Conversation

sandhose (Member)

@sandhose sandhose commented Jul 3, 2025

Fixes #2090

This adds support for receiving OpenID Connect Back-Channel Logout notifications. Those are fired when a user signs out from their upstream provider.

This can be reviewed commit by commit. Note that we're now saving the ID token claims as a JSON field in the database. We could choose to backfill those if we wanted to make this work retroactively on previous sessions, but we don't really have nice primitives to do this kind of backfilling.

How to test this:

  • set up a Keycloak instance connected to MAS (see the updated docs)
  • sign in to MAS with a Keycloak account
  • go to the Keycloak account self-service URL (something like <kc>/realms/<realm>/account/)
  • click 'Sign out'
  • browser sessions and client sessions may be logged out, depending on the on_backchannel_logout setting on the provider
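To make the receiving side concrete, here is an added, self-contained example (not code from the PR or from matrix-authentication-service) of the checks a relying party applies to an incoming logout token and how the ID token claims stored at login (the JSON field the PR introduces) are used to find the affected sessions. It follows the claim rules of OpenID Connect Back-Channel Logout 1.0: correct `iss` and `aud`, a recent `iat`, at least one of `sub` or `sid`, an `events` claim containing the back-channel-logout event, and no `nonce`. Assumptions: the token is signed with HS256 using a constructed shared secret so the example runs offline (a real provider such as Keycloak signs with an asymmetric key published via JWKS, which would need a JWKS lookup in `verify_hs256_jwt`'s place), and the session store is a plain list of dicts with `id` and `id_token_claims`; the issuer URL, client id and session data are all constructed.

```python
import base64
import hashlib
import hmac
import json

# Event URI every Back-Channel Logout token must carry inside its "events" claim.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed sample values; a real deployment reads these from provider config.
KEY = b"constructed-shared-secret"
ISSUER = "https://keycloak.example/realms/demo"
CLIENT_ID = "mas"
NOW = 1751500000  # fixed "current time" so the example is deterministic

# Constructed session store: the ID token claims recorded at login, one older
# session from before claims were stored, so it can never be matched.
SESSIONS = [
    {"id": "s1", "id_token_claims": {"iss": ISSUER, "sub": "alice", "sid": "sess-A"}},
    {"id": "s2", "id_token_claims": {"iss": ISSUER, "sub": "alice", "sid": "sess-B"}},
    {"id": "s3", "id_token_claims": {"iss": ISSUER, "sub": "bob", "sid": "sess-C"}},
    {"id": "s4", "id_token_claims": None},
]


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Stand-in for the provider: build an HS256-signed JWT from the claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    """Check the signature and return the payload; any other alg is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def validate_logout_token(claims: dict, issuer: str, client_id: str, now: int, max_age: int = 300) -> dict:
    """Apply the logout token claim checks from Back-Channel Logout 1.0, section 2.6."""
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain this client")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + 60 or now - iat > max_age:
        raise ValueError("iat missing or outside the accepted window")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token needs sub or sid")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("events claim lacks the back-channel logout event")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in a logout token")
    return claims


def sessions_to_terminate(logout_claims: dict, sessions: list) -> list:
    """Match the logout token against stored ID token claims, by sid if given, else by sub."""
    matched = []
    for session in sessions:
        stored = session.get("id_token_claims") or {}
        if stored.get("iss") != logout_claims["iss"]:
            continue  # only sessions from the same issuer are in scope
        if "sid" in logout_claims:
            if stored.get("sid") == logout_claims["sid"]:
                matched.append(session["id"])
        elif stored.get("sub") == logout_claims.get("sub"):
            matched.append(session["id"])  # no sid: every session of that subject
    return matched


def handle_logout_token(token: str, key: bytes, issuer: str, client_id: str, now: int, sessions: list) -> list:
    """Full receiving path: verify signature, validate claims, return session ids to end."""
    claims = validate_logout_token(verify_hs256_jwt(token, key), issuer, client_id, now)
    return sessions_to_terminate(claims, sessions)


if __name__ == "__main__":
    token = make_hs256_jwt(
        {"iss": ISSUER, "aud": CLIENT_ID, "iat": NOW - 10, "jti": "j1",
         "sid": "sess-A", "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}, KEY)
    print(handle_logout_token(token, KEY, ISSUER, CLIENT_ID, NOW, SESSIONS))
```

A session whose stored claims are `None` (the pre-existing sessions the PR description says are not backfilled) can never match, which is exactly the retroactive gap the description mentions; a `jti` replay cache is left out here but is the one further check a production receiver should keep.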

@sandhose sandhose force-pushed the quenting/backchannel-logout/record-id-token-claims branch from e35cf0e to 8275fe9 Compare July 3, 2025 16:09
cloudflare-workers-and-pages bot commented Jul 3, 2025

Deploying matrix-authentication-service-docs with Cloudflare Pages

Latest commit: 3bc3db1
Status: ✅  Deploy successful!
Preview URL: https://c20be523.matrix-authentication-service-docs.pages.dev
Branch Preview URL: https://quenting-backchannel-logout.matrix-authentication-service-docs.pages.dev
@sandhose sandhose force-pushed the quenting/backchannel-logout/record-id-token-claims branch 2 times, most recently from 4aa593f to 0e5c964 Compare July 4, 2025 10:53
@sandhose sandhose changed the title WIP: backchannel logout Support receiving OpenID Connect Back-Channel Logout notifications Jul 4, 2025
@sandhose sandhose added A-Upstream-OAuth Related to login via upstream OAuth 2.0 providers T-Enhancement New feature of request labels Jul 4, 2025
@sandhose sandhose requested a review from reivilibre July 4, 2025 14:16
@sandhose sandhose marked this pull request as ready for review July 4, 2025 14:16
@sandhose sandhose marked this pull request as draft July 4, 2025 14:19
@sandhose sandhose force-pushed the quenting/backchannel-logout/record-id-token-claims branch from fa123aa to 3bc3db1 Compare July 4, 2025 14:27
@sandhose sandhose marked this pull request as ready for review July 4, 2025 14:27
@reivilibre reivilibre (Contributor) left a comment

The semantics/opinions on desirable behaviour themselves seem messy, but as an implementation of what it says it will implement, this seems correct and reasonable.

@sandhose sandhose merged commit 3688482 into main Jul 7, 2025
20 checks passed
@sandhose sandhose deleted the quenting/backchannel-logout/record-id-token-claims branch July 7, 2025 13:52
Development

Successfully merging this pull request may close these issues.

Support receiving backchannel logout notifications