mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-15 20:38:00 +00:00
041af26917
# Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
139 lines
4.5 KiB
Go
139 lines
4.5 KiB
Go
package query
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/feature"
|
|
feature_v1 "github.com/zitadel/zitadel/internal/repository/feature"
|
|
"github.com/zitadel/zitadel/internal/repository/feature/feature_v2"
|
|
)
|
|
|
|
type InstanceFeaturesReadModel struct {
|
|
*eventstore.ReadModel
|
|
system *SystemFeatures
|
|
instance *InstanceFeatures
|
|
}
|
|
|
|
func NewInstanceFeaturesReadModel(ctx context.Context, system *SystemFeatures) *InstanceFeaturesReadModel {
|
|
instanceID := authz.GetInstance(ctx).InstanceID()
|
|
m := &InstanceFeaturesReadModel{
|
|
ReadModel: &eventstore.ReadModel{
|
|
AggregateID: instanceID,
|
|
ResourceOwner: instanceID,
|
|
},
|
|
instance: new(InstanceFeatures),
|
|
system: system,
|
|
}
|
|
m.populateFromSystem()
|
|
return m
|
|
}
|
|
|
|
func (m *InstanceFeaturesReadModel) Reduce() (err error) {
|
|
for _, event := range m.Events {
|
|
switch e := event.(type) {
|
|
case *feature_v2.ResetEvent:
|
|
m.reduceReset()
|
|
case *feature_v1.SetEvent[feature_v1.Boolean]:
|
|
err = reduceInstanceFeatureSet(
|
|
m.instance,
|
|
feature_v1.DefaultLoginInstanceEventToV2(e),
|
|
)
|
|
case *feature_v2.SetEvent[bool]:
|
|
err = reduceInstanceFeatureSet(m.instance, e)
|
|
case *feature_v2.SetEvent[[]feature.ImprovedPerformanceType]:
|
|
err = reduceInstanceFeatureSet(m.instance, e)
|
|
}
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
return m.ReadModel.Reduce()
|
|
}
|
|
|
|
func (m *InstanceFeaturesReadModel) Query() *eventstore.SearchQueryBuilder {
|
|
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
AwaitOpenTransactions().
|
|
AddQuery().
|
|
AggregateTypes(feature_v2.AggregateType).
|
|
EventTypes(
|
|
feature_v1.DefaultLoginInstanceEventType,
|
|
feature_v2.InstanceResetEventType,
|
|
feature_v2.InstanceLoginDefaultOrgEventType,
|
|
feature_v2.InstanceTriggerIntrospectionProjectionsEventType,
|
|
feature_v2.InstanceLegacyIntrospectionEventType,
|
|
feature_v2.InstanceUserSchemaEventType,
|
|
feature_v2.InstanceTokenExchangeEventType,
|
|
feature_v2.InstanceActionsEventType,
|
|
feature_v2.InstanceImprovedPerformanceEventType,
|
|
feature_v2.InstanceWebKeyEventType,
|
|
feature_v2.InstanceDebugOIDCParentErrorEventType,
|
|
feature_v2.InstanceOIDCSingleV1SessionTerminationEventType,
|
|
feature_v2.InstanceDisableUserTokenEvent,
|
|
feature_v2.InstanceEnableBackChannelLogout,
|
|
).
|
|
Builder().ResourceOwner(m.ResourceOwner)
|
|
}
|
|
|
|
func (m *InstanceFeaturesReadModel) reduceReset() {
|
|
if m.populateFromSystem() {
|
|
return
|
|
}
|
|
m.instance = nil
|
|
m.instance = new(InstanceFeatures)
|
|
}
|
|
|
|
func (m *InstanceFeaturesReadModel) populateFromSystem() bool {
|
|
if m.system == nil {
|
|
return false
|
|
}
|
|
m.instance.LoginDefaultOrg = m.system.LoginDefaultOrg
|
|
m.instance.TriggerIntrospectionProjections = m.system.TriggerIntrospectionProjections
|
|
m.instance.LegacyIntrospection = m.system.LegacyIntrospection
|
|
m.instance.UserSchema = m.system.UserSchema
|
|
m.instance.TokenExchange = m.system.TokenExchange
|
|
m.instance.Actions = m.system.Actions
|
|
m.instance.ImprovedPerformance = m.system.ImprovedPerformance
|
|
m.instance.OIDCSingleV1SessionTermination = m.system.OIDCSingleV1SessionTermination
|
|
m.instance.DisableUserTokenEvent = m.system.DisableUserTokenEvent
|
|
m.instance.EnableBackChannelLogout = m.system.EnableBackChannelLogout
|
|
return true
|
|
}
|
|
|
|
func reduceInstanceFeatureSet[T any](features *InstanceFeatures, event *feature_v2.SetEvent[T]) error {
|
|
level, key, err := event.FeatureInfo()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
switch key {
|
|
case feature.KeyUnspecified:
|
|
return nil
|
|
case feature.KeyLoginDefaultOrg:
|
|
features.LoginDefaultOrg.set(level, event.Value)
|
|
case feature.KeyTriggerIntrospectionProjections:
|
|
features.TriggerIntrospectionProjections.set(level, event.Value)
|
|
case feature.KeyLegacyIntrospection:
|
|
features.LegacyIntrospection.set(level, event.Value)
|
|
case feature.KeyUserSchema:
|
|
features.UserSchema.set(level, event.Value)
|
|
case feature.KeyTokenExchange:
|
|
features.TokenExchange.set(level, event.Value)
|
|
case feature.KeyActions:
|
|
features.Actions.set(level, event.Value)
|
|
case feature.KeyImprovedPerformance:
|
|
features.ImprovedPerformance.set(level, event.Value)
|
|
case feature.KeyWebKey:
|
|
features.WebKey.set(level, event.Value)
|
|
case feature.KeyDebugOIDCParentError:
|
|
features.DebugOIDCParentError.set(level, event.Value)
|
|
case feature.KeyOIDCSingleV1SessionTermination:
|
|
features.OIDCSingleV1SessionTermination.set(level, event.Value)
|
|
case feature.KeyDisableUserTokenEvent:
|
|
features.DisableUserTokenEvent.set(level, event.Value)
|
|
case feature.KeyEnableBackChannelLogout:
|
|
features.EnableBackChannelLogout.set(level, event.Value)
|
|
}
|
|
return nil
|
|
}
|