mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-14 11:58:02 +00:00
041af26917
# Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
71 lines
3.0 KiB
Go
71 lines
3.0 KiB
Go
package handlers
|
|
|
|
import (
|
|
"context"
|
|
"time"
|
|
|
|
"github.com/go-jose/go-jose/v4"
|
|
"golang.org/x/text/language"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/query"
|
|
)
|
|
|
|
type Queries interface {
|
|
ActiveLabelPolicyByOrg(ctx context.Context, orgID string, withOwnerRemoved bool) (*query.LabelPolicy, error)
|
|
MailTemplateByOrg(ctx context.Context, orgID string, withOwnerRemoved bool) (*query.MailTemplate, error)
|
|
GetNotifyUserByID(ctx context.Context, shouldTriggered bool, userID string) (*query.NotifyUser, error)
|
|
CustomTextListByTemplate(ctx context.Context, aggregateID, template string, withOwnerRemoved bool) (*query.CustomTexts, error)
|
|
SearchInstanceDomains(ctx context.Context, queries *query.InstanceDomainSearchQueries) (*query.InstanceDomains, error)
|
|
SessionByID(ctx context.Context, shouldTriggerBulk bool, id, sessionToken string) (*query.Session, error)
|
|
NotificationPolicyByOrg(ctx context.Context, shouldTriggerBulk bool, orgID string, withOwnerRemoved bool) (*query.NotificationPolicy, error)
|
|
SearchMilestones(ctx context.Context, instanceIDs []string, queries *query.MilestonesSearchQueries) (*query.Milestones, error)
|
|
NotificationProviderByIDAndType(ctx context.Context, aggID string, providerType domain.NotificationProviderType) (*query.DebugNotificationProvider, error)
|
|
SMSProviderConfigActive(ctx context.Context, resourceOwner string) (config *query.SMSConfig, err error)
|
|
SMTPConfigActive(ctx context.Context, resourceOwner string) (*query.SMTPConfig, error)
|
|
GetDefaultLanguage(ctx context.Context) language.Tag
|
|
GetInstanceRestrictions(ctx context.Context) (restrictions query.Restrictions, err error)
|
|
InstanceByID(ctx context.Context, id string) (instance authz.Instance, err error)
|
|
GetActiveSigningWebKey(ctx context.Context) (*jose.JSONWebKey, error)
|
|
ActivePrivateSigningKey(ctx context.Context, t time.Time) (keys *query.PrivateKeys, err error)
|
|
}
|
|
|
|
type NotificationQueries struct {
|
|
Queries
|
|
es *eventstore.Eventstore
|
|
externalDomain string
|
|
externalPort uint16
|
|
externalSecure bool
|
|
fileSystemPath string
|
|
UserDataCrypto crypto.EncryptionAlgorithm
|
|
SMTPPasswordCrypto crypto.EncryptionAlgorithm
|
|
SMSTokenCrypto crypto.EncryptionAlgorithm
|
|
}
|
|
|
|
func NewNotificationQueries(
|
|
baseQueries Queries,
|
|
es *eventstore.Eventstore,
|
|
externalDomain string,
|
|
externalPort uint16,
|
|
externalSecure bool,
|
|
fileSystemPath string,
|
|
userDataCrypto crypto.EncryptionAlgorithm,
|
|
smtpPasswordCrypto crypto.EncryptionAlgorithm,
|
|
smsTokenCrypto crypto.EncryptionAlgorithm,
|
|
) *NotificationQueries {
|
|
return &NotificationQueries{
|
|
Queries: baseQueries,
|
|
es: es,
|
|
externalDomain: externalDomain,
|
|
externalPort: externalPort,
|
|
externalSecure: externalSecure,
|
|
fileSystemPath: fileSystemPath,
|
|
UserDataCrypto: userDataCrypto,
|
|
SMTPPasswordCrypto: smtpPasswordCrypto,
|
|
SMSTokenCrypto: smsTokenCrypto,
|
|
}
|
|
}
|