owncloud / oauth2

🔐 Application for using OAuth 2.0 in ownCloud
GNU Affero General Public License v3.0

[WIP] Add option to invalidate tokens on user logout #335

Open JammingBen opened 2 years ago

JammingBen commented 2 years ago

The idea is to have a setting per client that determines if all tokens for this client (and user) should be removed on user logout. Hence we implemented a new flag invalidateOnLogout that can be set per client. Then we hook onto the logout event and simply remove all the tokens for this user which are connected to a client that has invalidateOnLogout set to true.

Motivation/Context

Let's say you have Web running via oauth and log out of oC10. Currently, you will still be logged in in Web because the tokens are not being invalidated.

Fixes https://github.com/owncloud/web/issues/7018
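A plain-PHP model of the flag-and-hook design described in this PR, added here as an example. It is not the oauth2 app's own code and uses none of ownCloud's event or database mapper APIs; the class names (Client, Token, TokenStore, LogoutHandler), the in-memory store and the sample users and tokens are assumptions constructed for the illustration. It assumes PHP 8.1 or newer for readonly promoted properties.

```php
<?php
declare(strict_types=1);

// Added example: a plain-PHP model of the per-client invalidateOnLogout flag
// and the logout hook. Not the oauth2 app's own code; names are assumptions
// and the in-memory store stands in for the app's database mappers.

final class Client
{
    public function __construct(
        public readonly string $id,
        public readonly bool $invalidateOnLogout,
    ) {
    }
}

final class Token
{
    public function __construct(
        public readonly string $value,
        public readonly string $userId,
        public readonly string $clientId,
    ) {
    }
}

final class TokenStore
{
    /** @var array<string, Token> keyed by token value */
    private array $tokens = [];

    public function add(Token $token): void
    {
        $this->tokens[$token->value] = $token;
    }

    public function isValid(string $value): bool
    {
        return isset($this->tokens[$value]);
    }

    /** Remove every token of $userId issued to $clientId; returns the number removed. */
    public function deleteByUserAndClient(string $userId, string $clientId): int
    {
        $removed = 0;
        // foreach iterates over a copy of the array, so unset() inside is safe.
        foreach ($this->tokens as $value => $token) {
            if ($token->userId === $userId && $token->clientId === $clientId) {
                unset($this->tokens[$value]);
                $removed++;
            }
        }
        return $removed;
    }
}

final class LogoutHandler
{
    /** @param Client[] $clients all registered clients */
    public function __construct(private TokenStore $store, private array $clients)
    {
    }

    /**
     * Called from the logout hook. Only clients flagged invalidateOnLogout lose
     * the user's tokens; every other client keeps its session. The delete is
     * idempotent, so a hook that fires more than once does no harm beyond
     * wasted work (it does not, however, explain why the hook fires repeatedly).
     */
    public function onLogout(string $userId): int
    {
        $removed = 0;
        foreach ($this->clients as $client) {
            if ($client->invalidateOnLogout) {
                $removed += $this->store->deleteByUserAndClient($userId, $client->id);
            }
        }
        return $removed;
    }
}

// Constructed sample data: Web should be logged out together with oC10,
// the desktop client should keep its tokens.
$clients = [
    new Client('web', true),
    new Client('desktop', false),
];
$store = new TokenStore();
$store->add(new Token('tok-alice-web', 'alice', 'web'));
$store->add(new Token('tok-alice-desktop', 'alice', 'desktop'));
$store->add(new Token('tok-bob-web', 'bob', 'web'));

$handler = new LogoutHandler($store, $clients);
printf("removed on alice logout: %d\n", $handler->onLogout('alice'));
var_dump($store->isValid('tok-alice-web'));
var_dump($store->isValid('tok-alice-desktop'));
var_dump($store->isValid('tok-bob-web'));
printf("removed on repeated hook: %d\n", $handler->onLogout('alice'));
```

Run with `php`: alice's logout removes exactly her Web token, leaves her desktop token and bob's Web token untouched, and a second call of the handler removes nothing. Keeping the removal idempotent is the defensive property worth preserving in the real implementation, because an unexpectedly repeated logout hook must never touch tokens of other users or of clients whose flag is off.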

CLAassistant commented 2 years ago

CLA assistant check
All committers have signed the CLA.

JammingBen commented 2 years ago

I'm having problems with the approach because the logout hook is basically fired all the time when using a client. E.g. when using Web, the hook gets called multiple times when authorizing the first time. Then, when navigating in Web, each action calls the logout again. I traced this down to some legacy code; unfortunately, this is where my oC10/auth knowledge ends.

@DeepDiver1975 Maybe you have a clue on what's going on here or a different idea to approach this issue?

DeepDiver1975 commented 2 years ago

What about adding a logout route to the oauth app?

JammingBen commented 2 years ago

Not sure if I understand correctly, but such a route already exists: https://github.com/owncloud/oauth2/blob/master/lib/Controller/PageController.php#L338. The problem still persists: when do we call/redirect to this route? It would need to be called from core, which is a dependency to the oauth2 app that we don't want, I assume.

DeepDiver1975 commented 2 years ago

Logout needs to invalidate the access token .... .... Not too deep into the code base .... 🤷

DeepDiver1975 commented 2 years ago

Let me explain more into depth:

overview over openid logout mechanisms: https://curity.io/resources/learn/openid-connect-logout/

which to choose is a task on its own ..... finally we don't want to reimplement a full openid idp in the oauth2 app .... there has ever since been the idea to fully go into the direction of openid and abandon oauth ........

pascuflow commented 2 years ago

> Not sure if I understand correctly, but such a route already exists: https://github.com/owncloud/oauth2/blob/master/lib/Controller/PageController.php#L338. The problem still persists: when do we call/redirect to this route? It would need to be called from core, which is a dependency to the oauth2 app that we don't want, I assume.

How could one call this route with curl or Postman? Would it log the user out? This seems like an urgent need while the fancy config option and openid logout mechanisms are fleshed out; some of us need a quick programmatic way, otherwise Web is completely broken.