Implement OIDC back-channel-logout

linagora / twake-drive

The open-source alternative to Google Drive.

GNU Affero General Public License v3.0

46 stars 14 forks source link

Implement OIDC back-channel-logout #509

Closed guimard closed 1 month ago

guimard commented 2 months ago

As describe in TWP linagora/twake-workplace-private#99, we want to have logout. The only unbuggy way to do it is to use OIDC Back Channel Logout like Twake-Mail and Twake-Chat.

Please implement it _(with backchannel_logout_session_required, to avoid deleting all sessions)_.

shepilov commented 2 months ago

[ ] Implements session storage with sub/sid
[ ] Add sid to the Twake Drive access token
[ ] Validate sid on every Twake Drive request
[ ] Implement backchannel logout URI with logout token validation

shepilov commented 2 months ago

@guimard logout URL should be with POST like this?

/backchannel_logout HTTP/1.1 Host: rp.example.org Content-Type: application/x-www-form-urlencoded logout_token=eyJhbGci...

guimard commented 2 months ago

@guimard logout URL should be with POST like this?

/backchannel_logout HTTP/1.1 Host: rp.example.org Content-Type: application/x-www-form-urlencoded logout_token=eyJhbGci...

Yes this is exactly what OP does

guimard commented 1 month ago

Hi @shepilov, could you give me the URL to set in LLNG conf ?

shepilov commented 1 month ago

@guimard https://drive.stg.lin-saas.com/internal/services/console/v1/backchannel_logout I've just deployed it on the staging

guimard commented 1 month ago

Configuration updated, let's test. Note that it may fail until @rezk2ll study the new flow