feat: backchannel logout in tests/app

add backchannel logout support to our tests/app idp and rp to facilitate
manual end to end testing.

Author: dopry

tests/app/idp/fixtures/seed.json

@@ -1,38 +1,39 @@
-[
-{
-  "model": "auth.user",
-  "fields": {
-    "password": "pbkdf2_sha256$390000$29LoVHfFRlvEOJ9clv73Wx$fx5ejfUJ+nYsnBXFf21jZvDsq4o3p5io3TrAGKAVTq4=",
-    "last_login": "2023-11-11T17:24:19.359Z",
-    "is_superuser": true,
-    "username": "superuser",
-    "first_name": "",
-    "last_name": "",
-    "email": "",
-    "is_staff": true,
-    "is_active": true,
-    "date_joined": "2023-05-01T19:53:59.622Z",
-    "groups": [],
-    "user_permissions": []
-  }
-},
-{
-  "model": "oauth2_provider.application",
-  "fields": {
-    "client_id": "2EIxgjlyy5VgCp2fjhEpKLyRtSMMPK0hZ0gBpNdm",
-    "user": null,
-    "redirect_uris": "http://localhost:5173\r\nhttp://127.0.0.1:5173",
-    "post_logout_redirect_uris": "http://localhost:5173\r\nhttp://127.0.0.1:5173",
-    "client_type": "public",
-    "authorization_grant_type": "authorization-code",
-    "client_secret": "pbkdf2_sha256$600000$HEYByn6WXiQUI1D6ezTnAf$qPLekt0t3ZssnzEOvQkeOSfxx7tbs/gcC3O0CthtP2A=",
-    "hash_client_secret": true,
-    "name": "OIDC - Authorization Code",
-    "skip_authorization": true,
-    "created": "2023-05-01T20:27:46.167Z",
-    "updated": "2023-11-11T17:23:44.643Z",
-    "algorithm": "RS256",
-    "allowed_origins": "http://localhost:5173\r\nhttp://127.0.0.1:5173"
-  }
-}
-]
+[
+{
+  "model": "auth.user",
+  "fields": {
+    "password": "pbkdf2_sha256$600000$8lMa9lh0apkrhQShFyKKBI$MQ4tij3eQhzA3yJF+GPCKCUSIZ7meMJHSxh+ccDF/UI=",
+    "last_login": "2025-11-01T17:57:15.021Z",
+    "is_superuser": true,
+    "username": "superuser",
+    "first_name": "",
+    "last_name": "",
+    "email": "",
+    "is_staff": true,
+    "is_active": true,
+    "date_joined": "2023-05-01T19:53:59.622Z",
+    "groups": [],
+    "user_permissions": []
+  }
+},
+{
+  "model": "oauth2_provider.application",
+  "fields": {
+    "client_id": "2EIxgjlyy5VgCp2fjhEpKLyRtSMMPK0hZ0gBpNdm",
+    "user": null,
+    "redirect_uris": "http://localhost:5173\r\nhttp://127.0.0.1:5173",
+    "post_logout_redirect_uris": "http://localhost:5173\r\nhttp://127.0.0.1:5173",
+    "client_type": "public",
+    "authorization_grant_type": "authorization-code",
+    "client_secret": "pbkdf2_sha256$600000$HEYByn6WXiQUI1D6ezTnAf$qPLekt0t3ZssnzEOvQkeOSfxx7tbs/gcC3O0CthtP2A=",
+    "hash_client_secret": true,
+    "name": "OIDC - Authorization Code",
+    "skip_authorization": true,
+    "created": "2023-05-01T20:27:46.167Z",
+    "updated": "2025-11-01T17:57:59.850Z",
+    "algorithm": "RS256",
+    "allowed_origins": "http://localhost:5173\r\nhttp://127.0.0.1:5173",
+    "backchannel_logout_uri": "http://localhost:5173/api/backchannel-logout"
+  }
+}
+]

tests/app/idp/idp/settings.py

@@ -207,6 +207,8 @@
         "openid": "OpenID Connect scope",
     },
     "ALLOWED_SCHEMES": env("OAUTH2_PROVIDER_ALLOWED_SCHEMES"),
+    "OIDC_BACKCHANNEL_LOGOUT_ENABLED": True,
+    "OIDC_ISS_ENDPOINT": "http://localhost:8000",
 }
 # needs to be set to allow cors requests from the test app, along with ALLOWED_SCHEMES=["http"]
 os.environ["OAUTHLIB_INSECURE_TRANSPORT"] = env("OAUTHLIB_INSECURE_TRANSPORT")
@@ -238,3 +240,5 @@
         # },
     },
 }
+
+

tests/app/rp/src/app.html

@@ -1,8 +1,8 @@
 <!doctype html>
 <html lang="en">
-	<head>
-		<meta charset="utf-8" />
-		<link rel="icon" href="%sveltekit.assets%/favicon.png" />
+<head>
+	<meta charset="utf-8" />
+	<link rel="icon" href="%sveltekit.assets%/favicon.png" />
 		<link rel="stylesheet" href="%sveltekit.assets%/materialize.min.css" />
 		<meta name="viewport" content="width=device-width, initial-scale=1" />
 		<title>Django OAuth Toolkit RP Demo</title>
@@ -38,10 +38,10 @@
 				}
 			}
 		</style>
-		%sveltekit.head%
-	</head>
+	%sveltekit.head%
+</head>
 
-	<body data-sveltekit-preload-data="hover">
+<body data-sveltekit-preload-data="hover">
 		<div class="container">
 			<h2>Django OAuth Toolkit Test RP</h2>
 			<a
@@ -77,5 +77,5 @@ <h2>Django OAuth Toolkit Test RP</h2>
 			></a>
 			<div>%sveltekit.body%</div>
 		</div>
-	</body>
-</html>
+</body>
+</html>

tests/app/rp/src/routes/+page.svelte

@@ -1,5 +1,6 @@
 <script>
 	import { browser } from '$app/environment';
+	import { onDestroy } from 'svelte';
 	import {
 		EventLog,
 		LoginButton,
@@ -15,20 +16,49 @@
 	} from '@dopry/svelte-oidc';
 
 	const metadata = {};
+
+	let eventSource = null;
+
+	$: sid = $userInfo?.sid || $userInfo?.sub;
+
+	$: {
+		// Reactively manage SSE connection when sid or authentication changes
+		if (browser && $isAuthenticated && sid) {
+			if (eventSource) {
+				eventSource.close();
+			}
+			eventSource = new EventSource(`/api/logout-events?sid=${sid}`);
+			eventSource.addEventListener('logout', (event) => {
+				console.log('You have been logged out by the OP (backchannel logout).', event);
+			});
+		} else {
+			if (eventSource) {
+				eventSource.close();
+				eventSource = null;
+			}
+		}
+	}
+
+	onDestroy(() => {
+		if (eventSource) {
+			eventSource.close();
+			eventSource = null;
+		}
+	});
 </script>
 
-{#if browser}
-	<OidcContext
-		issuer="http://localhost:8000/o"
-		client_id="2EIxgjlyy5VgCp2fjhEpKLyRtSMMPK0hZ0gBpNdm"
-		redirect_uri="http://localhost:5173"
-		post_logout_redirect_uri="http://localhost:5173"
-		{metadata}
-		scope="openid"
-		extraOptions={{
-			mergeClaims: true
-		}}
-	>
+	{#if browser}
+		<OidcContext
+			issuer="http://localhost:8000/o"
+			client_id="2EIxgjlyy5VgCp2fjhEpKLyRtSMMPK0hZ0gBpNdm"
+			redirect_uri="http://localhost:5173"
+			post_logout_redirect_uri="http://localhost:5173"
+			{metadata}
+			scope="openid"
+			extraOptions={{
+				mergeClaims: true
+			}}
+		>
 		<div class="row">
 			<div class="col s12">
 				<LoginButton>Login</LoginButton>
@@ -80,5 +110,5 @@
 				<EventLog />
 			</div>
 		</div>
-	</OidcContext>
-{/if}
+		</OidcContext>
+	{/if}

tests/app/rp/src/routes/api/backchannel-logout/+server.js

@@ -0,0 +1,109 @@
+// OIDC Backchannel Logout Endpoint for SvelteKit RP
+// Receives POST requests from the OP with a logout_token (JWT)
+
+import { validateLogoutToken } from '../validateLogoutToken.js';
+import { sendLogoutEvent } from '../sseClients.js';
+
+const corsHeaders = {
+	'Access-Control-Allow-Origin': '*',
+	'Access-Control-Allow-Methods': 'POST, OPTIONS',
+	'Access-Control-Allow-Headers': 'Content-Type',
+	Accept: '*'
+};
+
+/**
+ * POST /api/backchannel-logout
+ * Receives a logout_token from the OP and invalidates the user session.
+ */
+export async function POST({ request, locals }) {
+	const headers = {
+		'Content-Type': 'application/json',
+		...corsHeaders
+	};
+	try {
+		let logout_token;
+		let data;
+		const contentType = request.headers.get('content-type') || '';
+		if (contentType.includes('application/json')) {
+			data = await request.json();
+			logout_token = data.logout_token;
+		} else if (contentType.includes('application/x-www-form-urlencoded')) {
+			const form = await request.formData();
+			logout_token = form.get('logout_token');
+			data = { logout_token };
+		} else {
+			return new Response(JSON.stringify({ error: 'Unsupported content type' }), {
+				status: 415,
+				headers
+			});
+		}
+		console.log('Received backchannel logout request', { data });
+		if (!logout_token) {
+			return new Response(JSON.stringify({ error: 'Missing logout_token' }), {
+				status: 400,
+				headers
+			});
+		}
+
+		// Validate the logout_token (JWT) according to OIDC spec
+		let payload;
+		try {
+			payload = await validateLogoutToken(logout_token);
+		} catch (e) {
+			console.log('Logout token validation error', e);
+			return new Response(
+				JSON.stringify({ error: 'Invalid logout_token', details: e.message }),
+				{
+					status: 400,
+					headers
+				}
+			);
+		}
+
+		// Notify frontend via SSE if sid is present
+		try {
+			if (payload.sid) {
+				console.log('Sending logout event for sid', payload.sid);
+				sendLogoutEvent(payload.sub, {
+					sub: payload.sub,
+					sid: payload.sid,
+					event: 'logout'
+				});
+			}
+			// Notify frontend via SSE if sub is present
+			// dot doesn't support sid claim currently, so use sub claim for testing
+			if (payload.sub) {
+				console.log('Sending logout event for sub', payload.sub);
+				sendLogoutEvent(payload.sub, {
+					sub: payload.sub,
+					sid: payload.sid,
+					event: 'logout'
+				});
+			}
+		} catch (e) {
+			console.log('Error sending logout sse events to frontend', e);
+		}
+		console.log('Processed backchannel logout for', { sub: payload.sub, sid: payload.sid });
+		return new Response(
+			JSON.stringify({ status: 'logout processed', sub: payload?.sub, sid: payload?.sid }),
+			{
+				status: 200,
+				headers
+			}
+		);
+	} catch (err) {
+		console.log('Error processing backchannel logout request', err);
+		return new Response(JSON.stringify({ error: 'Invalid request', details: err.message }), {
+			status: 400,
+			headers
+		});
+	}
+}
+
+// Handle preflight OPTIONS requests for CORS
+export async function OPTIONS() {
+	return new Response(null, {
+		status: 204,
+		headers: corsHeaders
+	});
+}

tests/app/rp/src/routes/api/logout-events/+server.js

@@ -0,0 +1,42 @@
+// SSE endpoint for logout events
+import { addClient, removeClient } from '../sseClients.js';
+
+export async function GET({ url }) {
+    // Get sid from query param (e.g., /api/logout-events?sid=123)
+    const sid = url.searchParams.get('sid');
+    if (!sid) {
+        return new Response('Missing sid', { status: 400 });
+    }
+
+    const stream = new ReadableStream({
+        start(controller) {
+            const encoder = new TextEncoder();
+            // Create a fake response object for our in-memory store
+            const res = {
+                write: (data) => {
+                    try {
+                        controller.enqueue(encoder.encode(data));
+                    } catch (err) {
+                        // Remove client if writing fails
+                        removeClient(sid, res);
+                        throw err;
+                    }
+                },
+                close: () => controller.close()
+            };
+            addClient(sid, res);
+            // Remove client on stream close
+            controller.signal?.addEventListener('abort', () => {
+                removeClient(sid, res);
+            });
+        }
+    });
+
+    return new Response(stream, {
+        headers: {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache',
+            'Connection': 'keep-alive'
+        }
+    });
+}

tests/app/rp/src/routes/api/sseClients.js

@@ -0,0 +1,32 @@
+// In-memory store for SSE clients keyed by sid (session id)
+const clients = new Map();
+
+export function addClient(sid, res) {
+    if (!clients.has(sid)) {
+        clients.set(sid, new Set());
+    }
+    clients.get(sid).add(res);
+}
+
+export function removeClient(sid, res) {
+    if (clients.has(sid)) {
+        clients.get(sid).delete(res);
+        if (clients.get(sid).size === 0) {
+            clients.delete(sid);
+        }
+    }
+}
+
+export function sendLogoutEvent(sid, data) {
+    if (clients.has(sid)) {
+        for (const res of Array.from(clients.get(sid))) {
+            try {
+                res.write(`event: logout\ndata: ${JSON.stringify(data)}\n\n`);
+            } catch (err) {
+                // Remove client if writing fails (stream closed)
+                removeClient(sid, res);
+                console.error('Error sending logout sse events to frontend', err);
+            }
+        }
+    }
+}