string]{"https://redirect.to", "additional.origin"},
SkipNativeAppSuccessPage: false,
BackChannelLogoutURI: "back.channel.logout.ch",
},
},
},
@@ -1720,6 +1753,7 @@ func Test_AppPrepare(t *testing.T) {
1 * time.Second,
database.TextArray[string]{"additional.origin"},
false,
"back.channel.logout.ch",
// saml config
nil,
nil,
@@ -1757,6 +1791,7 @@ func Test_AppPrepare(t *testing.T) {
ComplianceProblems: nil,
AllowedOrigins: database.TextArray[string]{"https://redirect.to", "additional.origin"},
SkipNativeAppSuccessPage: false,
BackChannelLogoutURI: "back.channel.logout.ch",
},
},
},
@@ -1801,6 +1836,7 @@ func Test_AppPrepare(t *testing.T) {
1 * time.Second,
database.TextArray[string]{"additional.origin"},
false,
"back.channel.logout.ch",
// saml config
nil,
nil,
@@ -1838,6 +1874,7 @@ func Test_AppPrepare(t *testing.T) {
ComplianceProblems: nil,
AllowedOrigins: database.TextArray[string]{"https://redirect.to", "additional.origin"},
SkipNativeAppSuccessPage: false,
BackChannelLogoutURI: "back.channel.logout.ch",
},
},
},