
Support OIDC RP-initiated logout #30072

Status: Open. jlehtoranta wants to merge 20 commits into base branch main.

Conversation

jlehtoranta

Add support for OIDC RP-initiated logout as defined in https://openid.net/specs/openid-connect-rpinitiated-1_0.html:

  • Track OIDC/OAuth2 login type, tokens and authentication data on session level
  • Keep session level data synced when using a login cookie (remember option)
  • Handle OIDC/OAuth2 logouts on an authentication source specific endpoint
  • Redirect to the OIDC end_session_endpoint, if it exists in the provider configuration
  • Fall back to local logout only
  • Be verbose about external logout errors
  • Use a callback endpoint for maintaining state between Gitea and an OIDC provider

Fixes #14270


Additional notes:

  • Tested with Keycloak (OIDC) and GitHub (OAuth2). Thorough testing with other IdPs and server setups is needed
  • There are most likely some (small) merge conflicts with Support SAML authentication #29403 as these PRs modify partly the same code
  • An additional PR is required for supporting OIDC back-channel (or front-channel) logout. I.e. your session in Gitea will still remain logged in if you log out from your IdP elsewhere
  • Tracking external logins on session level by using ExternalAuthTokens makes it easier to implement OIDC back-channel or front-channel logout support in the future

Signed-off-by: Jarkko Lehtoranta <jarkko@bytecap.fi>
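As an added illustration of the flow the PR describes (example code written for this page, not code from the PR or from Gitea), the Go snippet below builds the RP-initiated logout redirect from an OP discovery document, falls back to a local-only logout when no end_session_endpoint is advertised, and checks the state echoed back on the callback. The host names, the callback path and the discovery JSON are constructed assumptions.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

type providerConfig struct { // the one discovery-document field this example needs
	EndSessionEndpoint string `json:"end_session_endpoint"`
}

// ErrNoEndSession: the OP advertises no end_session_endpoint, so only a local logout is possible.
var ErrNoEndSession = errors.New("no end_session_endpoint in provider configuration: local logout only")

// BuildLogoutURL builds the RP-initiated logout redirect: id_token_hint names the session being
// ended, post_logout_redirect_uri is the RP callback and state ties the callback to this session.
func BuildLogoutURL(discovery []byte, idToken, callback, state string) (string, error) {
	var cfg providerConfig
	if err := json.Unmarshal(discovery, &cfg); err != nil {
		return "", err
	}
	if cfg.EndSessionEndpoint == "" {
		return "", ErrNoEndSession // caller performs the local-only logout
	}
	u, err := url.Parse(cfg.EndSessionEndpoint)
	if err != nil || u.Scheme != "https" {
		return "", errors.New("end_session_endpoint must be an https URL")
	}
	q := u.Query()
	q.Set("id_token_hint", idToken)
	q.Set("post_logout_redirect_uri", callback)
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// VerifyCallbackState checks the state echoed back by the OP against the value stored in
// the session; an empty stored value (no logout in progress) never matches.
func VerifyCallbackState(stored, received string) bool {
	return stored != "" && subtle.ConstantTimeCompare([]byte(stored), []byte(received)) == 1
}

func main() {
	// Constructed discovery document with a hypothetical host, shaped like /.well-known/openid-configuration.
	disc := []byte(`{"end_session_endpoint":"https://idp.example/protocol/openid-connect/logout"}`)
	fmt.Println(BuildLogoutURL(disc, "<id_token>", "https://gitea.example/user/logout/callback", "opaque-state"))
}
```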
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 25, 2024
@pull-request-size pull-request-size bot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Mar 25, 2024
@github-actions github-actions bot added modifies/go Pull requests that update Go code modifies/migrations labels Mar 25, 2024
@lunny lunny added the type/feature Completely new functionality. Can only be merged if feature freeze is not active. label Apr 10, 2024
lunny (Member) commented Apr 10, 2024

Since it's a big change for the user system, I think we need more time to discuss and have a whole design about the user system.

Successfully merging this pull request may close these issues: Logging out of OpenID Connect provider