Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OIDC Back-Channel Logout #484

Merged
merged 2 commits into from
Sep 15, 2023
Merged

OIDC Back-Channel Logout #484

merged 2 commits into from
Sep 15, 2023

Conversation

adamjmcgrath
Copy link
Contributor

Description

Add support for OpenID Connect Back-Channel Logout https://openid.net/specs/openid-connect-backchannel-1_0.html

References

fixes #383

Testing

screencast.mp4

https://github.com/auth0-samples/auth0-express-webapp-sample/tree/backchannel-logout-demo/02-Back-Channel-Logout

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@adamjmcgrath adamjmcgrath requested a review from a team as a code owner September 11, 2023 16:28
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 11, 2023
View reviewed changes
examples/backchannel-logout-custom-genid.js
Comment on lines +54 to +60
app.get('/', async (req, res) => {
if (req.oidc.isAuthenticated()) {
res.send(`hello ${req.oidc.user.sub} <a href="/logout">logout</a>`);
} else {
res.send('<a href="/login">login</a>');
}
});

Check failure

Code scanning / CodeQL

Missing rate limiting

This route handler performs [authorization](1), but is not rate-limited.
examples/backchannel-logout.js
Comment on lines +21 to +27
app.get('/', async (req, res) => {
if (req.oidc.isAuthenticated()) {
res.send(`hello ${req.oidc.user.sub} <a href="/logout">logout</a>`);
} else {
res.send('<a href="/login">login</a>');
}
});

Check failure

Code scanning / CodeQL

Missing rate limiting

This route handler performs [authorization](1), but is not rate-limited.
examples/backchannel-logout-custom-query-store.js
Comment on lines +53 to +59
app.get('/', async (req, res) => {
if (req.oidc.isAuthenticated()) {
res.send(`hello ${req.oidc.user.sub} <a href="/logout">logout</a>`);
} else {
res.send('<a href="/login">login</a>');
}
});

Check failure

Code scanning / CodeQL

Missing rate limiting

This route handler performs [authorization](1), but is not rate-limited.
middleware/auth.js
Comment on lines +80 to +94
router.use(async (req, res, next) => {
if (!req.oidc.isAuthenticated()) {
next();
return;
}
try {
const loggedOut = await isLoggedOutFn(req, config);
if (loggedOut) {
req[config.session.name] = undefined;
}
next();
} catch (e) {
next(e);
}
});

Check failure

Code scanning / CodeQL

Missing rate limiting

This route handler performs [authorization](1), but is not rate-limited.
@adamjmcgrath adamjmcgrath force-pushed the back-channel-logout branch 2 times, most recently from 96f1226 to 86b21b2 Compare September 12, 2023 09:37
adamjmcgrath
adamjmcgrath commented Sep 12, 2023
View reviewed changes
lib/crypto.js
@@ -18,6 +18,7 @@ let encryption, signing;
* @see https://tools.ietf.org/html/rfc5869
*
*/
/* istanbul ignore else */
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't get hit since I upgraded the circleci Node image - will go back and setup the CI to run on multiple Node versions in another PR

adamjmcgrath
adamjmcgrath commented Sep 13, 2023
View reviewed changes
EXAMPLES.md Outdated Show resolved Hide resolved
@adamjmcgrath adamjmcgrath merged commit 864fb04 into master Sep 15, 2023
@adamjmcgrath adamjmcgrath deleted the back-channel-logout branch September 15, 2023 09:38
@adamjmcgrath adamjmcgrath mentioned this pull request Sep 15, 2023
Merged
@adamjmcgrath adamjmcgrath mentioned this pull request Dec 1, 2023
Merged
@Balaji-Balaraman Balaji-Balaraman mentioned this pull request Oct 6, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frederikprijck frederikprijck frederikprijck approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

backchannel logout token verification
2 participants
@adamjmcgrath @frederikprijck