feat(OIDC): add back channel logout (#8837)

# Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
2025-08-12 03:07:31 +00:00 · 2024-10-31 15:57:17 +01:00
parent 9cf67f30b8
commit 041af26917
87 changed files with 1778 additions and 280 deletions
--- a/proto/zitadel/app.proto
+++ b/proto/zitadel/app.proto
@@ -168,6 +168,12 @@ message OIDCConfig {
            description: "Skip the successful login page on native apps and directly redirect the user to the callback.";
        }
    ];
+    string back_channel_logout_uri = 21 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "[\"https://example.com/auth/backchannel\"]";
+            description: "ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)";
+        }
+    ];
 }

 enum OIDCResponseType {
--- a/proto/zitadel/feature/v2/instance.proto
+++ b/proto/zitadel/feature/v2/instance.proto
@@ -86,6 +86,13 @@ message SetInstanceFeaturesRequest{
      description: "Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins";
    }
  ];
+
+  optional bool enable_back_channel_logout = 12 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "true";
+      description: "If the flag is enabled, you'll be able to use the OIDC Back-Channel Logout to be notified in your application about terminated user sessions.";
+    }
+  ];
 }

 message SetInstanceFeaturesResponse {
@@ -185,4 +192,11 @@ message GetInstanceFeaturesResponse {
      description: "Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins";
    }
  ];
+
+  FeatureFlag enable_back_channel_logout = 13 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "true";
+      description: "If the flag is enabled, you'll be able to use the OIDC Back-Channel Logout to be notified in your application about terminated user sessions.";
+    }
+  ];
 }
--- a/proto/zitadel/feature/v2/system.proto
+++ b/proto/zitadel/feature/v2/system.proto
@@ -75,6 +75,13 @@ message SetSystemFeaturesRequest{
      description: "Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins";
    }
  ];
+
+  optional bool enable_back_channel_logout = 10 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "true";
+      description: "If the flag is enabled, you'll be able to use the OIDC Back-Channel Logout to be notified in your application about terminated user sessions.";
+    }
+  ];
 }

 message SetSystemFeaturesResponse {
@@ -153,4 +160,11 @@ message GetSystemFeaturesResponse {
      description: "Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins";
    }
  ];
+
+  FeatureFlag enable_back_channel_logout = 11 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "true";
+      description: "If the flag is enabled, you'll be able to use the OIDC Back-Channel Logout to be notified in your application about terminated user sessions.";
+    }
+  ];
 }
--- a/proto/zitadel/management.proto
+++ b/proto/zitadel/management.proto
@@ -9802,6 +9802,12 @@ message AddOIDCAppRequest {
            description: "Skip the successful login page on native apps and directly redirect the user to the callback.";
        }
    ];
+    string back_channel_logout_uri = 18 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "[\"https://example.com/auth/backchannel\"]";
+            description: "ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)";
+        }
+    ];
 }

 message AddOIDCAppResponse {
@@ -9977,6 +9983,12 @@ message UpdateOIDCAppConfigRequest {
            description: "Skip the successful login page on native apps and directly redirect the user to the callback.";
        }
    ];
+    string back_channel_logout_uri = 17 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "[\"https://example.com/auth/backchannel\"]";
+            description: "ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)";
+        }
+    ];
 }

 message UpdateOIDCAppConfigResponse {