feat(SDK-4733): Implement support for Back-Channel Logout (#167)

Author: evansims

config/definition.php

@@ -120,6 +120,12 @@
                     ->scalarNode('event_listener_provider')
                         ->defaultNull()
                         ->end()
+                    ->scalarNode('backchannel_logout_cache')
+                        ->defaultNull()
+                        ->end()
+                    ->integerNode('backchannel_logout_expires')
+                        ->defaultValue(2592000)
+                        ->end()
                 ->end()
             ->end() // sdk
             ->arrayNode('authenticator')

docs/BackchannelLogout.md

@@ -0,0 +1,14 @@
+# Backchannel Logout
+
+The Auth0 Symfony SDK supports [Backchannel Logout](https://auth0.com/docs/authenticate/login/logout/back-channel-logout) from v5.2 onward. To use this feature, some additional configuration is necessary:
+
+1. **Add a new route to your application.** This route must be publicly accessible. Auth0 will use it to send backchannel logout requests to your application. For example, from your `config/routes.yaml` file:
+
+```yaml
+backchannel: # Retrieve backchannel logout tokens from Auth0
+  path: /backckannel
+  controller: Auth0\Symfony\Controllers\BackchannelController::handle
+  methods: POST
+```
+
+2. **Configure your Auth0 tenant to use Backchannel Logout.** See the [Auth0 documentation](https://auth0.com/docs/authenticate/login/logout/back-channel-logout/configure-back-channel-logout) for more information on how to do this. Please ensure you point the Logout URI to the backchannel route we just added to your application.

example/config/packages/cache.yaml

@@ -20,3 +20,4 @@ framework:
     pools:
       auth0_token_cache: { adapter: cache.adapter.redis }
       auth0_management_token_cache: { adapter: cache.adapter.redis }
+      auth0_bachannel_logout_cache: { adapter: cache.adapter.redis }

src/Auth0Bundle.php

@@ -30,6 +30,9 @@ public function loadExtension(array $config, ContainerConfigurator $container, C
         $managementTokenCache = $config['sdk']['management_token_cache'] ?? 'cache.app';
         $managementTokenCache = new Reference($managementTokenCache);
 
+        $backchannelLogoutCache = $config['sdk']['backchannel_logout_cache'] ?? 'cache.app';
+        $backchannelLogoutCache = new Reference($backchannelLogoutCache);
+
         $transientStorage = new Reference($config['sdk']['transient_storage'] ?? 'auth0.store_transient');
         $sessionStorage = new Reference($config['sdk']['session_storage'] ?? 'auth0.store_session');
 
@@ -126,7 +129,9 @@ public function loadExtension(array $config, ContainerConfigurator $container, C
             ->arg('$queryUserInfo', false)
             ->arg('$managementToken', $config['sdk']['management_token'])
             ->arg('$managementTokenCache', $managementTokenCache)
-            ->arg('$eventListenerProvider', $eventListenerProvider);
+            ->arg('$eventListenerProvider', $eventListenerProvider)
+            ->arg('$backchannelLogoutCache', $backchannelLogoutCache)
+            ->arg('$backchannelLogoutExpires', $config['sdk']['backchannel_logout_expires']);
 
         $container->services()
             ->set('auth0', Service::class)

src/Controllers/BackchannelLogoutController.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Auth0\Symfony\Controllers;
+
+use Auth0\SDK\Auth0;
+use Auth0\Symfony\Contracts\Controllers\AuthenticationControllerInterface;
+use Auth0\Symfony\Security\Authenticator;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\{RedirectResponse, Request, Response};
+use Throwable;
+
+use function is_string;
+
+final class BackchannelLogoutController extends AbstractController implements AuthenticationControllerInterface
+{
+    public function __construct(
+        private Authenticator $authenticator,
+    ) {
+    }
+
+    public function handle(Request $request): Response
+    {
+        if ('POST' !== $request->getMethod()) {
+            return new Response('', Response::HTTP_METHOD_NOT_ALLOWED);
+        }
+
+        $logoutToken = $request->get('logout_token');
+
+        if (! is_string($logoutToken)) {
+            return new Response('', Response::HTTP_BAD_REQUEST);
+        }
+
+        $logoutToken = trim($logoutToken);
+
+        if ('' === $logoutToken) {
+            return new Response('', Response::HTTP_BAD_REQUEST);
+        }
+
+        try {
+            $this->getSdk()->handleBackchannelLogout($logoutToken);
+        } catch (Throwable $throwable) {
+            return new Response($throwable->getMessage(), Response::HTTP_BAD_REQUEST);
+        }
+
+        return new Response('', Response::HTTP_OK);
+    }
+
+    private function getSdk(): Auth0
+    {
+        return $this->authenticator->service->getSdk();
+    }
+}