WIP: feat: backchannel logout in tests/app

- TODO: get the SSE sending to the frontend so we get a notification of
   the backend state change.

- TODO: look into the CSRF issue. Are we breaking a major CSRF rule here
   or is sveltkit overly defensive.

add backchannel logout support to our tests/app idp and rp to facilitate
manual end to end testing.

Author: dopry

tests/app/idp/idp/settings.py

@@ -207,6 +207,8 @@
         "openid": "OpenID Connect scope",
     },
     "ALLOWED_SCHEMES": env("OAUTH2_PROVIDER_ALLOWED_SCHEMES"),
+    "OIDC_BACKCHANNEL_LOGOUT_ENABLED": True,
+    "OIDC_ISS_ENDPOINT": "http://localhost:8000",
 }
 # needs to be set to allow cors requests from the test app, along with ALLOWED_SCHEMES=["http"]
 os.environ["OAUTHLIB_INSECURE_TRANSPORT"] = env("OAUTHLIB_INSECURE_TRANSPORT")
@@ -238,3 +240,5 @@
         # },
     },
 }
+
+

tests/app/rp/package-lock.json

@@ -25,6 +25,7 @@
 	},
 	"type": "module",
 	"dependencies": {
-		"@dopry/svelte-oidc": "^1.1.0"
+		"@dopry/svelte-oidc": "^1.1.0",
+		"jose": "^6.1.0"
 	}
 }

tests/app/rp/package.json

@@ -1,5 +1,6 @@
 <script>
 	import { browser } from '$app/environment';
+	import { onMount } from 'svelte';
 	import {
 		OidcContext,
 		LoginButton,
@@ -16,6 +17,23 @@
 	} from '@dopry/svelte-oidc';
 
 	const metadata = {};
+
+	// Listen for SSE logout events if authenticated and sid is available
+
+	let eventSource;
+	onMount(() => {
+		if (browser && $isAuthenticated && $userInfo?.sid) {
+			eventSource = new EventSource(`/api/logout-events?sid=${$userInfo.sid}`);
+			eventSource.addEventListener('logout', (event) => {
+				// Optionally show a message or redirect
+				logout();
+				alert('You have been logged out by the OP (backchannel logout).');
+			});
+		}
+		return () => {
+			if (eventSource) eventSource.close();
+		};
+	});
 </script>
 
 {#if browser}

tests/app/rp/src/routes/+page.svelte

@@ -0,0 +1,87 @@
+// OIDC Backchannel Logout Endpoint for SvelteKit RP
+// Receives POST requests from the OP with a logout_token (JWT)
+
+import { validateLogoutToken } from '../validateLogoutToken.js';
+import { sendLogoutEvent } from '../sseClients.js';
+
+const corsHeaders = {
+	'Access-Control-Allow-Origin': '*',
+	'Access-Control-Allow-Methods': 'POST, OPTIONS',
+	'Access-Control-Allow-Headers': 'Content-Type',
+    'Accept': '*'
+};
+
+/**
+ * POST /api/backchannel-logout
+ * Receives a logout_token from the OP and invalidates the user session.
+ */
+export async function POST({ request, locals }) {
+	try {
+			const headers = {
+				'Content-Type': 'application/json',
+				...corsHeaders
+			};
+			let logout_token;
+			let data;
+			const contentType = request.headers.get('content-type') || '';
+			if (contentType.includes('application/json')) {
+				data = await request.json();
+				logout_token = data.logout_token;
+			} else if (contentType.includes('application/x-www-form-urlencoded')) {
+				const form = await request.formData();
+				logout_token = form.get('logout_token');
+				data = { logout_token };
+			} else {
+				return new Response(JSON.stringify({ error: 'Unsupported content type' }), {
+					status: 415,
+					headers
+				});
+			}
+			console.log('Received backchannel logout request', { data });
+			if (!logout_token) {
+				return new Response(JSON.stringify({ error: 'Missing logout_token' }), {
+					status: 400,
+					headers
+				});
+			}
+
+		// Validate the logout_token (JWT) according to OIDC spec
+		let payload;
+		try {
+			payload = await validateLogoutToken(logout_token);
+		} catch (e) {
+			return new Response(
+				JSON.stringify({ error: 'Invalid logout_token', details: e.message }),
+				{
+					status: 400,
+					headers
+				}
+			);
+		}
+
+		// Notify frontend via SSE if sid is present
+		if (payload.sid) {
+			sendLogoutEvent(payload.sid, { sub: payload.sub, sid: payload.sid, event: 'logout' });
+		}
+		return new Response(
+			JSON.stringify({ status: 'logout processed', sub: payload?.sub, sid: payload?.sid }),
+			{
+				status: 200,
+				headers
+			}
+		);
+	} catch (err) {
+		return new Response(JSON.stringify({ error: 'Invalid request', details: err.message }), {
+			status: 400,
+			headers
+		});
+	}
+}
+
+// Handle preflight OPTIONS requests for CORS
+export async function OPTIONS() {
+	return new Response(null, {
+		status: 204,
+		headers: corsHeaders
+	});
+}

tests/app/rp/src/routes/api/backchannel-logout/+server.js

@@ -0,0 +1,34 @@
+// SSE endpoint for logout events
+import { addClient, removeClient } from '../sseClients.js';
+
+export async function GET({ url }) {
+    // Get sid from query param (e.g., /api/logout-events?sid=123)
+    const sid = url.searchParams.get('sid');
+    if (!sid) {
+        return new Response('Missing sid', { status: 400 });
+    }
+
+    const stream = new ReadableStream({
+        start(controller) {
+            const encoder = new TextEncoder();
+            // Create a fake response object for our in-memory store
+            const res = {
+                write: (data) => controller.enqueue(encoder.encode(data)),
+                close: () => controller.close()
+            };
+            addClient(sid, res);
+            // Remove client on stream close
+            controller.signal?.addEventListener('abort', () => {
+                removeClient(sid, res);
+            });
+        }
+    });
+
+    return new Response(stream, {
+        headers: {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache',
+            'Connection': 'keep-alive'
+        }
+    });
+}

tests/app/rp/src/routes/api/logout-events/+server.js

@@ -0,0 +1,26 @@
+// In-memory store for SSE clients keyed by sid (session id)
+const clients = new Map();
+
+export function addClient(sid, res) {
+    if (!clients.has(sid)) {
+        clients.set(sid, new Set());
+    }
+    clients.get(sid).add(res);
+}
+
+export function removeClient(sid, res) {
+    if (clients.has(sid)) {
+        clients.get(sid).delete(res);
+        if (clients.get(sid).size === 0) {
+            clients.delete(sid);
+        }
+    }
+}
+
+export function sendLogoutEvent(sid, data) {
+    if (clients.has(sid)) {
+        for (const res of clients.get(sid)) {
+            res.write(`event: logout\ndata: ${JSON.stringify(data)}\n\n`);
+        }
+    }
+}

tests/app/rp/src/routes/api/sseClients.js

@@ -0,0 +1,28 @@
+// Utility for OIDC logout token validation using jose
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+
+// Set your OP's JWKS endpoint here
+const JWKS_URI = 'http://localhost:8000/o/.well-known/jwks.json'; // Adjust as needed
+
+const JWKS = createRemoteJWKSet(new URL(JWKS_URI));
+
+export async function validateLogoutToken(token) {
+    try {
+        // Accept only ID Token or Logout Token types
+        const { payload } = await jwtVerify(token, JWKS, {
+            algorithms: ['RS256'],
+            // audience, issuer, etc. can be checked here if needed
+        });
+        // OIDC Backchannel Logout Token must have events.logout
+        if (!payload.events || !payload.events['http://schemas.openid.net/event/backchannel-logout']) {
+            throw new Error('Missing backchannel-logout event');
+        }
+        // sub or sid must be present
+        if (!payload.sub && !payload.sid) {
+            throw new Error('Logout token missing sub and sid');
+        }
+        return payload;
+    } catch (e) {
+        throw new Error('Logout token validation failed: ' + e.message);
+    }
+}

tests/app/rp/src/routes/api/validateLogoutToken.js

@@ -9,7 +9,11 @@ const config = {
 
 	kit: {
 		// build to run in containerized node.js environment
-		adapter: adapter()
+		adapter: adapter(),
+		// added for backchannel logout testing, the idp does a 
+		// form POST to the api/backchannel-logout endpoint
+		// which freaks out CSRF protection unless we disable it here
+		csrf: { checkOrigin: false }
 	}
 };