mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-13 19:44:21 +00:00
041af26917
# Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
66 lines
2.2 KiB
Go
66 lines
2.2 KiB
Go
package feature
|
|
|
|
import "slices"
|
|
|
|
//go:generate enumer -type Key -transform snake -trimprefix Key
|
|
type Key int
|
|
|
|
const (
|
|
KeyUnspecified Key = iota
|
|
KeyLoginDefaultOrg
|
|
KeyTriggerIntrospectionProjections
|
|
KeyLegacyIntrospection
|
|
KeyUserSchema
|
|
KeyTokenExchange
|
|
KeyActions
|
|
KeyImprovedPerformance
|
|
KeyWebKey
|
|
KeyDebugOIDCParentError
|
|
KeyOIDCSingleV1SessionTermination
|
|
KeyDisableUserTokenEvent
|
|
KeyEnableBackChannelLogout
|
|
)
|
|
|
|
//go:generate enumer -type Level -transform snake -trimprefix Level
|
|
type Level int
|
|
|
|
const (
|
|
LevelUnspecified Level = iota
|
|
LevelSystem
|
|
LevelInstance
|
|
LevelOrg
|
|
LevelProject
|
|
LevelApp
|
|
LevelUser
|
|
)
|
|
|
|
type Features struct {
|
|
LoginDefaultOrg bool `json:"login_default_org,omitempty"`
|
|
TriggerIntrospectionProjections bool `json:"trigger_introspection_projections,omitempty"`
|
|
LegacyIntrospection bool `json:"legacy_introspection,omitempty"`
|
|
UserSchema bool `json:"user_schema,omitempty"`
|
|
TokenExchange bool `json:"token_exchange,omitempty"`
|
|
Actions bool `json:"actions,omitempty"`
|
|
ImprovedPerformance []ImprovedPerformanceType `json:"improved_performance,omitempty"`
|
|
WebKey bool `json:"web_key,omitempty"`
|
|
DebugOIDCParentError bool `json:"debug_oidc_parent_error,omitempty"`
|
|
OIDCSingleV1SessionTermination bool `json:"oidc_single_v1_session_termination,omitempty"`
|
|
DisableUserTokenEvent bool `json:"disable_user_token_event,omitempty"`
|
|
EnableBackChannelLogout bool `json:"enable_back_channel_logout,omitempty"`
|
|
}
|
|
|
|
type ImprovedPerformanceType int32
|
|
|
|
const (
|
|
ImprovedPerformanceTypeUnknown = iota
|
|
ImprovedPerformanceTypeOrgByID
|
|
ImprovedPerformanceTypeProjectGrant
|
|
ImprovedPerformanceTypeProject
|
|
ImprovedPerformanceTypeUserGrant
|
|
ImprovedPerformanceTypeOrgDomainVerified
|
|
)
|
|
|
|
func (f Features) ShouldUseImprovedPerformance(typ ImprovedPerformanceType) bool {
|
|
return slices.Contains(f.ImprovedPerformance, typ)
|
|
}
|