refactor: Removed OpenID Connect Session Management

BREAKING CHANGE: OpenID Connect Session Management draft implementation was removed. This is due to front-channel becoming more and more unreliable due to browsers blocking third-party cookie access.
panva · Feb 18, 2021 · 224dd38 · 224dd38
1 parent feecb5e
commit 224dd38
Show file tree

Hide file tree

Showing 27 changed files with 17 additions and 857 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -93,7 +93,6 @@ jobs:
           - '{"plan":"oidcc-dynamic-certification-test-plan","response_type":"code id_token token","skip":"oidcc-server-rotate-keys"}'
           - '{"plan":"oidcc-backchannel-rp-initiated-logout-certification-test-plan","response_type":"code","client_registration":"dynamic_client"}'
           - '{"plan":"oidcc-rp-initiated-logout-certification-test-plan","response_type":"code","client_registration":"dynamic_client"}'
-          - '{"plan":"oidcc-session-management-certification-test-plan","response_type":"code","client_registration":"dynamic_client","skip":"oidcc-session-management-rp-initiated-logout"}'
           - '{"plan":"fapi-rw-id2-test-plan","configuration":"./certification/fapi/pkjwt.json","client_auth_type":"private_key_jwt","fapi_profile":"plain_fapi","fapi_response_mode":"plain_response"}'
           - '{"plan":"fapi-rw-id2-test-plan","configuration":"./certification/fapi/pkjwt.json","client_auth_type":"private_key_jwt","fapi_profile":"plain_fapi","fapi_response_mode":"jarm"}'
           - '{"plan":"fapi-rw-id2-test-plan","configuration":"./certification/fapi/mtls.json","client_auth_type":"mtls","fapi_profile":"plain_fapi","fapi_response_mode":"plain_response"}'

diff --git a/certification/configuration.js b/certification/configuration.js
@@ -94,7 +94,6 @@ module.exports = {
       mode: 'strict',
     },
     revocation: { enabled: true },
-    sessionManagement: { enabled: true },
   },
   jwks: {
     keys: [

diff --git a/docs/README.md b/docs/README.md
@@ -1675,7 +1675,7 @@ _**default value**_:
 
 #### logoutSource
 
-HTML source rendered when session management feature renders a confirmation prompt for the User-Agent.  
+HTML source rendered when RP-Initiated Logout renders a confirmation prompt for the User-Agent.  
 
 
 _**default value**_:
@@ -1703,7 +1703,7 @@ async function logoutSource(ctx, form) {
 
 #### postLogoutSuccessSource
 
-HTML source rendered when session management feature concludes a logout but there was no `post_logout_redirect_uri` provided by the client.  
+HTML source rendered when RP-Initiated Logout concludes a logout but there was no `post_logout_redirect_uri` provided by the client.  
 
 
 _**default value**_:
@@ -1731,40 +1731,6 @@ async function postLogoutSuccessSource(ctx) {
 
 </details>
 
-### features.sessionManagement
-
-[Session Management 1.0 - draft 30](https://openid.net/specs/openid-connect-session-1_0-30.html)  
-
-Enables Session Management features.   
- Note: Browsers blocking access to cookies from a third party context hinder the reliability of this standard.  
-
-
-_**default value**_:
-```js
-{
-  ack: undefined,
-  enabled: false,
-  keepHeaders: false
-}
-```
-
-<details><summary>(Click to expand) features.sessionManagement options details</summary><br>
-
-
-#### keepHeaders
-
-Enables/Disables removing frame-ancestors from Content-Security-Policy and X-Frame-Options headers.  
-
-_**recommendation**_: Only enable this if you know what you're doing either in a followup middleware or your app server, otherwise you shouldn't have the need to touch this option.  
-
-
-_**default value**_:
-```js
-false
-```
-
-</details>
-
 ### features.userinfo
 
 [Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) - UserInfo Endpoint  
@@ -2002,8 +1968,7 @@ _**default value**_:
 {
   interaction: '_interaction',
   resume: '_interaction_resume',
-  session: '_session',
-  state: '_state'
+  session: '_session'
 }
 ```
 
@@ -2871,7 +2836,6 @@ _**default value**_:
 ```js
 {
   authorization: '/auth',
-  check_session: '/session/check',
   code_verification: '/device',
   device_authorization: '/device/auth',
   end_session: '/session/end',

diff --git a/lib/actions/authorization/respond.js b/lib/actions/authorization/respond.js
@@ -1,5 +1,4 @@
 const instance = require('../../helpers/weak_cache');
-const processSessionState = require('../../helpers/process_session_state');
 
 /*
  * Based on the authorization request response mode either redirects with parameters in query or
@@ -19,10 +18,6 @@ module.exports = async function respond(ctx, next) {
     out.state = params.state;
   }
 
-  if (instance(ctx.oidc.provider).configuration('features.sessionManagement.enabled')) {
-    out.session_state = processSessionState(ctx, params.redirect_uri);
-  }
-
   if (instance(ctx.oidc.provider).configuration('features.issAuthResp.enabled')) {
     out.iss = ctx.oidc.provider.issuer;
   }

diff --git a/lib/actions/check_session.js b/lib/actions/check_session.js
diff --git a/lib/actions/discovery.js b/lib/actions/discovery.js
@@ -15,7 +15,6 @@ module.exports = function discovery(ctx, next) {
     claims_supported: [...config.claimsSupported],
     code_challenge_methods_supported: config.pkce.methods,
     end_session_endpoint: features.rpInitiatedLogout.enabled ? ctx.oidc.urlFor('end_session') : undefined,
-    check_session_iframe: features.sessionManagement.enabled ? ctx.oidc.urlFor('check_session') : undefined,
     grant_types_supported: [...config.grantTypes],
     id_token_signing_alg_values_supported: config.idTokenSigningAlgValues,
     issuer: ctx.oidc.issuer,

diff --git a/lib/actions/end_session.js b/lib/actions/end_session.js
@@ -124,7 +124,7 @@ module.exports = {
       const { state } = session;
 
       const {
-        features: { backchannelLogout, sessionManagement },
+        features: { backchannelLogout },
         cookies: { long: opts },
       } = instance(ctx.oidc.provider).configuration();
 
@@ -176,25 +176,6 @@ module.exports = {
 
         await session.destroy();
 
-        if (sessionManagement.enabled) {
-          // get all cookies matching _state.[clientId](.sig) and drop them
-          const STATES = new RegExp(`${ctx.oidc.provider.cookieName('state')}\\.[^=]+=`, 'g');
-          const cookieNames = ctx.get('cookie').match(STATES);
-          if (cookieNames) {
-            cookieNames.forEach((val) => {
-              const name = val.slice(0, -1);
-              if (!name.endsWith('.legacy')) {
-                ssHandler.set(
-                  ctx.oidc.cookies,
-                  name,
-                  null,
-                  opts,
-                );
-              }
-            });
-          }
-        }
-
         ssHandler.set(
           ctx.oidc.cookies,
           ctx.oidc.provider.cookieName('session'),
@@ -212,14 +193,6 @@ module.exports = {
         if (session.authorizations) {
           delete session.authorizations[state.clientId];
         }
-        if (sessionManagement.enabled) {
-          ssHandler.set(
-            ctx.oidc.cookies,
-            `${ctx.oidc.provider.cookieName('state')}.${state.clientId}`,
-            null,
-            opts,
-          );
-        }
         session.resetIdentifier();
       }
 

diff --git a/lib/actions/index.js b/lib/actions/index.js
@@ -6,7 +6,6 @@ const registration = require('./registration');
 const getRevocation = require('./revocation');
 const getIntrospection = require('./introspection');
 const discovery = require('./discovery');
-const checkSession = require('./check_session');
 const endSession = require('./end_session');
 const codeVerification = require('./code_verification');
 
@@ -19,7 +18,6 @@ module.exports = {
   getRevocation,
   getIntrospection,
   discovery,
-  checkSession,
   endSession,
   codeVerification,
 };