
Implement OIDC Front-Channel / Back-Channel Logout #5279

Open
1 task done
timhallmann opened this issue Oct 20, 2024 · 0 comments

timhallmann commented Oct 20, 2024

Describe the feature you'd like

BookStack should provide endpoints for Front-Channel and Back-Channel Logout. This would enable the OpenID Provider to request the termination of a specific session or all sessions associated with a user.

Describe the benefits this would bring to existing BookStack users

  • Users do not need to log out of multiple applications
  • Users may log out from other devices than the one they used to log in
  • Administrators may initiate a logout

Can the goal of this request already be achieved via other means?

No.

Have you searched for an existing open/closed issue?

  • I have searched for existing issues and none cover my fundamental request

How long have you been using BookStack?

Not using yet, just scoping

Additional context

Requires #5278 (OIDC session handling).

Prior discussion in #3715 (RP-Initiated Logout).

The necessary specs were finalized a while ago:

In terms of implementation, both Keycloak and Auth0 support Back-Channel Logout, although I've not looked into the extent of support from other OpenID Providers. Keycloak passes the OpenID Conformance tests for Front/Back-Channel Logout.

Plan to implement Front/Back-Channel Logout:

  • In routes / OidcController: Add an endpoint.
  • In OidcService: Validate and handle the request.
    • There doesn't seem to be a method to query all sessions (independent of storage method), so what's the best way to execute a logout for an entirely different session? Add the session ID to a blacklist and perform the actual logout in the middleware?

Alternatively, implement custom sessions.

Notes / Considerations:

  • Front/Back-Channel Logout must be explicitly configured at the OP, so there's no need to make this configurable in BookStack.
  • In order to receive logout requests, we need to keep the client's session at the OP alive, meaning we have to implement the session management described in Implement OIDC session handling #5278.
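The endpoint-plus-blacklist flow sketched in the plan above, as an added example that is not part of this issue or of BookStack's code: the endpoint validates a Back-Channel Logout token per the OIDC Back-Channel Logout 1.0 rules (issuer, audience, iat/exp/jti, sub or sid, the backchannel-logout event, and no nonce), records the session ID, and a per-request check completes the logout. The issuer, client_id, signing secret and token contents are constructed; HS256 is used only to keep the example offline, where a real OP would sign with asymmetric keys published via its JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed secret standing in for the OP's key (real OPs use JWKS keys); HS256 keeps it offline.
SECRET = b"constructed-demo-secret"
ISSUER = "https://op.example/realms/demo"   # assumed issuer
CLIENT_ID = "bookstack-demo"                # assumed client_id
EVENT = "http://schemas.openid.net/event/backchannel-logout"
REVOKED_SIDS = set()   # the blacklist from the plan; in-memory stand-in for a shared store

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_logout_token(claims):   # builds constructed sample input only
    header = _b64url(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_logout_token(token, now=None):
    """Applies the Back-Channel Logout 1.0 validation rules and returns the claims."""
    now = time.time() if now is None else now
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise ValueError("bad signature")
    c = json.loads(_b64url_decode(body))
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if c.get("iss") != ISSUER or CLIENT_ID not in aud:
        raise ValueError("iss/aud mismatch")
    if not all(k in c for k in ("iat", "exp", "jti")) or c["exp"] < now:
        raise ValueError("missing iat/exp/jti or token expired")
    if "sub" not in c and "sid" not in c:
        raise ValueError("logout token needs sub or sid")
    if EVENT not in c.get("events", {}):
        raise ValueError("missing backchannel-logout event")
    if "nonce" in c:   # spec forbids nonce so an ID Token cannot be replayed as a logout token
        raise ValueError("nonce present")
    return c

def handle_backchannel_logout(token, now=None):   # the endpoint: validate, then blacklist
    claims = validate_logout_token(token, now)
    if "sid" in claims:
        REVOKED_SIDS.add(claims["sid"])
    return claims.get("sid")

def session_is_revoked(sid):   # the middleware check that completes the logout
    return sid in REVOKED_SIDS
```

A production version would also track seen jti values to reject replayed tokens and handle sub-only tokens by ending every session for that user.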