mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-14 20:08:02 +00:00
041af26917
# Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
104 lines
3.7 KiB
Go
104 lines
3.7 KiB
Go
package oidc
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"slices"
|
|
|
|
"github.com/zitadel/oidc/v3/pkg/oidc"
|
|
"github.com/zitadel/oidc/v3/pkg/op"
|
|
|
|
"github.com/zitadel/zitadel/internal/command"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
func (s *Server) RefreshToken(ctx context.Context, r *op.ClientRequest[oidc.RefreshTokenRequest]) (_ *op.Response, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() {
|
|
span.EndWithError(err)
|
|
err = oidcError(err)
|
|
}()
|
|
|
|
client, ok := r.Client.(*Client)
|
|
if !ok {
|
|
return nil, zerrors.ThrowInternal(nil, "OIDC-ga0EP", "Error.Internal")
|
|
}
|
|
|
|
session, err := s.command.ExchangeOIDCSessionRefreshAndAccessToken(ctx, r.Data.RefreshToken, r.Data.Scopes, refreshTokenComplianceChecker())
|
|
if err == nil {
|
|
return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion))
|
|
} else if errors.Is(err, zerrors.ThrowPreconditionFailed(nil, "OIDCS-JOI23", "Errors.OIDCSession.RefreshTokenInvalid")) {
|
|
// We try again for v1 tokens when we encountered specific parsing error
|
|
return s.refreshTokenV1(ctx, client, r)
|
|
}
|
|
return nil, err
|
|
}
|
|
|
|
// refreshTokenV1 verifies a v1 refresh token.
|
|
// When valid a v2 OIDC session is created and v2 tokens are returned.
|
|
// This "upgrades" existing v1 sessions to v2 session without requiring users to re-login.
|
|
//
|
|
// This function can be removed when we retire the v1 token repo.
|
|
func (s *Server) refreshTokenV1(ctx context.Context, client *Client, r *op.ClientRequest[oidc.RefreshTokenRequest]) (_ *op.Response, err error) {
|
|
refreshToken, err := s.repo.RefreshTokenByToken(ctx, r.Data.RefreshToken)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
scope, err := validateRefreshTokenScopes(refreshToken.Scopes, r.Data.Scopes)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
session, err := s.command.CreateOIDCSession(ctx,
|
|
refreshToken.UserID,
|
|
refreshToken.ResourceOwner,
|
|
refreshToken.ClientID,
|
|
"", // backChannelLogoutURI is not in refresh token view
|
|
scope,
|
|
refreshToken.Audience,
|
|
AMRToAuthMethodTypes(refreshToken.AuthMethodsReferences),
|
|
refreshToken.AuthTime,
|
|
"",
|
|
nil, // Preferred language not in refresh token view
|
|
&domain.UserAgent{
|
|
FingerprintID: &refreshToken.UserAgentID,
|
|
Description: &refreshToken.UserAgentID,
|
|
},
|
|
domain.TokenReasonRefresh,
|
|
refreshToken.Actor,
|
|
true,
|
|
"",
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// make sure the v1 refresh token can't be reused.
|
|
_, err = s.command.RevokeRefreshToken(ctx, refreshToken.UserID, refreshToken.ResourceOwner, refreshToken.ID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion))
|
|
}
|
|
|
|
// refreshTokenComplianceChecker validates that the requested scope is a subset of the original auth request scope.
|
|
func refreshTokenComplianceChecker() command.RefreshTokenComplianceChecker {
|
|
return func(_ context.Context, model *command.OIDCSessionWriteModel, requestedScope []string) ([]string, error) {
|
|
return validateRefreshTokenScopes(model.Scope, requestedScope)
|
|
}
|
|
}
|
|
|
|
func validateRefreshTokenScopes(currentScope, requestedScope []string) ([]string, error) {
|
|
if len(requestedScope) == 0 {
|
|
return currentScope, nil
|
|
}
|
|
for _, s := range requestedScope {
|
|
if !slices.Contains(currentScope, s) {
|
|
return nil, oidc.ErrInvalidScope()
|
|
}
|
|
}
|
|
return requestedScope, nil
|
|
}
|