# Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity, providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered URI containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form` message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse them for token signing in the back_channel notifier. - To prevent already existing session termination events from being handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
package command
import (
"github.com/zitadel/zitadel/internal/domain"
)
// projectWriteModelToProject materializes the state held by a ProjectWriteModel
// as a domain.Project. The ObjectRoot is derived through writeModelToObjectRoot;
// every other field is copied one-to-one without validation. The write model
// must be non-nil — the function dereferences it without a guard.
func projectWriteModelToProject(writeModel *ProjectWriteModel) *domain.Project {
	project := new(domain.Project)
	project.ObjectRoot = writeModelToObjectRoot(writeModel.WriteModel)
	project.Name = writeModel.Name
	// Authorization-relevant project settings are passed through unchanged.
	project.ProjectRoleAssertion = writeModel.ProjectRoleAssertion
	project.ProjectRoleCheck = writeModel.ProjectRoleCheck
	project.HasProjectCheck = writeModel.HasProjectCheck
	project.PrivateLabelingSetting = writeModel.PrivateLabelingSetting
	return project
}
// projectGrantWriteModelToProjectGrant builds a domain.ProjectGrant from the
// state of a ProjectGrantWriteModel. Fields are copied as-is; nothing is
// validated here. RoleKeys is assigned directly, so the returned grant shares
// the slice's backing array with the write model — a caller that mutates one
// mutates the other. writeModel must be non-nil.
func projectGrantWriteModelToProjectGrant(writeModel *ProjectGrantWriteModel) *domain.ProjectGrant {
	grant := new(domain.ProjectGrant)
	grant.ObjectRoot = writeModelToObjectRoot(writeModel.WriteModel)
	grant.GrantID = writeModel.GrantID
	grant.GrantedOrgID = writeModel.GrantedOrgID
	grant.State = writeModel.State
	grant.RoleKeys = writeModel.RoleKeys
	return grant
}
// oidcWriteModelToOIDCConfig converts the state of an OIDCApplicationWriteModel
// into a domain.OIDCApp. It is a plain field-by-field copy: no defaults are
// applied and no validation takes place. Security-relevant settings such as
// RedirectUris, AdditionalOrigins, DevMode and BackChannelLogoutURI are passed
// through verbatim — NOTE(review): they are presumably validated by the command
// that created/changed the app, not here; confirm before relying on this value.
// Slice-valued fields (RedirectUris, PostLogoutRedirectUris, AdditionalOrigins,
// ResponseTypes, GrantTypes — confirm their types) are assigned directly and so
// alias the write model's backing arrays. writeModel must be non-nil.
func oidcWriteModelToOIDCConfig(writeModel *OIDCApplicationWriteModel) *domain.OIDCApp {
	app := &domain.OIDCApp{
		ObjectRoot: writeModelToObjectRoot(writeModel.WriteModel),
	}

	// Identity of the application / client.
	app.AppID = writeModel.AppID
	app.AppName = writeModel.AppName
	app.State = writeModel.State
	app.ClientID = writeModel.ClientID

	// Protocol-level configuration.
	app.OIDCVersion = writeModel.OIDCVersion
	app.ApplicationType = writeModel.ApplicationType
	app.AuthMethodType = writeModel.AuthMethodType
	app.ResponseTypes = writeModel.ResponseTypes
	app.GrantTypes = writeModel.GrantTypes

	// URIs and origins the client is allowed to use.
	app.RedirectUris = writeModel.RedirectUris
	app.PostLogoutRedirectUris = writeModel.PostLogoutRedirectUris
	app.AdditionalOrigins = writeModel.AdditionalOrigins
	app.BackChannelLogoutURI = writeModel.BackChannelLogoutURI

	// Token shaping.
	app.AccessTokenType = writeModel.AccessTokenType
	app.AccessTokenRoleAssertion = writeModel.AccessTokenRoleAssertion
	app.IDTokenRoleAssertion = writeModel.IDTokenRoleAssertion
	app.IDTokenUserinfoAssertion = writeModel.IDTokenUserinfoAssertion
	app.ClockSkew = writeModel.ClockSkew

	// Developer / UX flags.
	app.DevMode = writeModel.DevMode
	app.SkipNativeAppSuccessPage = writeModel.SkipNativeAppSuccessPage

	return app
}
// samlWriteModelToSAMLConfig converts a SAMLApplicationWriteModel into a
// domain.SAMLApp by copying each field unchanged. Metadata is assigned
// directly; if it is a byte slice (confirm), the returned app aliases the
// write model's buffer. No parsing or validation of the metadata happens
// here. writeModel must be non-nil.
func samlWriteModelToSAMLConfig(writeModel *SAMLApplicationWriteModel) *domain.SAMLApp {
	app := new(domain.SAMLApp)
	app.ObjectRoot = writeModelToObjectRoot(writeModel.WriteModel)
	app.AppID = writeModel.AppID
	app.AppName = writeModel.AppName
	app.State = writeModel.State
	app.EntityID = writeModel.EntityID
	app.MetadataURL = writeModel.MetadataURL
	app.Metadata = writeModel.Metadata
	return app
}
// apiWriteModelToAPIConfig converts an APIApplicationWriteModel into a
// domain.APIApp. Only the identifying fields and the authentication method
// are carried over; no secrets or keys are touched by this converter.
// writeModel must be non-nil.
func apiWriteModelToAPIConfig(writeModel *APIApplicationWriteModel) *domain.APIApp {
	app := new(domain.APIApp)
	app.ObjectRoot = writeModelToObjectRoot(writeModel.WriteModel)
	app.AppID = writeModel.AppID
	app.AppName = writeModel.AppName
	app.State = writeModel.State
	app.ClientID = writeModel.ClientID
	app.AuthMethodType = writeModel.AuthMethodType
	return app
}
// roleWriteModelToRole converts a ProjectRoleWriteModel into a
// domain.ProjectRole, copying Key, DisplayName and Group unchanged.
// writeModel must be non-nil.
func roleWriteModelToRole(writeModel *ProjectRoleWriteModel) *domain.ProjectRole {
	role := new(domain.ProjectRole)
	role.ObjectRoot = writeModelToObjectRoot(writeModel.WriteModel)
	role.Key = writeModel.Key
	role.DisplayName = writeModel.DisplayName
	role.Group = writeModel.Group
	return role
}
// memberWriteModelToProjectGrantMember converts a ProjectGrantMemberWriteModel
// into a domain.ProjectGrantMember. Roles is assigned directly, so the member
// and the write model share one backing array for the role list; no role
// validation is done here. writeModel must be non-nil.
func memberWriteModelToProjectGrantMember(writeModel *ProjectGrantMemberWriteModel) *domain.ProjectGrantMember {
	member := new(domain.ProjectGrantMember)
	member.ObjectRoot = writeModelToObjectRoot(writeModel.WriteModel)
	member.GrantID = writeModel.GrantID
	member.UserID = writeModel.UserID
	member.Roles = writeModel.Roles
	return member
}
// applicationKeyWriteModelToKey converts an ApplicationKeyWriteModel into a
// domain.ApplicationKey. Note the renamed fields: the write model's AppID
// becomes ApplicationID and KeyType becomes Type. Only key metadata
// (identifiers, type, expiration) is set here — this converter does not
// populate any key material. wm must be non-nil.
func applicationKeyWriteModelToKey(wm *ApplicationKeyWriteModel) *domain.ApplicationKey {
	key := new(domain.ApplicationKey)
	key.ObjectRoot = writeModelToObjectRoot(wm.WriteModel)
	key.ApplicationID = wm.AppID
	key.ClientID = wm.ClientID
	key.KeyID = wm.KeyID
	key.Type = wm.KeyType
	key.ExpirationDate = wm.ExpirationDate
	return key
}