feat(OIDC): add back channel logout (#8837)

# Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
2025-08-11 18:17:35 +00:00 · 2024-10-31 15:57:17 +01:00
parent 9cf67f30b8
commit 041af26917
87 changed files with 1778 additions and 280 deletions
--- a/internal/repository/feature/feature_v2/eventstore.go
+++ b/internal/repository/feature/feature_v2/eventstore.go
@@ -16,6 +16,7 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemImprovedPerformanceEventType, eventstore.GenericEventMapper[SetEvent[[]feature.ImprovedPerformanceType]])
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemOIDCSingleV1SessionTerminationEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemDisableUserTokenEvent, eventstore.GenericEventMapper[SetEvent[bool]])
+	eventstore.RegisterFilterEventMapper(AggregateType, SystemEnableBackChannelLogout, eventstore.GenericEventMapper[SetEvent[bool]])

 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceResetEventType, eventstore.GenericEventMapper[ResetEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceLoginDefaultOrgEventType, eventstore.GenericEventMapper[SetEvent[bool]])
@@ -29,4 +30,5 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceDebugOIDCParentErrorEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceOIDCSingleV1SessionTerminationEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceDisableUserTokenEvent, eventstore.GenericEventMapper[SetEvent[bool]])
+	eventstore.RegisterFilterEventMapper(AggregateType, InstanceEnableBackChannelLogout, eventstore.GenericEventMapper[SetEvent[bool]])
 }
--- a/internal/repository/feature/feature_v2/feature.go
+++ b/internal/repository/feature/feature_v2/feature.go
@@ -21,6 +21,7 @@ var (
 	SystemImprovedPerformanceEventType             = setEventTypeFromFeature(feature.LevelSystem, feature.KeyImprovedPerformance)
 	SystemOIDCSingleV1SessionTerminationEventType  = setEventTypeFromFeature(feature.LevelSystem, feature.KeyOIDCSingleV1SessionTermination)
 	SystemDisableUserTokenEvent                    = setEventTypeFromFeature(feature.LevelSystem, feature.KeyDisableUserTokenEvent)
+	SystemEnableBackChannelLogout                  = setEventTypeFromFeature(feature.LevelSystem, feature.KeyEnableBackChannelLogout)

 	InstanceResetEventType                           = resetEventTypeFromFeature(feature.LevelInstance)
 	InstanceLoginDefaultOrgEventType                 = setEventTypeFromFeature(feature.LevelInstance, feature.KeyLoginDefaultOrg)
@@ -34,6 +35,7 @@ var (
 	InstanceDebugOIDCParentErrorEventType            = setEventTypeFromFeature(feature.LevelInstance, feature.KeyDebugOIDCParentError)
 	InstanceOIDCSingleV1SessionTerminationEventType  = setEventTypeFromFeature(feature.LevelInstance, feature.KeyOIDCSingleV1SessionTermination)
 	InstanceDisableUserTokenEvent                    = setEventTypeFromFeature(feature.LevelInstance, feature.KeyDisableUserTokenEvent)
+	InstanceEnableBackChannelLogout                  = setEventTypeFromFeature(feature.LevelInstance, feature.KeyEnableBackChannelLogout)
 )

 const (
--- a/internal/repository/project/oidc_config.go
+++ b/internal/repository/project/oidc_config.go
@@ -43,6 +43,7 @@ type OIDCConfigAddedEvent struct {
 	ClockSkew                time.Duration              `json:"clockSkew,omitempty"`
 	AdditionalOrigins        []string                   `json:"additionalOrigins,omitempty"`
 	SkipNativeAppSuccessPage bool                       `json:"skipNativeAppSuccessPage,omitempty"`
+	BackChannelLogoutURI     string                     `json:"backChannelLogoutURI,omitempty"`
 }

 func (e *OIDCConfigAddedEvent) Payload() interface{} {
@@ -74,6 +75,7 @@ func NewOIDCConfigAddedEvent(
 	clockSkew time.Duration,
 	additionalOrigins []string,
 	skipNativeAppSuccessPage bool,
+	backChannelLogoutURI string,
 ) *OIDCConfigAddedEvent {
 	return &OIDCConfigAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -99,6 +101,7 @@ func NewOIDCConfigAddedEvent(
 		ClockSkew:                clockSkew,
 		AdditionalOrigins:        additionalOrigins,
 		SkipNativeAppSuccessPage: skipNativeAppSuccessPage,
+		BackChannelLogoutURI:     backChannelLogoutURI,
 	}
 }

@@ -184,7 +187,10 @@ func (e *OIDCConfigAddedEvent) Validate(cmd eventstore.Command) bool {
 			return false
 		}
 	}
-	return e.SkipNativeAppSuccessPage == c.SkipNativeAppSuccessPage
+	if e.SkipNativeAppSuccessPage != c.SkipNativeAppSuccessPage {
+		return false
+	}
+	return e.BackChannelLogoutURI == c.BackChannelLogoutURI
 }

 func OIDCConfigAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
@@ -219,6 +225,7 @@ type OIDCConfigChangedEvent struct {
 	ClockSkew                *time.Duration              `json:"clockSkew,omitempty"`
 	AdditionalOrigins        *[]string                   `json:"additionalOrigins,omitempty"`
 	SkipNativeAppSuccessPage *bool                       `json:"skipNativeAppSuccessPage,omitempty"`
+	BackChannelLogoutURI     *string                     `json:"backChannelLogoutURI,omitempty"`
 }

 func (e *OIDCConfigChangedEvent) Payload() interface{} {
@@ -345,6 +352,12 @@ func ChangeSkipNativeAppSuccessPage(skipNativeAppSuccessPage bool) func(event *O
 	}
 }

+func ChangeBackChannelLogoutURI(backChannelLogoutURI string) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.BackChannelLogoutURI = &backChannelLogoutURI
+	}
+}
+
 func OIDCConfigChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
 	e := &OIDCConfigChangedEvent{
 		BaseEvent: *eventstore.BaseEventFromRepo(event),
--- a/internal/repository/session/session.go
+++ b/internal/repository/session/session.go
@@ -659,6 +659,8 @@ func NewLifetimeSetEvent(

 type TerminateEvent struct {
 	eventstore.BaseEvent `json:"-"`
+
+	TriggerOrigin string `json:"triggerOrigin,omitempty"`
 }

 func (e *TerminateEvent) Payload() interface{} {
--- a/internal/repository/sessionlogout/aggregate.go
+++ b/internal/repository/sessionlogout/aggregate.go
@@ -0,0 +1,26 @@
+package sessionlogout
+
+import (
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+const (
+	AggregateType    = "session_logout"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
+
+func NewAggregate(id, instanceID string) *Aggregate {
+	return &Aggregate{
+		Aggregate: eventstore.Aggregate{
+			Type:          AggregateType,
+			Version:       AggregateVersion,
+			ID:            id,
+			ResourceOwner: instanceID,
+			InstanceID:    instanceID,
+		},
+	}
+}
--- a/internal/repository/sessionlogout/events.go
+++ b/internal/repository/sessionlogout/events.go
@@ -0,0 +1,79 @@
+package sessionlogout
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+const (
+	eventTypePrefix                 = "session_logout."
+	backChannelEventTypePrefix      = eventTypePrefix + "back_channel."
+	BackChannelLogoutRegisteredType = backChannelEventTypePrefix + "registered"
+	BackChannelLogoutSentType       = backChannelEventTypePrefix + "sent"
+)
+
+type BackChannelLogoutRegisteredEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+
+	OIDCSessionID        string `json:"oidc_session_id"`
+	UserID               string `json:"user_id"`
+	ClientID             string `json:"client_id"`
+	BackChannelLogoutURI string `json:"back_channel_logout_uri"`
+}
+
+// Payload implements eventstore.Command.
+func (e *BackChannelLogoutRegisteredEvent) Payload() any {
+	return e
+}
+
+func (e *BackChannelLogoutRegisteredEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *BackChannelLogoutRegisteredEvent) SetBaseEvent(b *eventstore.BaseEvent) {
+	e.BaseEvent = b
+}
+
+func NewBackChannelLogoutRegisteredEvent(ctx context.Context, aggregate *eventstore.Aggregate, oidcSessionID, userID, clientID, backChannelLogoutURI string) *BackChannelLogoutRegisteredEvent {
+	return &BackChannelLogoutRegisteredEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			BackChannelLogoutRegisteredType,
+		),
+		OIDCSessionID:        oidcSessionID,
+		UserID:               userID,
+		ClientID:             clientID,
+		BackChannelLogoutURI: backChannelLogoutURI,
+	}
+}
+
+type BackChannelLogoutSentEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	OIDCSessionID string `json:"oidc_session_id"`
+}
+
+func (e *BackChannelLogoutSentEvent) Payload() interface{} {
+	return e
+}
+
+func (e *BackChannelLogoutSentEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *BackChannelLogoutSentEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = *event
+}
+
+func NewBackChannelLogoutSentEvent(ctx context.Context, aggregate *eventstore.Aggregate, oidcSessionID string) *BackChannelLogoutSentEvent {
+	return &BackChannelLogoutSentEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			BackChannelLogoutSentType,
+		),
+		OIDCSessionID: oidcSessionID,
+	}
+}
--- a/internal/repository/sessionlogout/eventstore.go
+++ b/internal/repository/sessionlogout/eventstore.go
@@ -0,0 +1,15 @@
+package sessionlogout
+
+import (
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+var (
+	BackChannelLogoutRegisteredEventMapper = eventstore.GenericEventMapper[BackChannelLogoutRegisteredEvent]
+	BackChannelLogoutSentEventMapper       = eventstore.GenericEventMapper[BackChannelLogoutSentEvent]
+)
+
+func init() {
+	eventstore.RegisterFilterEventMapper(AggregateType, BackChannelLogoutRegisteredType, BackChannelLogoutRegisteredEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, BackChannelLogoutSentType, BackChannelLogoutSentEventMapper)
+}
--- a/internal/repository/user/human.go
+++ b/internal/repository/user/human.go
@@ -517,7 +517,9 @@ func NewHumanInviteCheckFailedEvent(ctx context.Context, aggregate *eventstore.A
 type HumanSignedOutEvent struct {
 	eventstore.BaseEvent `json:"-"`

-	UserAgentID string `json:"userAgentID"`
+	UserAgentID       string `json:"userAgentID"`
+	SessionID         string `json:"sessionID,omitempty"`
+	TriggeredAtOrigin string `json:"triggerOrigin,omitempty"`
 }

 func (e *HumanSignedOutEvent) Payload() interface{} {
@@ -528,10 +530,15 @@ func (e *HumanSignedOutEvent) UniqueConstraints() []*eventstore.UniqueConstraint
 	return nil
 }

+func (e *HumanSignedOutEvent) TriggerOrigin() string {
+	return e.TriggeredAtOrigin
+}
+
 func NewHumanSignedOutEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
-	userAgentID string,
+	userAgentID,
+	sessionID string,
 ) *HumanSignedOutEvent {
 	return &HumanSignedOutEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -539,7 +546,9 @@ func NewHumanSignedOutEvent(
 			aggregate,
 			HumanSignedOutType,
 		),
-		UserAgentID: userAgentID,
+		UserAgentID:       userAgentID,
+		SessionID:         sessionID,
+		TriggeredAtOrigin: http.DomainContext(ctx).Origin(),
 	}
 }