Skip to content

Make back-channel logout work on existing sessions #4767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 10, 2025
Merged

Make back-channel logout work on existing sessions #4767

merged 3 commits into from
Jul 10, 2025

Conversation

sandhose
Copy link
Member

@sandhose sandhose commented Jul 9, 2025

This backfills the id_token_claims column in the upstream_oauth_authorization_sessions table by decoding the id_token in each row.

Because we're worried about rolling updates and rollbacks, it also adds a trigger that fills the id_token_claims column on the fly if it's not set. We should be able to drop this trigger in a later version of MAS.

@sandhose sandhose changed the base branch from main to release/v0.19 July 9, 2025 12:47
@sandhose sandhose requested a review from Copilot July 9, 2025 12:47
Copilot
Copilot AI reviewed Jul 9, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR ensures that the id_token_claims column on upstream_oauth_authorization_sessions is populated both retrospectively and going forward by decoding the JWT payload in id_token.

  • Introduces a PL/pgSQL function (fill_id_token_claims) and trigger (trg_fill_id_token_claims) to auto-fill claims on INSERT/UPDATE when missing.
  • Runs an UPDATE to backfill id_token_claims for existing sessions.
Comments suppressed due to low confidence (1)

crates/storage-pg/migrations/20250709142230_backfill_id_token_claims.sql:53

  • [nitpick] Consider adding automated tests (or a test harness) for this migration and trigger to verify that id_token_claims is correctly backfilled and populated on new/updated rows.
UPDATE upstream_oauth_authorization_sessions

@cloudflare-workers-and-pages Cloudflare Workers and Pages
Copy link

cloudflare-workers-and-pages bot commented Jul 9, 2025
edited
Loading

Deploying matrix-authentication-service-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: 620f214
Status: ✅  Deploy successful!
Preview URL: https://765cacc5.matrix-authentication-service-docs.pages.dev
Branch Preview URL: https://quenting-backfill-id-token-c.matrix-authentication-service-docs.pages.dev

View logs

@sandhose sandhose requested a review from reivilibre July 9, 2025 12:55
@sandhose sandhose merged commit de80063 into release/v0.19 Jul 10, 2025
15 checks passed
@sandhose sandhose deleted the quenting/backfill-id-token-claims branch July 10, 2025 15:14
@sandhose sandhose added the T-Task Refactoring, removal, replacement, enabling or disabling functionality, other engineering tasks. label Jul 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@reivilibre reivilibre reivilibre approved these changes

Assignees

No one assigned

Labels

T-Task Refactoring, removal, replacement, enabling or disabling functionality, other engineering tasks.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sandhose @reivilibre