Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Support OIDC backchannel logouts #11414

Merged
merged 20 commits into from
Oct 31, 2022
Merged

Support OIDC backchannel logouts #11414

Changes from 1 commit
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
49fe26e
Support back-channel logouts from OIDC providers
sandhose Sep 16, 2022
a0bb53d
Apply suggestions from code review
sandhose Dec 7, 2021
a5d74fa
Validate `exp` and `nbf` claims in logout tokens if present
sandhose Dec 7, 2021
51f3cd8
Docstrings on issuer/client_id properties
sandhose Dec 7, 2021
1fd3658
Misc changes
sandhose Sep 16, 2022
17580ae
Check the `sub` claim when receiving a logout token
sandhose Sep 21, 2022
42df126
Revoke in-flight logins
sandhose Oct 26, 2022
55076e1
Fix unit tests on old version of Twisted
sandhose Oct 26, 2022
eb7537a
Docs
sandhose Oct 26, 2022
d19bc83
Apply suggestions from code review
sandhose Oct 28, 2022
0f22917
Docs
sandhose Oct 28, 2022
99f58d0
Apply suggestions from code review
sandhose Oct 28, 2022
48777f3
Refactor OIDC backchannel logout test config
sandhose Oct 31, 2022
e3c2db6
Move the `is_access_token_valid` method to the `RestHelper`
sandhose Oct 31, 2022
9cc5d40
Clarification around logout token verification
sandhose Oct 31, 2022
c0b4986
Clarify the string split while manually parsing the JWT
sandhose Oct 31, 2022
6deef8d
Move the IDP session revocation logic to the SSO handler
sandhose Oct 31, 2022
e0748f6
Use the issuer from the metadata, not the config when verifying logou…
sandhose Oct 31, 2022
626d778
Merge branch 'develop' into sandhose/oidc-logout
sandhose Oct 31, 2022
8d32796
Fix remaining issues raised in code review
sandhose Oct 31, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Fix remaining issues raised in code review
  • Loading branch information
@sandhose
sandhose committed Oct 31, 2022
commit 8d3279662747e361429334e66f683d68f14e2c73
15 changes: 10 additions & 5 deletions synapse/handlers/oidc.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -292,10 +292,9 @@ async def handle_backchannel_logout(self, request: SynapseRequest) -> None:
# The aud and iss claims we care about are in the payload part, which
# is a JSON object.
try:
# By splitting a maximum of 3 times and destructuring the resulting array,
# we ensure that we have exactly 3 segments, while avoiding doing
# unnecessary splits.
_, payload, _ = logout_token.rsplit(".", 3)
# By destructuring the list after splitting, we ensure that we have
# exactly 3 segments
_, payload, _ = logout_token.split(".")
except ValueError:
raise SynapseError(400, "Invalid logout_token in request")

Expand Down Expand Up @@ -519,7 +518,7 @@ def _validate_metadata(self, m: OpenIDProviderMetadata) -> None:
try:
subject = self._user_mapping_provider.get_remote_user_id(user)
if subject != user["sub"]:
raise Exception()
raise ValueError("Unexpected subject")
except Exception:
clokep marked this conversation as resolved.
Show resolved Hide resolved
logger.warning(
f"OIDC Back-Channel Logout is enabled for issuer {self.issuer!r} "
Expand Down Expand Up @@ -1238,6 +1237,12 @@ async def handle_backchannel_logout(
logger.warning(
f"Received an OIDC Back-Channel Logout request from issuer {self.issuer!r} but it is disabled in config"
)

# TODO: this responds with a 400 status code, which is what the OIDC
# Back-Channel Logout spec expects, but spec also suggests answering with
# a JSON object, with the `error` and `error_description` fields set, which
# we are not doing here.
# See https://openid.net/specs/openid-connect-backchannel-1_0.html#BCResponse
raise SynapseError(
400, "OpenID Connect Back-Channel Logout is disabled for this provider"
)
Expand Down