element-hq
diff --git a/‎crates/cli/src/sync.rs‎
Lines changed: 10 additions & 0 deletions b/‎crates/cli/src/sync.rs‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎crates/config/src/sections/mod.rs‎
Lines changed: 4 additions & 2 deletions b/‎crates/config/src/sections/mod.rs‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎crates/config/src/sections/upstream_oauth2.rs‎
Lines changed: 25 additions & 0 deletions b/‎crates/config/src/sections/upstream_oauth2.rs‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎crates/data-model/src/lib.rs‎
Lines changed: 3 additions & 3 deletions b/‎crates/data-model/src/lib.rs‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎crates/data-model/src/upstream_oauth2/mod.rs‎
Lines changed: 1 addition & 0 deletions b/‎crates/data-model/src/upstream_oauth2/mod.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎crates/data-model/src/upstream_oauth2/provider.rs‎
Lines changed: 40 additions & 0 deletions b/‎crates/data-model/src/upstream_oauth2/provider.rs‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎crates/handlers/src/admin/v1/upstream_oauth_links/mod.rs‎
Lines changed: 3 additions & 1 deletion b/‎crates/handlers/src/admin/v1/upstream_oauth_links/mod.rs‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎crates/handlers/src/upstream_oauth2/cache.rs‎
Lines changed: 3 additions & 1 deletion b/‎crates/handlers/src/upstream_oauth2/cache.rs‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎crates/handlers/src/upstream_oauth2/link.rs‎
Lines changed: 2 additions & 0 deletions b/‎crates/handlers/src/upstream_oauth2/link.rs‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎crates/handlers/src/views/login.rs‎
Lines changed: 4 additions & 1 deletion b/‎crates/handlers/src/views/login.rs‎
Lines changed: 4 additions & 1 deletion
@@ -276,6 +276,15 @@ pub async fn config_sync(
                 }
             };
 
+            let on_backchannel_logout = match provider.on_backchannel_logout {
+                mas_config::UpstreamOAuth2OnBackchannelLogout::DoNothing => {
+                    mas_data_model::UpstreamOAuthProviderOnBackchannelLogout::DoNothing
+                }
+                mas_config::UpstreamOAuth2OnBackchannelLogout::LogoutBrowserOnly => {
+                    mas_data_model::UpstreamOAuthProviderOnBackchannelLogout::LogoutBrowserOnly
+                }
+            };
+
             repo.upstream_oauth_provider()
                 .upsert(
                     clock,
@@ -306,6 +315,7 @@ pub async fn config_sync(
                             .collect(),
                         forward_login_hint: provider.forward_login_hint,
                         ui_order,
+                        on_backchannel_logout,
                     },
                 )
                 .await?;
 
@@ -52,8 +52,10 @@ pub use self::{
     upstream_oauth2::{
         ClaimsImports as UpstreamOAuth2ClaimsImports, DiscoveryMode as UpstreamOAuth2DiscoveryMode,
         EmailImportPreference as UpstreamOAuth2EmailImportPreference,
-        ImportAction as UpstreamOAuth2ImportAction, PkceMethod as UpstreamOAuth2PkceMethod,
-        Provider as UpstreamOAuth2Provider, ResponseMode as UpstreamOAuth2ResponseMode,
+        ImportAction as UpstreamOAuth2ImportAction,
+        OnBackchannelLogout as UpstreamOAuth2OnBackchannelLogout,
+        PkceMethod as UpstreamOAuth2PkceMethod, Provider as UpstreamOAuth2Provider,
+        ResponseMode as UpstreamOAuth2ResponseMode,
         TokenAuthMethod as UpstreamOAuth2TokenAuthMethod, UpstreamOAuth2Config,
     },
 };
 
@@ -408,6 +408,25 @@ fn is_default_scope(scope: &str) -> bool {
     scope == default_scope()
 }
 
+/// What to do when receiving an OIDC Backchannel logout request.
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, JsonSchema, Default)]
+#[serde(rename_all = "snake_case")]
+pub enum OnBackchannelLogout {
+    /// Do nothing
+    #[default]
+    DoNothing,
+
+    /// Only log out the MAS 'browser session' started by this OIDC session
+    LogoutBrowserOnly,
+}
+
+impl OnBackchannelLogout {
+    #[allow(clippy::trivially_copy_pass_by_ref)]
+    const fn is_default(&self) -> bool {
+        matches!(self, OnBackchannelLogout::DoNothing)
+    }
+}
+
 /// Configuration for one upstream OAuth 2 provider.
 #[skip_serializing_none]
 #[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
@@ -583,4 +602,10 @@ pub struct Provider {
     /// Defaults to `false`.
     #[serde(default)]
     pub forward_login_hint: bool,
+
+    /// What to do when receiving an OIDC Backchannel logout request.
+    ///
+    /// Defaults to "do_nothing".
+    #[serde(default, skip_serializing_if = "OnBackchannelLogout::is_default")]
+    pub on_backchannel_logout: OnBackchannelLogout,
 }
@@ -42,9 +42,9 @@ pub use self::{
         UpstreamOAuthAuthorizationSession, UpstreamOAuthAuthorizationSessionState,
         UpstreamOAuthLink, UpstreamOAuthProvider, UpstreamOAuthProviderClaimsImports,
         UpstreamOAuthProviderDiscoveryMode, UpstreamOAuthProviderImportAction,
-        UpstreamOAuthProviderImportPreference, UpstreamOAuthProviderPkceMode,
-        UpstreamOAuthProviderResponseMode, UpstreamOAuthProviderSubjectPreference,
-        UpstreamOAuthProviderTokenAuthMethod,
+        UpstreamOAuthProviderImportPreference, UpstreamOAuthProviderOnBackchannelLogout,
+        UpstreamOAuthProviderPkceMode, UpstreamOAuthProviderResponseMode,
+        UpstreamOAuthProviderSubjectPreference, UpstreamOAuthProviderTokenAuthMethod,
     },
     user_agent::{DeviceType, UserAgent},
     users::{
 
@@ -15,6 +15,7 @@ pub use self::{
         DiscoveryMode as UpstreamOAuthProviderDiscoveryMode,
         ImportAction as UpstreamOAuthProviderImportAction,
         ImportPreference as UpstreamOAuthProviderImportPreference,
+        OnBackchannelLogout as UpstreamOAuthProviderOnBackchannelLogout,
         PkceMode as UpstreamOAuthProviderPkceMode,
         ResponseMode as UpstreamOAuthProviderResponseMode,
         SubjectPreference as UpstreamOAuthProviderSubjectPreference,
 
@@ -216,6 +216,45 @@ impl std::str::FromStr for TokenAuthMethod {
 #[error("Invalid upstream OAuth 2.0 token auth method: {0}")]
 pub struct InvalidUpstreamOAuth2TokenAuthMethod(String);
 
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "snake_case")]
+pub enum OnBackchannelLogout {
+    DoNothing,
+    LogoutBrowserOnly,
+}
+
+impl OnBackchannelLogout {
+    #[must_use]
+    pub fn as_str(self) -> &'static str {
+        match self {
+            Self::DoNothing => "do_nothing",
+            Self::LogoutBrowserOnly => "logout_browser_only",
+        }
+    }
+}
+
+impl std::fmt::Display for OnBackchannelLogout {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str(self.as_str())
+    }
+}
+
+impl std::str::FromStr for OnBackchannelLogout {
+    type Err = InvalidUpstreamOAuth2OnBackchannelLogout;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        match s {
+            "do_nothing" => Ok(Self::DoNothing),
+            "logout_browser_only" => Ok(Self::LogoutBrowserOnly),
+            s => Err(InvalidUpstreamOAuth2OnBackchannelLogout(s.to_owned())),
+        }
+    }
+}
+
+#[derive(Debug, Clone, Error)]
+#[error("Invalid upstream OAuth 2.0 'on backchannel logout': {0}")]
+pub struct InvalidUpstreamOAuth2OnBackchannelLogout(String);
+
 #[derive(Debug, Clone, PartialEq, Eq, Serialize)]
 pub struct UpstreamOAuthProvider {
     pub id: Ulid,
@@ -242,6 +281,7 @@ pub struct UpstreamOAuthProvider {
     pub claims_imports: ClaimsImports,
     pub additional_authorization_parameters: Vec<(String, String)>,
     pub forward_login_hint: bool,
+    pub on_backchannel_logout: OnBackchannelLogout,
 }
 
 impl PartialOrd for UpstreamOAuthProvider {
 
@@ -19,7 +19,8 @@ pub use self::{
 mod test_utils {
     use mas_data_model::{
         UpstreamOAuthProviderClaimsImports, UpstreamOAuthProviderDiscoveryMode,
-        UpstreamOAuthProviderPkceMode, UpstreamOAuthProviderTokenAuthMethod,
+        UpstreamOAuthProviderOnBackchannelLogout, UpstreamOAuthProviderPkceMode,
+        UpstreamOAuthProviderTokenAuthMethod,
     };
     use mas_iana::jose::JsonWebSignatureAlg;
     use mas_storage::upstream_oauth2::UpstreamOAuthProviderParams;
@@ -49,6 +50,7 @@ mod test_utils {
             additional_authorization_parameters: Vec::new(),
             forward_login_hint: false,
             ui_order: 0,
+            on_backchannel_logout: UpstreamOAuthProviderOnBackchannelLogout::DoNothing,
         }
     }
 }
@@ -296,7 +296,8 @@ mod tests {
     // 'insecure' discovery
 
     use mas_data_model::{
-        UpstreamOAuthProviderClaimsImports, UpstreamOAuthProviderTokenAuthMethod,
+        UpstreamOAuthProviderClaimsImports, UpstreamOAuthProviderOnBackchannelLogout,
+        UpstreamOAuthProviderTokenAuthMethod,
     };
     use mas_iana::jose::JsonWebSignatureAlg;
     use mas_storage::{Clock, clock::MockClock};
@@ -427,6 +428,7 @@ mod tests {
             claims_imports: UpstreamOAuthProviderClaimsImports::default(),
             additional_authorization_parameters: Vec::new(),
             forward_login_hint: false,
+            on_backchannel_logout: UpstreamOAuthProviderOnBackchannelLogout::DoNothing,
         };
 
         // Without any override, it should just use discovery
 
@@ -986,6 +986,8 @@ mod tests {
                     additional_authorization_parameters: Vec::new(),
                     forward_login_hint: false,
                     ui_order: 0,
+                    on_backchannel_logout:
+                        mas_data_model::UpstreamOAuthProviderOnBackchannelLogout::DoNothing,
                 },
             )
             .await
 
@@ -424,7 +424,8 @@ mod test {
         header::{CONTENT_TYPE, LOCATION},
     };
     use mas_data_model::{
-        UpstreamOAuthProviderClaimsImports, UpstreamOAuthProviderTokenAuthMethod,
+        UpstreamOAuthProviderClaimsImports, UpstreamOAuthProviderOnBackchannelLogout,
+        UpstreamOAuthProviderTokenAuthMethod,
     };
     use mas_iana::jose::JsonWebSignatureAlg;
     use mas_router::Route;
@@ -500,6 +501,7 @@ mod test {
                     additional_authorization_parameters: Vec::new(),
                     forward_login_hint: false,
                     ui_order: 0,
+                    on_backchannel_logout: UpstreamOAuthProviderOnBackchannelLogout::DoNothing,
                 },
             )
             .await
@@ -542,6 +544,7 @@ mod test {
                     additional_authorization_parameters: Vec::new(),
                     forward_login_hint: false,
                     ui_order: 1,
+                    on_backchannel_logout: UpstreamOAuthProviderOnBackchannelLogout::DoNothing,
                 },
             )
             .await
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,8 @@ pub use self::{`
`19`	`19`	`mod test_utils {`
`20`	`20`	`use mas_data_model::{`
`21`	`21`	`UpstreamOAuthProviderClaimsImports, UpstreamOAuthProviderDiscoveryMode,`
`22`		`- UpstreamOAuthProviderPkceMode, UpstreamOAuthProviderTokenAuthMethod,`
	`22`	`+ UpstreamOAuthProviderOnBackchannelLogout, UpstreamOAuthProviderPkceMode,`
	`23`	`+ UpstreamOAuthProviderTokenAuthMethod,`
`23`	`24`	`};`
`24`	`25`	`use mas_iana::jose::JsonWebSignatureAlg;`
`25`	`26`	`use mas_storage::upstream_oauth2::UpstreamOAuthProviderParams;`
`@@ -49,6 +50,7 @@ mod test_utils {`
`49`	`50`	`additional_authorization_parameters: Vec::new(),`
`50`	`51`	`forward_login_hint: false,`
`51`	`52`	`ui_order: 0,`
	`53`	`+ on_backchannel_logout: UpstreamOAuthProviderOnBackchannelLogout::DoNothing,`
`52`	`54`	`}`
`53`	`55`	`}`
`54`	`56`	`}`
Original file line number	Diff line number	Diff line change
`@@ -986,6 +986,8 @@ mod tests {`
`986`	`986`	`additional_authorization_parameters: Vec::new(),`
`987`	`987`	`forward_login_hint: false,`
`988`	`988`	`ui_order: 0,`
	`989`	`+ on_backchannel_logout:`
	`990`	`+ mas_data_model::UpstreamOAuthProviderOnBackchannelLogout::DoNothing,`
`989`	`991`	`},`
`990`	`992`	`)`
`991`	`993`	`.await`