mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-13 19:44:21 +00:00
041af26917
# Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl>
103 lines
3.0 KiB
Go
103 lines
3.0 KiB
Go
package query
|
|
|
|
import (
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/feature"
|
|
"github.com/zitadel/zitadel/internal/repository/feature/feature_v2"
|
|
)
|
|
|
|
type SystemFeaturesReadModel struct {
|
|
*eventstore.ReadModel
|
|
system *SystemFeatures
|
|
}
|
|
|
|
func NewSystemFeaturesReadModel() *SystemFeaturesReadModel {
|
|
m := &SystemFeaturesReadModel{
|
|
ReadModel: &eventstore.ReadModel{
|
|
AggregateID: "SYSTEM",
|
|
ResourceOwner: "SYSTEM",
|
|
},
|
|
system: new(SystemFeatures),
|
|
}
|
|
return m
|
|
}
|
|
|
|
func (m *SystemFeaturesReadModel) Reduce() error {
|
|
for _, event := range m.Events {
|
|
switch e := event.(type) {
|
|
case *feature_v2.ResetEvent:
|
|
m.reduceReset()
|
|
case *feature_v2.SetEvent[bool]:
|
|
err := reduceSystemFeatureSet(m.system, e)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
case *feature_v2.SetEvent[[]feature.ImprovedPerformanceType]:
|
|
err := reduceSystemFeatureSet(m.system, e)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
return m.ReadModel.Reduce()
|
|
}
|
|
|
|
func (m *SystemFeaturesReadModel) Query() *eventstore.SearchQueryBuilder {
|
|
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
AwaitOpenTransactions().
|
|
AddQuery().
|
|
AggregateTypes(feature_v2.AggregateType).
|
|
AggregateIDs(m.AggregateID).
|
|
EventTypes(
|
|
feature_v2.SystemResetEventType,
|
|
feature_v2.SystemLoginDefaultOrgEventType,
|
|
feature_v2.SystemTriggerIntrospectionProjectionsEventType,
|
|
feature_v2.SystemLegacyIntrospectionEventType,
|
|
feature_v2.SystemUserSchemaEventType,
|
|
feature_v2.SystemTokenExchangeEventType,
|
|
feature_v2.SystemActionsEventType,
|
|
feature_v2.SystemImprovedPerformanceEventType,
|
|
feature_v2.SystemOIDCSingleV1SessionTerminationEventType,
|
|
feature_v2.SystemDisableUserTokenEvent,
|
|
feature_v2.SystemEnableBackChannelLogout,
|
|
).
|
|
Builder().ResourceOwner(m.ResourceOwner)
|
|
}
|
|
|
|
func (m *SystemFeaturesReadModel) reduceReset() {
|
|
m.system = nil
|
|
m.system = new(SystemFeatures)
|
|
}
|
|
|
|
func reduceSystemFeatureSet[T any](features *SystemFeatures, event *feature_v2.SetEvent[T]) error {
|
|
level, key, err := event.FeatureInfo()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
switch key {
|
|
case feature.KeyUnspecified:
|
|
return nil
|
|
case feature.KeyLoginDefaultOrg:
|
|
features.LoginDefaultOrg.set(level, event.Value)
|
|
case feature.KeyTriggerIntrospectionProjections:
|
|
features.TriggerIntrospectionProjections.set(level, event.Value)
|
|
case feature.KeyLegacyIntrospection:
|
|
features.LegacyIntrospection.set(level, event.Value)
|
|
case feature.KeyUserSchema:
|
|
features.UserSchema.set(level, event.Value)
|
|
case feature.KeyTokenExchange:
|
|
features.TokenExchange.set(level, event.Value)
|
|
case feature.KeyActions:
|
|
features.Actions.set(level, event.Value)
|
|
case feature.KeyImprovedPerformance:
|
|
features.ImprovedPerformance.set(level, event.Value)
|
|
case feature.KeyOIDCSingleV1SessionTermination:
|
|
features.OIDCSingleV1SessionTermination.set(level, event.Value)
|
|
case feature.KeyDisableUserTokenEvent:
|
|
features.DisableUserTokenEvent.set(level, event.Value)
|
|
case feature.KeyEnableBackChannelLogout:
|
|
features.EnableBackChannelLogout.set(level, event.Value)
|
|
}
|
|
return nil
|
|
}
|