feat(OIDC): add back channel logout (#8837)

# Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
2025-08-11 21:27:42 +00:00 · 2024-10-31 15:57:17 +01:00
parent 9cf67f30b8
commit 041af26917
87 changed files with 1778 additions and 280 deletions
--- a/internal/repository/sessionlogout/events.go
+++ b/internal/repository/sessionlogout/events.go
@@ -0,0 +1,79 @@
+package sessionlogout
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+const (
+	eventTypePrefix                 = "session_logout."
+	backChannelEventTypePrefix      = eventTypePrefix + "back_channel."
+	BackChannelLogoutRegisteredType = backChannelEventTypePrefix + "registered"
+	BackChannelLogoutSentType       = backChannelEventTypePrefix + "sent"
+)
+
+type BackChannelLogoutRegisteredEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+
+	OIDCSessionID        string `json:"oidc_session_id"`
+	UserID               string `json:"user_id"`
+	ClientID             string `json:"client_id"`
+	BackChannelLogoutURI string `json:"back_channel_logout_uri"`
+}
+
+// Payload implements eventstore.Command.
+func (e *BackChannelLogoutRegisteredEvent) Payload() any {
+	return e
+}
+
+func (e *BackChannelLogoutRegisteredEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *BackChannelLogoutRegisteredEvent) SetBaseEvent(b *eventstore.BaseEvent) {
+	e.BaseEvent = b
+}
+
+func NewBackChannelLogoutRegisteredEvent(ctx context.Context, aggregate *eventstore.Aggregate, oidcSessionID, userID, clientID, backChannelLogoutURI string) *BackChannelLogoutRegisteredEvent {
+	return &BackChannelLogoutRegisteredEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			BackChannelLogoutRegisteredType,
+		),
+		OIDCSessionID:        oidcSessionID,
+		UserID:               userID,
+		ClientID:             clientID,
+		BackChannelLogoutURI: backChannelLogoutURI,
+	}
+}
+
+type BackChannelLogoutSentEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	OIDCSessionID string `json:"oidc_session_id"`
+}
+
+func (e *BackChannelLogoutSentEvent) Payload() interface{} {
+	return e
+}
+
+func (e *BackChannelLogoutSentEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func (e *BackChannelLogoutSentEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = *event
+}
+
+func NewBackChannelLogoutSentEvent(ctx context.Context, aggregate *eventstore.Aggregate, oidcSessionID string) *BackChannelLogoutSentEvent {
+	return &BackChannelLogoutSentEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			BackChannelLogoutSentType,
+		),
+		OIDCSessionID: oidcSessionID,
+	}
+}