Add support for front-channel OIDC logout

[anderius]

The current implementation relies on cookies for front-channel logout. As noted in the spec, this is increasingly problematic, as modern browsers will not send cookies with content in an iframe.

The solution is either to use back-channel logout (which my IdP does not support), or use the sid parameter from the id-token as a session identifier, as is optional in the spec.

My feature request is that this oidc-implementation supports the sid parameter for front-channel logout.

[route443]

As I understand it, what you are asking for is a front-channel logout implementation, but we support only RP-initiated OIDC logout (see PR #96 ). The difference is that in the case of front-channel logout, the initiator is the IdP, and logout is performed through an iframe mechanism, relying on sid rather than authentication cookies (auth_token). I think we could add support for both back- and front-channel logouts, but it might be quite challenging, as we currently use auth_token as the key for tokens, and obtaining cookies based on, say, sid is not feasible. I’ll think about what can be done.

[anderius]

@route443 Our initial idea was to create a keyval map on login, from sid to auth_token. Then we could fetch auth_token from sid on logout, and create a sub-request with auth_token set. Would that not work?

[route443]

As far as I understand, technically, we cannot create a mapping like this:

keyval $foo $bar  
keyval $bar $baz

because if foo is an empty string, then baz will also be an empty string. However, nothing prevents us from setting up a mapping like this:

keyval $cookie_auth_token $session_jwt  
keyval $idp_sid $client_sid

where client_sid will equal cookie_auth_token. The issue is that, ultimately, we need to define the cookie_auth_token var, and doing this via a r.subrequest is not feasible because we cannot add headers to the client request (only args or body). We could use proxy_set_header, but that would require a proxy_pass.

I have an idea of how this could be implemented, but the solution requires refinement...

Question: whether you use only sid or sid + iss, as the spec requires both args to be present (since the uniqueness of sid can only be guaranteed within the scope of a single OP).

[anderius]

We will get both, so the map should then maybe include them both concatenated?

Example:

GET https://client.example.com/myapp/logout
     ?iss=https://idporten.no/
     &sid=D8Fgz-jEXG7JXP_VAORmAm1sKB0LjZyA3wAy-rVyMYc=

Source in Norwegian for reference: https://docs.digdir.no/docs/idporten/oidc/oidc_func_sso.html#2-h%C3%A5ndtere-utlogging-fra-id-porten-front-channel-logout

[route443]

I’d prefer to avoid using keyval as much as possible, primarily because it complicates the config and, secondarily, due to memory consumption and potential sync overhead. The current implementation (POC) uses a slightly different approach: since we can derive the auth_token from the op sid, and => the auth_token -> id_token, we can extract the iss and validate it against the one received from the args.
Additionally, this approach opens the way for back-channel logout, where based on the sid from the logout_token, we can retrieve all the necessary vars to clean up the session state.

[route443]

Hi @anderius ,

I've added support for Front-Channel logout in a separate oidc-logout-handling branch. I would greatly appreciate if you could check these changes in your environment and provide any feedback.

You can use openid_connect.js from this branch and make the following changes to your config:

1. For openid_connect_configuration.conf, add:

keyval_zone zone=oidc_sids:1M state=/var/lib/nginx/state/oidc_sids.json timeout=8h;
keyval $idp_sid $client_sid zone=oidc_sids;

2. For openid_connect.server_conf:

• Add the variable:

set $idp_sid "";

• Update the /_id_token_validation location to /_token_validation.

• Add a new location to handle Front-Channel requests:

location = /front_channel_logout {
    status_zone "OIDC logout";
    add_header Cache-Control "no-store";
    js_content oidc.handleFrontChannelLogout;
}

Thank you in advance!

[anderius]

Sorry for the long holiday, we will see if we can test the branch as soon as possible.

[anderius]

This works, thank you @route443! 🎉

Just a small bug. The content-type when calling /front_channel_logout is application/octet-stream, which causes browsers to download the file.

[anderius]

@route443 Will this make it into main? And hopefully make it into 4.1.0 release of the ingress controller, which is due March 26th?

[route443]

Hi @anderius ,

Just a small bug. The content-type when calling /front_channel_logout is application/octet-stream, which causes browsers to download the file.

Thanks for catching that! I've fixed the issue.

I've opened a PR #108, and it'll be merged into main right after the review.