Feature/logout (#149)

* Add end_session_endpoint to discovery

* Add post_logout_redirect_uri column migration

* Enable post-logout redirect URI registration

* Validate LogoutRequest

* Add sid to ID token

* Add RP associations

* logout handler

* Update conformance.sql

* Implement BCL requests


* curl version

* Simplify BCL handler

* Indicate BCL support in discovery

* cleanup

* Change custom scope 'attributes' key to 'claims'

* Cleanup and add incomplete tests

* tests

* wip: logout conformance tests

* logout conformance: add browser matcher

* conformance: add rp initiated logout tests

* conformance: add logout url

* Use logger service

* Add logout page template

* Add BCL URI to client

* Register logout URI

* Add useridattr to sub claim attribute list by default

* Show different message if logout was not performed

* Add new clients for RP-Initiated and Back-Channel logout tests

* Prevent logoutHnalder for Prompt and MaxAge rules

* Run logout handler only if logout is OIDC initiated

* Check for sub claim as user ID when creating RP associaton

* Clean it up

* Enable logout conformance tests in github actions

Co-authored-by: Marko Ivančić <[email protected]>

Author: cicnavi

.github/workflows/test.yaml

@@ -263,6 +263,12 @@ jobs:
       - name: Run Implicit conformance tests
         run: |
           ./conformance-suite/scripts/run-test-plan.py  --expected-failures-file ./main/conformance-tests/implicit-warnings.json --expected-skips-file ./main/conformance-tests/implicit-skips.json "oidcc-implicit-certification-test-plan[server_metadata=discovery][client_registration=static_client]" ./main/conformance-tests/conformance-implicit-ci.json
+      - name: Run RP logout
+        run: |
+          ./conformance-suite/scripts/run-test-plan.py   "oidcc-rp-initiated-logout-certification-test-plan[response_type=code][client_registration=static_client]"   ./main/conformance-tests/conformance-rp-initiated-logout-ci.json
+      - name: Run RP backchannel
+        run: |
+          ./conformance-suite/scripts/run-test-plan.py     "oidcc-backchannel-rp-initiated-logout-certification-test-plan[response_type=code][client_registration=static_client]" ./main/conformance-tests/conformance-back-channel-logout-ci.json
       - name: Stop SSP
         working-directory: ./main
         run: |

CONFORMANCE_TEST.md

@@ -54,6 +54,9 @@ To run basic profile test, launch this command in console inside `simplesamlphp-
 ```shell
 # Run run-test-plan.py script inside conformance-suite/scripts
 # Change the relative path to your conformance-suite installation
+# conformance-basic-ci.json contains clients, and browser interactions for automating various tests
+# Lines like "oidcc-implicit-certification-test-plan[server_metadata=discovery][client_registration=static_client]"
+#    indicate the conformance plan to run, and any variants (parameters) are passed in []
 
 OIDC_MODULE_FOLDER=.  # path to your checkout of the OIDC module
 # Basic profile
@@ -69,6 +72,15 @@ conformance-suite/scripts/run-test-plan.py \
   --expected-skips-file ${OIDC_MODULE_FOLDER}/conformance-tests/implicit-skips.json \
   "oidcc-implicit-certification-test-plan[server_metadata=discovery][client_registration=static_client]" \
   ${OIDC_MODULE_FOLDER}/conformance-tests/conformance-implicit-ci.json
+
+# RP Initiated back channel
+conformance-suite/scripts/run-test-plan.py \
+  "oidcc-backchannel-rp-initiated-logout-certification-test-plan[response_type=code][client_registration=static_client]" \
+  ${OIDC_MODULE_FOLDER}/conformance-tests/conformance-back-channel-logout-ci.json
+
+conformance-suite/scripts/run-test-plan.py \
+  "oidcc-rp-initiated-logout-certification-test-plan[response_type=code][client_registration=static_client]" \
+  ${OIDC_MODULE_FOLDER}/conformance-tests/conformance-rp-initiated-logout-ci.json
 ```
 
 

composer.json

@@ -18,24 +18,26 @@
     ],
     "require": {
         "php": ">=7.4",
+        "ext-curl": ">=7.4",
         "ext-json": "*",
         "ext-openssl": "*",
         "ext-pdo": "*",
+        "guzzlehttp/guzzle": "^7.0",
         "laminas/laminas-diactoros": "^2.2.1",
         "laminas/laminas-httphandlerrunner": "^1.1.0",
         "lcobucci/jwt": "^4.1",
         "league/oauth2-server": "^8.1.0",
         "nette/forms": "^2.4",
         "psr/container": "^1.0",
+        "psr/log": "^1.1",
         "simplesamlphp/composer-module-installer": "^1.0",
+        "spomky-labs/base64url": "^2.0",
         "steverhoades/oauth2-openid-connect-server": "^2.0",
-        "web-token/jwt-framework": "^2.1",
-        "spomky-labs/base64url": "^2.0"
+        "web-token/jwt-framework": "^2.1"
     },
     "require-dev": {
         "friendsofphp/php-cs-fixer": "^2.10",
         "friends-of-phpspec/phpspec-code-coverage": "^6.1",
-        "php-coveralls/php-coveralls": "^2.0",
         "phpspec/phpspec": "^7.1.0",
         "phpunit/php-code-coverage": "^9.0.0",
         "phpunit/phpcov": "^8.2.0",

config-templates/module_oidc.php

@@ -41,7 +41,9 @@
     // is not specified on particular client
     'auth' => 'default-sp',
 
-    // useridattr is the attribute-name that contains the userid as returned from idp
+    // useridattr is the attribute-name that contains the userid as returned from idp. By default, this attribute
+    // will be dynamically added to the 'sub' claim in the attribute-to-claim translation table (you will probably
+    // want to use this attribute as the 'sub' claim since it designates unique identifier for the user).
     'useridattr' => 'uid',
 
     /**
@@ -84,16 +86,13 @@
         // Add authproc filters here
     ],
 
-    // You can create as many scopes as you want and assign claims to them
+    // Optional custom scopes. You can create as many scopes as you want and assign claims to them.
     'scopes' => [
-        /*
-         * Optional. You can add more scopes.
-         */
-//        'private' => [
+//        'private' => [ // The key represents the scope name.
 //            'description' => 'private scope',
 //            'claim_name_prefix' => '', // Prefix to apply for all claim names from this scope
 //            'are_multiple_claim_values_allowed' => false, // Are claims for this scope allowed to have multiple values
-//            'attributes' => ['national_document_id'] // TODO refactor key 'attributes' to 'claims'
+//            'claims' => ['national_document_id'] // Claims from the translation table which this scope will contain
 //        ],
     ],
     'translate' => [
@@ -117,8 +116,13 @@
          * For convenience the default type is "string" so type does not need to be defined.
          * If "attributes" is not set, then it is assumed that the rest of the values are saml
          * attribute names.
+         *
+         * Note on 'sub' claim: by default, the list of attributes for 'sub' claim will also contain attribute defined
+         * in 'useridattr' setting. You will probably want to use this attribute as the 'sub' claim since it
+         * designates unique identifier for the user, However, override as necessary.
          */
 //        'sub' => [
+//            'attribute-defined-in-useridattr', // will be dynamically added if the list for 'sub' claim is not set.
 //            'eduPersonPrincipalName',
 //            'eduPersonTargetedID',
 //            'eduPersonUniqueId',