feat(OIDC): add back channel logout (#8837)

# Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
2025-08-11 21:07:31 +00:00 · 2024-10-31 15:57:17 +01:00
parent 9cf67f30b8
commit 041af26917
87 changed files with 1778 additions and 280 deletions
--- a/internal/query/projection/app_test.go
+++ b/internal/query/projection/app_test.go
@@ -558,7 +558,8 @@ func TestAppProjection_reduces(t *testing.T) {
                        "idTokenUserinfoAssertion": true,
                        "clockSkew": 1000,
                        "additionalOrigins": ["origin.one.ch", "origin.two.ch"],
-						"skipNativeAppSuccessPage": true
+						"skipNativeAppSuccessPage": true,
+						"backChannelLogoutURI": "back.channel.one.ch"
 		}`),
 					), project.OIDCConfigAddedEventMapper),
 			},
@@ -569,7 +570,7 @@ func TestAppProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.apps7_oidc_configs (app_id, instance_id, version, client_id, client_secret, redirect_uris, response_types, grant_types, application_type, auth_method_type, post_logout_redirect_uris, is_dev_mode, access_token_type, access_token_role_assertion, id_token_role_assertion, id_token_userinfo_assertion, clock_skew, additional_origins, skip_native_app_success_page) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19)",
+							expectedStmt: "INSERT INTO projections.apps7_oidc_configs (app_id, instance_id, version, client_id, client_secret, redirect_uris, response_types, grant_types, application_type, auth_method_type, post_logout_redirect_uris, is_dev_mode, access_token_type, access_token_role_assertion, id_token_role_assertion, id_token_userinfo_assertion, clock_skew, additional_origins, skip_native_app_success_page, back_channel_logout_uri) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20)",
 							expectedArgs: []interface{}{
 								"app-id",
 								"instance-id",
@@ -590,6 +591,7 @@ func TestAppProjection_reduces(t *testing.T) {
 								1 * time.Microsecond,
 								database.TextArray[string]{"origin.one.ch", "origin.two.ch"},
 								true,
+								"back.channel.one.ch",
 							},
 						},
 						{
@@ -630,7 +632,8 @@ func TestAppProjection_reduces(t *testing.T) {
                        "idTokenUserinfoAssertion": true,
                        "clockSkew": 1000,
                        "additionalOrigins": ["origin.one.ch", "origin.two.ch"],
-						"skipNativeAppSuccessPage": true
+						"skipNativeAppSuccessPage": true,
+						"backChannelLogoutURI": "back.channel.one.ch"
 		}`),
 					), project.OIDCConfigAddedEventMapper),
 			},
@@ -641,7 +644,7 @@ func TestAppProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.apps7_oidc_configs (app_id, instance_id, version, client_id, client_secret, redirect_uris, response_types, grant_types, application_type, auth_method_type, post_logout_redirect_uris, is_dev_mode, access_token_type, access_token_role_assertion, id_token_role_assertion, id_token_userinfo_assertion, clock_skew, additional_origins, skip_native_app_success_page) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19)",
+							expectedStmt: "INSERT INTO projections.apps7_oidc_configs (app_id, instance_id, version, client_id, client_secret, redirect_uris, response_types, grant_types, application_type, auth_method_type, post_logout_redirect_uris, is_dev_mode, access_token_type, access_token_role_assertion, id_token_role_assertion, id_token_userinfo_assertion, clock_skew, additional_origins, skip_native_app_success_page, back_channel_logout_uri) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20)",
 							expectedArgs: []interface{}{
 								"app-id",
 								"instance-id",
@@ -662,6 +665,7 @@ func TestAppProjection_reduces(t *testing.T) {
 								1 * time.Microsecond,
 								database.TextArray[string]{"origin.one.ch", "origin.two.ch"},
 								true,
+								"back.channel.one.ch",
 							},
 						},
 						{
@@ -700,8 +704,8 @@ func TestAppProjection_reduces(t *testing.T) {
                        "idTokenUserinfoAssertion": true,
                        "clockSkew": 1000,
                        "additionalOrigins": ["origin.one.ch", "origin.two.ch"],
-						"skipNativeAppSuccessPage": true
-
+						"skipNativeAppSuccessPage": true,
+						"backChannelLogoutURI": "back.channel.one.ch"
 		}`),
 					), project.OIDCConfigChangedEventMapper),
 			},
@@ -712,7 +716,7 @@ func TestAppProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.apps7_oidc_configs SET (version, redirect_uris, response_types, grant_types, application_type, auth_method_type, post_logout_redirect_uris, is_dev_mode, access_token_type, access_token_role_assertion, id_token_role_assertion, id_token_userinfo_assertion, clock_skew, additional_origins, skip_native_app_success_page) = ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15) WHERE (app_id = $16) AND (instance_id = $17)",
+							expectedStmt: "UPDATE projections.apps7_oidc_configs SET (version, redirect_uris, response_types, grant_types, application_type, auth_method_type, post_logout_redirect_uris, is_dev_mode, access_token_type, access_token_role_assertion, id_token_role_assertion, id_token_userinfo_assertion, clock_skew, additional_origins, skip_native_app_success_page, back_channel_logout_uri) = ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16) WHERE (app_id = $17) AND (instance_id = $18)",
 							expectedArgs: []interface{}{
 								domain.OIDCVersionV1,
 								database.TextArray[string]{"redirect.one.ch", "redirect.two.ch"},
@@ -729,6 +733,7 @@ func TestAppProjection_reduces(t *testing.T) {
 								1 * time.Microsecond,
 								database.TextArray[string]{"origin.one.ch", "origin.two.ch"},
 								true,
+								"back.channel.one.ch",
 								"app-id",
 								"instance-id",
 							},