add additional validation to logout token#2328

Draft
dragonchaser wants to merge 5 commits into opencloud-eu:main from dragonchaser:fix-backchannel-logout

dragonchaser force-pushed the fix-backchannel-logout branch from a5ff70e to 8cd6107 (February 12, 2026 13:10)
dragonchaser force-pushed the fix-backchannel-logout branch from 8cd6107 to c051e6e (February 12, 2026 13:18)
fschade force-pushed the fix-backchannel-logout branch from c67804e to 6f8c92f (February 13, 2026 19:47)

fschade commented Feb 13, 2026

toDo:

  • using nats kv by default is ok?
  • what should we do if the token contains a session id and a subject
  • check comment toDos

fschade force-pushed the fix-backchannel-logout branch 2 times, most recently from a10347c to ae9427a (February 13, 2026 20:20)
logger.Error().Err(err).Msg("Error reading userinfo cache")

// the map will contain the record references that are needed for the logout.
// - nil value means: subject or claim record

I understand what a subject and sid record is. But what is a claim record?

> I understand what a subject and sid record is. But what is a claim record?

the claim record contains the claim as []byte, e.g.:
https://github.com/dragonchaser/opencloud/blob/1e53cc92969ca56b3071211e189405615d398ced/services/proxy/pkg/middleware/oidc_auth.go#L110

the value is needed for the backchannel logout event for GetUserByClaims, e.g.:
https://github.com/dragonchaser/opencloud/blob/1e53cc92969ca56b3071211e189405615d398ced/services/proxy/pkg/staticroutes/backchannellogout.go#L160

the existing token can't be used because one subject could contain multiple sessions with one token each....
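
Added example, not part of the pull request or the project's code: a Go sketch of logout-token claim checks from OpenID Connect Back-Channel Logout 1.0 (the `events` member is required, `nonce` is prohibited, `sub` and/or `sid` must be present) and of why a `sid` selects one session while a `sub` selects all of them. `SessionsToEnd` and the `bySubject` index are hypothetical names, the signature and the `iss`/`aud`/`iat`/`exp`/`jti` checks are assumed to be done elsewhere, and requiring a `sid` to belong to the `sub` when both are sent is one possible policy, not a decision taken in this thread.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Event member required by OpenID Connect Back-Channel Logout 1.0.
const logoutEvent = "http://schemas.openid.net/event/backchannel-logout"

// SessionsToEnd checks a logout token payload and returns the session ids to
// revoke. bySubject is a hypothetical index: subject -> all of its session ids.
func SessionsToEnd(payload []byte, bySubject map[string][]string) ([]string, error) {
	var raw, events map[string]json.RawMessage
	var ev map[string]any
	var c struct{ Sub, Sid string } // filled from the "sub" and "sid" claims
	if json.Unmarshal(payload, &raw) != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("payload is not a JSON object with string sub/sid")
	}
	if _, ok := raw["nonce"]; ok {
		return nil, errors.New("nonce is prohibited in a logout token")
	}
	if json.Unmarshal(raw["events"], &events) != nil ||
		json.Unmarshal(events[logoutEvent], &ev) != nil || ev == nil {
		return nil, errors.New("backchannel-logout event missing or not an object")
	}
	switch {
	case c.Sub == "" && c.Sid == "":
		return nil, errors.New("sub or sid is required")
	case c.Sid == "":
		return bySubject[c.Sub], nil // subject only: end every session of the user
	case c.Sub == "":
		return []string{c.Sid}, nil // sid only: end exactly that session
	default: // both present: sid must belong to sub (assumed policy)
		for _, s := range bySubject[c.Sub] {
			if s == c.Sid {
				return []string{c.Sid}, nil
			}
		}
		return nil, errors.New("sid does not belong to sub")
	}
}

func main() {
	idx := map[string][]string{"alice": {"s1", "s2"}} // constructed sample
	tok := `{"sub":"alice","sid":"s2","events":{"` + logoutEvent + `":{}}}`
	fmt.Println(SessionsToEnd([]byte(tok), idx))
}
```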

dragonchaser and others added 5 commits February 13, 2026 23:48
Signed-off-by: Christian Richter <c.richter@opencloud.eu>
Co-authored-by: Michael Barz <m.barz@opencloud.eu>
Signed-off-by: Christian Richter <c.richter@opencloud.eu>
Signed-off-by: Christian Richter <c.richter@opencloud.eu>
Co-authored-by: Jörn Dreyer <j.dreyer@opencloud.eu>
Co-authored-by: Michael Barz <m.barz@opencloud.eu>
Signed-off-by: Christian Richter <c.richter@opencloud.eu>
fschade force-pushed the fix-backchannel-logout branch from ae9427a to 1e53cc9 (February 13, 2026 23:07)

fschade commented Feb 13, 2026

A few minor things here and there, but it should be fine for now.

logout.mp4
