This repository was archived by the owner on Apr 26, 2024. It is now read-only.

Support back-channel logouts from OIDC providers #11326

@sandhose

Description:

Right now, if a user logs out from their identity provider, they do not get logged out from their session in Synapse.
OIDC has two mechanisms to achieve that:

  • front-channel logouts, as defined here, which work by having the IdP display to the user an invisible iframe of the relying party; hence the name "front-channel": the communication between the IdP and Synapse would happen in the user's browser
  • back-channel logouts, as defined here, which work by sending a request from the IdP to the relying party; hence the name "back-channel": the communication between the IdP and Synapse would happen from server to server

Since we can do server-to-server requests between the IdP and Synapse, we should probably implement back-channel logouts.

When a logout happens, Synapse would get a JWT sent to an endpoint (e.g. /_synapse/client/oidc/backchannel-logout) signed by the IdP (we already have the keys discovered because we verify ID tokens signatures) with either the user ID (sub) or the session ID (sid).
Ideally, we would log out using the session ID, else we would not be able to distinguish what session to log out. It also involves saving that session ID when the login happens.

Things to do to make that happen:

  • the IdP indicates back-channel logout support via the backchannel_logout_supported metadata
  • Synapse indicates support for back-channel logout by filling the appropriate fields in the IdP (Keycloak has a Backchannel Logout URL field)
  • when logging in, we need to get the session ID from the ID token (should be the sid claim). We should probably attach the session ID to the device to avoid having to carry that whenever we refresh the token
  • when a request goes to /_synapse/client/oidc/backchannel-logout, Synapse should:
    • decode the JWT
    • get the issuer (iss claim) to find out what provider sent the request
    • validate the JWT signature with the keys we have for that provider
    • check a few claims in the JWT:
      • aud (audience) must match the client_id used by Synapse
      • iat (issued at) must not be in the future, nor too far in the past
      • events must be { "http://schemas.openid.net/event/backchannel-logout": {} }
      • jti (JWT token ID) should be saved to prevent token replay. We might skip that for performance reasons
    • get the session ID from the sid claim
    • find the device associated with this session ID in DB, and log out that device
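As an added illustration of the verification steps listed above (example code, not Synapse's own implementation), the following verifier applies each claim check in turn and tracks `jti` for replay. It assumes an HS256 shared secret per issuer in place of the IdP's asymmetric keys from the discovery document, and the `make_logout_token` helper stands in for the IdP so the example runs offline; all provider names and values are constructed.

```python
import base64, hashlib, hmac, json, time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_logout_token(claims: dict, secret: bytes) -> str:
    # Stand-in for the IdP: HS256 with a shared secret (a real IdP signs with
    # the asymmetric keys published in its discovery document).
    parts = [_b64url_encode(json.dumps(p).encode()) for p in ({"alg": "HS256"}, claims)]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])

class BackchannelLogoutVerifier:
    def __init__(self, providers: dict, max_age: int = 300, now=time.time):
        self._providers = providers  # issuer -> {"client_id": ..., "secret": ...}
        self._max_age, self._now, self._seen_jti = max_age, now, set()

    def verify(self, token: str) -> tuple:
        """Return (issuer, sid) for a valid logout token; raise ValueError otherwise."""
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # never let the token pick the algorithm
        claims = json.loads(_b64url_decode(payload_b64))
        provider = self._providers.get(claims.get("iss"))  # iss selects the keys
        if provider is None:
            raise ValueError("unknown issuer")
        expected = hmac.new(provider["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        aud = claims.get("aud")  # a single string or a list, per RFC 7519
        if provider["client_id"] not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("aud does not match our client_id")
        iat, now = claims.get("iat"), self._now()
        if not isinstance(iat, int) or iat > now or now - iat > self._max_age:
            raise ValueError("iat in the future or too old")
        if claims.get("events") != {LOGOUT_EVENT: {}}:
            raise ValueError("not a back-channel logout event")
        jti = claims.get("jti")
        if jti is None or jti in self._seen_jti:
            raise ValueError("missing or replayed jti")
        if "sid" not in claims:
            raise ValueError("no sid: cannot tell which session to log out")
        self._seen_jti.add(jti)
        return claims["iss"], claims["sid"]
```

The returned `sid` is what the device lookup in the last step would key on.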

See PSE-127

Labels: T-Enhancement (New features, changes in functionality, improvements in performance, or user-facing enhancements.)