Handle session token revocation #1181
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
julien-nc
added
enhancement
julien-nc
force-pushed
the
enh/noid/handle-session-token-revocation
branch
4 times, most recently
from
f0b6e64 to
09c3ef1
Compare
Closed
8 tasks
julien-nc
force-pushed
the
enh/noid/handle-session-token-revocation
branch
from
cde8a4e to
a349040
Compare
janepie
approved these changes
Aug 29, 2025
Member
janepie
left a comment
janepie
left a comment
There was a problem hiding this comment.
Nitpicks, looks good overall!
| return; | ||
| } | ||
| // we have nothing to do if we know the idp session is already closed | ||
| if ($oidcSession->getIdpSessionClosed() !== 0) { |
Member
There was a problem hiding this comment.
Why not ==1? Can it be null for some reason?
Member
Author
There was a problem hiding this comment.
It is a "notNull" column. See 'notnull' => true, in the migration.
| 'created_at' => $this->getCreatedAt(), | ||
| 'user_id' => $this->getUserId(), | ||
| 'provider_id' => $this->getProviderId(), | ||
| 'idp_session_closed' => $this->getIdpSessionClosed() !== 0, |
…dP's end_session_endpoint to make sure it's not possible to login again from the invalidated browser session Signed-off-by: Julien Veyssier <[email protected]>
…point, cleanup our own oidc session when a token has been invalidated Signed-off-by: Julien Veyssier <[email protected]>
Signed-off-by: Julien Veyssier <[email protected]>
Signed-off-by: Julien Veyssier <[email protected]>
…ions row with the SID, update it Signed-off-by: Julien Veyssier <[email protected]>
julien-nc
force-pushed
the
enh/noid/handle-session-token-revocation
branch
from
a349040 to
9795046
Compare
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When a user logs in twice (with user_oidc) and invalidates the other session in the security settings, for example, it does not kill the IdP session so, in the browser session that is revoked, it is possible to complete the login flow without authenticating again in the IdP.
This PR adds a listener on a new event dispatched when an auth token is invalidated:
OCP\Authentication\Events\TokenInvalidatedEventIf we have an Oidc session that matches this invalidated token, we call the end_session_endpoint to make sure the related IdP session is terminated.
We also cleanup the session entry (in a user_oidc table) when this happens.
New columns in the
oc_user_oidc_sessiontable:user_idis used withauthtoken_idto get the session when a token is invalidatedprovider_idis necessary to get theclient_idso we can send it as a param to the end_session_endpointid_tokenis the login ID token, we also need it as a param to the end_session_endpointidp_session_closedhelps with backchannel logout (explained below)To make sure we don't mess with the backchannel logout, there is a new
idp_session_closedcolumn in theoc_user_oidc_sessiontable. When we receive a backchannel logout request, we know that the IdP is currently killing one of its sessions. We callauthTokenProvider->invalidateTokenByIdto kill the related Nextcloud session. So we will receive theOCP\Authentication\Events\TokenInvalidatedEventbut this time we don't need to make a request to the end_session_endpoint, we know the IdP session is already terminated. So we store that information in the session in theidp_session_closedcolumn so the listener can ignore the event related with this Oidc session.closes #1159
closes nextcloud/server#53942