Add OIDC backchannel logout (#4513)

nono · web-flow · commit 4db14ec44d68 · 2025-02-26T18:11:02.000+01:00
diff --git a/docs/delegated-auth.md b/docs/delegated-auth.md
@@ -177,6 +177,24 @@ Set-Cookie: ...
 Location: https://name00001-home.mycozy.cloud/
 ```
 
+#### POST /oidc/:context/logout
+
+This route implements the OpenID Connect Back-Channel Logout. It means that the
+SSO can call this endpoint to logout the user.
+
+```http
+POST /oidc/a-context/logout HTTP/1.1
+Host: name00001.mycozy.cloud
+Content-Type: application/x-www-form-urlencoded
+
+logout_token=eyJhbGci ... .eyJpc3Mi ... .T3BlbklE ...
+```
+
+```http
+HTTP/1.1 200 OK
+Cache-Control: no-store
+```
+
 #### POST /oidc/access_token
 
 This additional route can be used by an OAuth client (like a mobile app) when
diff --git a/model/session/session.go b/model/session/session.go
@@ -41,6 +41,7 @@ type Session struct {
 	LastSeen  time.Time `json:"last_seen"`
 	LongRun   bool      `json:"long_run"`
 	ShortRun  bool      `json:"short_run"`
+	SID       string    `json:"sid,omitempty"` // only present with OIDC
 }
 
 // DocType implements couchdb.Doc
@@ -101,14 +102,15 @@ func (s *Session) OlderThan(t time.Duration) bool {
 }
 
 // New creates a session in couchdb for the given instance
-func New(i *instance.Instance, duration Duration) (*Session, error) {
+func New(i *instance.Instance, duration Duration, sid string) (*Session, error) {
 	now := time.Now()
 	s := &Session{
 		instance:  i,
 		LastSeen:  now,
 		CreatedAt: now,
 		ShortRun:  duration == ShortRun,
 		LongRun:   duration == LongRun,
+		SID:       sid,
 	}
 	if err := couchdb.CreateDoc(i, s); err != nil {
 		return nil, err
@@ -302,6 +304,21 @@ func DeleteOthers(i *instance.Instance, selfSessionID string) error {
 	return nil
 }
 
+// DeleteBySID is used for the OIDC back-channel logout. It deletes the sessions
+// for the current device of the user.
+func DeleteBySID(inst *instance.Instance, sid string) error {
+	return couchdb.ForeachDocs(inst, consts.Sessions, func(_ string, data json.RawMessage) error {
+		var s Session
+		if err := json.Unmarshal(data, &s); err != nil {
+			return err
+		}
+		if s.SID == sid {
+			s.Delete(inst)
+		}
+		return nil
+	})
+}
+
 // cookieSessionMACConfig returns the options to authenticate the session
 // cookie.
 //
diff --git a/pkg/couchdb/index.go b/pkg/couchdb/index.go
@@ -317,6 +317,7 @@ func IndexesByDoctype(doctype string) []*mango.Index {
 // properly.
 var globalIndexes = []*mango.Index{
 	mango.MakeIndex(consts.Exports, "by-domain", mango.IndexDef{Fields: []string{"domain", "created_at"}}),
+	mango.MakeIndex(consts.Instances, "by-oidcid", mango.IndexDef{Fields: []string{"oidc_id"}}),
 }
 
 // secretIndexes is the index list required on the secret databases to run
diff --git a/web/accounts/oauth.go b/web/accounts/oauth.go
@@ -344,7 +344,7 @@ func checkLogin(next echo.HandlerFunc) echo.HandlerFunc {
 		}
 
 		if !wasLoggedIn {
-			sessionID, err := auth.SetCookieForNewSession(c, session.ShortRun)
+			sessionID, err := auth.SetCookieForNewSession(c, session.ShortRun, "")
 			req := c.Request()
 			if err == nil {
 				if err = session.StoreNewLoginEntry(inst, sessionID, "", req, "session_code", false); err != nil {
diff --git a/web/accounts/oauth_test.go b/web/accounts/oauth_test.go
@@ -37,7 +37,7 @@ func TestOauth(t *testing.T) {
 	setup := testutils.NewSetup(t, t.Name())
 	ts := setup.GetTestServer("/accounts", Routes, func(r *echo.Echo) *echo.Echo {
 		r.POST("/login", func(c echo.Context) error {
-			sess, _ := session.New(testInstance, session.LongRun)
+			sess, _ := session.New(testInstance, session.LongRun, "")
 			cookie, _ := sess.ToCookie()
 			t.Logf("cookie: %q", cookie)
 			c.SetCookie(cookie)
diff --git a/web/apps/apps.go b/web/apps/apps.go
@@ -797,7 +797,7 @@ func openWebapp(c echo.Context) error {
 		cookie.HttpOnly = true
 		cookie.SameSite = http.SameSiteLaxMode
 	} else {
-		sess, err = session.New(inst, session.NormalRun)
+		sess, err = session.New(inst, session.NormalRun, "")
 		if err != nil {
 			return wrapAppsError(err)
 		}
diff --git a/web/apps/apps_test.go b/web/apps/apps_test.go
@@ -92,7 +92,7 @@ func TestApps(t *testing.T) {
 
 	ts := setup.GetTestServer("/apps", webApps.WebappsRoutes, func(r *echo.Echo) *echo.Echo {
 		r.POST("/login", func(c echo.Context) error {
-			sess, _ := session.New(testInstance, session.LongRun)
+			sess, _ := session.New(testInstance, session.LongRun, "")
 			cookie, _ := sess.ToCookie()
 			c.SetCookie(cookie)
 			return c.HTML(http.StatusOK, "OK")
diff --git a/web/apps/serve.go b/web/apps/serve.go
@@ -162,7 +162,7 @@ func ServeAppFile(c echo.Context, i *instance.Instance, fs appfs.FileServer, web
 		// reused, even if the user is already logged in and we don't want to
 		// create a new session
 		if checked := i.CheckAndClearSessionCode(code); checked && !isLoggedIn {
-			sessionID, err := auth.SetCookieForNewSession(c, session.NormalRun)
+			sessionID, err := auth.SetCookieForNewSession(c, session.NormalRun, "")
 			req := c.Request()
 			if err == nil {
 				if err = session.StoreNewLoginEntry(i, sessionID, "", req, "session_code", false); err != nil {
diff --git a/web/auth/auth.go b/web/auth/auth.go
@@ -100,9 +100,9 @@ func Home(c echo.Context) error {
 }
 
 // SetCookieForNewSession creates a new session and sets the cookie on echo context
-func SetCookieForNewSession(c echo.Context, duration session.Duration) (string, error) {
+func SetCookieForNewSession(c echo.Context, duration session.Duration, sid string) (string, error) {
 	instance := middlewares.GetInstance(c)
-	session, err := session.New(instance, duration)
+	session, err := session.New(instance, duration, sid)
 	if err != nil {
 		return "", err
 	}
@@ -255,7 +255,7 @@ func loginForm(c echo.Context) error {
 		if err != nil {
 			instance.Logger().Warnf("Delegated token check failed: %s", err)
 		} else {
-			sessionID, err := SetCookieForNewSession(c, session.NormalRun)
+			sessionID, err := SetCookieForNewSession(c, session.NormalRun, "")
 			if err != nil {
 				return err
 			}
@@ -284,7 +284,7 @@ func newSession(c echo.Context, inst *instance.Instance, redirect *url.URL, dura
 		duration = session.ShortRun
 	}
 
-	sessionID, err := SetCookieForNewSession(c, duration)
+	sessionID, err := SetCookieForNewSession(c, duration, "")
 	if err != nil {
 		return err
 	}
diff --git a/web/auth/oauth.go b/web/auth/oauth.go
@@ -182,7 +182,7 @@ func (a *AuthorizeHTTPHandler) authorizeForm(c echo.Context) error {
 		// reused, even if the user is already logged in and we don't want to
 		// create a new session
 		if checked := inst.CheckAndClearSessionCode(code); checked && !isLoggedIn {
-			sessionID, err := SetCookieForNewSession(c, session.ShortRun)
+			sessionID, err := SetCookieForNewSession(c, session.ShortRun, "")
 			req := c.Request()
 			if err == nil {
 				if err = session.StoreNewLoginEntry(inst, sessionID, "", req, "session_code", false); err != nil {
diff --git a/web/oidc/oidc.go b/web/oidc/oidc.go
@@ -23,8 +23,10 @@ import (
 	"github.com/cozy/cozy-stack/pkg/config/config"
 	"github.com/cozy/cozy-stack/pkg/consts"
 	"github.com/cozy/cozy-stack/pkg/couchdb"
+	"github.com/cozy/cozy-stack/pkg/couchdb/mango"
 	"github.com/cozy/cozy-stack/pkg/limits"
 	"github.com/cozy/cozy-stack/pkg/logger"
+	"github.com/cozy/cozy-stack/pkg/prefixer"
 	"github.com/cozy/cozy-stack/web/auth"
 	"github.com/cozy/cozy-stack/web/middlewares"
 	"github.com/cozy/cozy-stack/web/statik"
@@ -147,12 +149,13 @@ func Login(c echo.Context) error {
 		return renderError(c, nil, http.StatusNotFound, "Sorry, the session has expired.")
 	}
 
+	var token string
 	if idToken != "" && conf.IDTokenKeyURL != "" {
 		if err := checkIDToken(conf, inst, idToken); err != nil {
 			return renderError(c, inst, http.StatusBadRequest, err.Error())
 		}
+		token = idToken
 	} else {
-		var token string
 		if conf.AllowOAuthToken {
 			token = c.QueryParam("access_token")
 		}
@@ -186,7 +189,10 @@ func Login(c echo.Context) error {
 		}
 	}
 
-	return createSessionAndRedirect(c, inst, redirect, confirm)
+	claims := jwt.MapClaims{}
+	_, _, _ = jwt.NewParser().ParseUnverified(token, claims)
+	sid, _ := claims["sid"].(string)
+	return createSessionAndRedirect(c, inst, redirect, confirm, sid)
 }
 
 func TwoFactor(c echo.Context) error {
@@ -205,7 +211,7 @@ func TwoFactor(c echo.Context) error {
 	}
 
 	if inst.ValidateTwoFactorTrustedDeviceSecret(c.Request(), trustedDeviceToken) {
-		return createSessionAndRedirect(c, inst, redirect, confirm)
+		return createSessionAndRedirect(c, inst, redirect, confirm, "")
 	}
 
 	twoFactorToken, err := lifecycle.SendTwoFactorPasscode(inst)
@@ -224,14 +230,14 @@ func TwoFactor(c echo.Context) error {
 	return c.Redirect(http.StatusSeeOther, inst.PageURL("/auth/twofactor", v))
 }
 
-func createSessionAndRedirect(c echo.Context, inst *instance.Instance, redirect, confirm string) error {
+func createSessionAndRedirect(c echo.Context, inst *instance.Instance, redirect, confirm, sid string) error {
 	// The OIDC danse has been made to confirm the identity of the user, not
 	// for creating a new session.
 	if confirm != "" {
 		return auth.ConfirmSuccess(c, inst, confirm)
 	}
 
-	sessionID, err := auth.SetCookieForNewSession(c, session.NormalRun)
+	sessionID, err := auth.SetCookieForNewSession(c, session.NormalRun, sid)
 	if err != nil {
 		return err
 	}
@@ -244,6 +250,103 @@ func createSessionAndRedirect(c echo.Context, inst *instance.Instance, redirect,
 	return c.Redirect(http.StatusSeeOther, redirect)
 }
 
+// Logout is the handler for the OpenID back-channel logout endpoint.
+func Logout(c echo.Context) error {
+	contextName := c.Param("context")
+	conf, err := getGenericConfig(contextName)
+	if err != nil {
+		return c.JSON(http.StatusBadRequest, echo.Map{
+			"error": "No OpenID Connect is configured",
+		})
+	}
+
+	keys, err := GetIDTokenKeys(conf.IDTokenKeyURL)
+	if err != nil {
+		return c.JSON(http.StatusBadRequest, echo.Map{
+			"error":             "Cannot get the keys",
+			"error_description": err,
+		})
+	}
+
+	logoutToken := c.FormValue("logout_token")
+	token, err := jwt.Parse(logoutToken, func(token *jwt.Token) (interface{}, error) {
+		return ChooseKeyForIDToken(keys, token)
+	})
+	if err != nil {
+		logger.WithNamespace("oidc").Errorf("Error on jwt.Parse for logout token: %s", err)
+		return c.JSON(http.StatusBadRequest, echo.Map{
+			"error":             "error on parsing the token",
+			"error_description": err,
+		})
+	}
+	if !token.Valid {
+		logger.WithNamespace("oidc").Errorf("Invalid logout token: %#v", token)
+		return c.JSON(http.StatusBadRequest, echo.Map{
+			"error": "invalid logout token",
+		})
+	}
+
+	claims := token.Claims.(jwt.MapClaims)
+	var inst *instance.Instance
+	if conf.AllowCustomInstance {
+		sub, ok := claims["sub"].(string)
+		if !ok {
+			logger.WithNamespace("oidc").Errorf("Invalid claims: %#v", claims)
+			return c.JSON(http.StatusBadRequest, echo.Map{
+				"error": "invalid claims",
+			})
+		}
+		var instances []*instance.Instance
+		req := &couchdb.FindRequest{
+			UseIndex: "by-oidcid",
+			Selector: mango.And(
+				mango.Equal("oidc_id", sub),
+				mango.Equal("context", contextName),
+			),
+			Limit: 1,
+		}
+		err := couchdb.FindDocs(prefixer.GlobalPrefixer, consts.Instances, req, &instances)
+		if err != nil || len(instances) == 0 {
+			return c.JSON(http.StatusBadRequest, echo.Map{
+				"error":             "internal server error",
+				"error_description": err,
+			})
+		}
+		inst = instances[0]
+	} else {
+		domain, ok := claims[conf.UserInfoField].(string)
+		if !ok {
+			logger.WithNamespace("oidc").Errorf("Invalid claims: %#v", claims)
+			return c.JSON(http.StatusBadRequest, echo.Map{
+				"error": "invalid claims",
+			})
+		}
+		domain = strings.ReplaceAll(domain, "-", "") // We don't want - in cozy instance
+		domain = strings.ToLower(domain)             // The domain is case insensitive
+		domain = conf.UserInfoPrefix + domain + conf.UserInfoSuffix
+		instance, err := lifecycle.GetInstance(domain)
+		if err != nil {
+			return c.JSON(http.StatusBadRequest, echo.Map{
+				"error":             "internal server error",
+				"error_description": err,
+			})
+		}
+		inst = instance
+	}
+
+	// TODO use the sid to logout only on the current device
+	if err := session.DeleteOthers(inst, "all"); err != nil {
+		inst.Logger().WithNamespace("oidc").Errorf("Cannot delete the session: %s", err)
+		return c.JSON(http.StatusBadRequest, echo.Map{
+			"error":             "internal server error",
+			"error_description": err,
+		})
+	}
+
+	c.Response().Header().Set("Cache-Control", "no-store")
+	return c.NoContent(http.StatusOK)
+}
+
 // AccessToken delivers an access_token and a refresh_token if the client gives
 // a valid token for OIDC.
 func AccessToken(c echo.Context) error {
@@ -848,6 +951,7 @@ func Routes(router *echo.Group) {
 	router.GET("/redirect", Redirect)
 	router.GET("/login", Login, middlewares.NeedInstance)
 	router.POST("/twofactor", TwoFactor, middlewares.NeedInstance)
+	router.POST("/:context/logout", Logout)
 	router.POST("/access_token", AccessToken, middlewares.NeedInstance)
 }
 
diff --git a/web/settings/passphrase.go b/web/settings/passphrase.go
@@ -125,7 +125,7 @@ func (h *HTTPHandler) registerPassphrase(c echo.Context) error {
 		}
 	}
 
-	sessionID, err := auth.SetCookieForNewSession(c, session.LongRun)
+	sessionID, err := auth.SetCookieForNewSession(c, session.LongRun, "")
 	if err != nil {
 		return err
 	}
@@ -304,7 +304,7 @@ func (h *HTTPHandler) updatePassphrase(c echo.Context) error {
 			_ = sharing.SendPublicKey(inst, params.PublicKey)
 		}()
 		if hasSession {
-			_, _ = auth.SetCookieForNewSession(c, currentSession.Duration())
+			_, _ = auth.SetCookieForNewSession(c, currentSession.Duration(), "")
 		}
 		return c.NoContent(http.StatusNoContent)
 	}
@@ -348,7 +348,7 @@ func (h *HTTPHandler) updatePassphrase(c echo.Context) error {
 	if hasSession {
 		duration = currentSession.Duration()
 	}
-	if _, err = auth.SetCookieForNewSession(c, duration); err != nil {
+	if _, err = auth.SetCookieForNewSession(c, duration, ""); err != nil {
 		return err
 	}
 
diff --git a/web/settings/settings_test.go b/web/settings/settings_test.go
@@ -46,7 +46,7 @@ func setupRouter(t *testing.T, inst *instance.Instance, svc csettings.Service) *
 			if err != http.ErrNoCookie {
 				require.NoError(t, err, "Could not get session cookie")
 				if cookie.Value == "connected" {
-					sess, _ := session.New(inst, session.LongRun)
+					sess, _ := session.New(inst, session.LongRun, "")
 					context.Set("session", sess)
 				}
 			}

Original file line number	Diff line number	Diff line change
`@@ -317,6 +317,7 @@ func IndexesByDoctype(doctype string) []*mango.Index {`
`317`	`317`	`// properly.`
`318`	`318`	`var globalIndexes = []*mango.Index{`
`319`	`319`	`mango.MakeIndex(consts.Exports, "by-domain", mango.IndexDef{Fields: []string{"domain", "created_at"}}),`
	`320`	`+ mango.MakeIndex(consts.Instances, "by-oidcid", mango.IndexDef{Fields: []string{"oidc_id"}}),`
`320`	`321`	`}`
`321`	`322`
`322`	`323`	`// secretIndexes is the index list required on the secret databases to run`
Original file line number	Diff line number	Diff line change
`@@ -344,7 +344,7 @@ func checkLogin(next echo.HandlerFunc) echo.HandlerFunc {`
`344`	`344`	`}`
`345`	`345`
`346`	`346`	`if !wasLoggedIn {`
`347`		`- sessionID, err := auth.SetCookieForNewSession(c, session.ShortRun)`
	`347`	`+ sessionID, err := auth.SetCookieForNewSession(c, session.ShortRun, "")`
`348`	`348`	`req := c.Request()`
`349`	`349`	`if err == nil {`
`350`	`350`	`if err = session.StoreNewLoginEntry(inst, sessionID, "", req, "session_code", false); err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -797,7 +797,7 @@ func openWebapp(c echo.Context) error {`
`797`	`797`	`cookie.HttpOnly = true`
`798`	`798`	`cookie.SameSite = http.SameSiteLaxMode`
`799`	`799`	`} else {`
`800`		`- sess, err = session.New(inst, session.NormalRun)`
	`800`	`+ sess, err = session.New(inst, session.NormalRun, "")`
`801`	`801`	`if err != nil {`
`802`	`802`	`return wrapAppsError(err)`
`803`	`803`	`}`
Original file line number	Diff line number	Diff line change
`@@ -100,9 +100,9 @@ func Home(c echo.Context) error {`
`100`	`100`	`}`
`101`	`101`
`102`	`102`	`// SetCookieForNewSession creates a new session and sets the cookie on echo context`
`103`		`-func SetCookieForNewSession(c echo.Context, duration session.Duration) (string, error) {`
	`103`	`+func SetCookieForNewSession(c echo.Context, duration session.Duration, sid string) (string, error) {`
`104`	`104`	`instance := middlewares.GetInstance(c)`
`105`		`- session, err := session.New(instance, duration)`
	`105`	`+ session, err := session.New(instance, duration, sid)`
`106`	`106`	`if err != nil {`
`107`	`107`	`return "", err`
`108`	`108`	`}`
`@@ -255,7 +255,7 @@ func loginForm(c echo.Context) error {`
`255`	`255`	`if err != nil {`
`256`	`256`	`instance.Logger().Warnf("Delegated token check failed: %s", err)`
`257`	`257`	`} else {`
`258`		`- sessionID, err := SetCookieForNewSession(c, session.NormalRun)`
	`258`	`+ sessionID, err := SetCookieForNewSession(c, session.NormalRun, "")`
`259`	`259`	`if err != nil {`
`260`	`260`	`return err`
`261`	`261`	`}`
`@@ -284,7 +284,7 @@ func newSession(c echo.Context, inst instance.Instance, redirect url.URL, dura`
`284`	`284`	`duration = session.ShortRun`
`285`	`285`	`}`
`286`	`286`
`287`		`- sessionID, err := SetCookieForNewSession(c, duration)`
	`287`	`+ sessionID, err := SetCookieForNewSession(c, duration, "")`
`288`	`288`	`if err != nil {`
`289`	`289`	`return err`
`290`	`290`	`}`