Add support of session invalidations and subject state management
### Preflight checklist
- [x] I agree to follow this project's Code of Conduct.
- [x] I have read and am following this repository's Contribution Guidelines.
- [ ] I have discussed this feature request with the community.
### Describe the background of your feature request
Currently, heimdall determines the validity of a login session based on indirect signals such as the presence or absence of a session cookie (or the IDP's answer when verifying it), or access token expiration. However, these mechanisms are often insufficient in scenarios where:
- A subject switches sessions.
- A token is revoked externally but remains valid within its lifespan.
- A subject’s account is compromised and should no longer be trusted.
Implementing a way for heimdall to receive subject/session state changes would enhance heimdall's ability to manage session validity more effectively.
### Describe your idea
OpenID Connect has established a working group addressing similar issues by defining a standardized way to share subject state changes across different entities. This initiative, called the Shared Signals Framework (SSF), allows for secure, real-time distribution of subject state changes, such as logouts or security events (e.g., account compromise). The latest draft of the specification is available here.
Implementing support for SSF in heimdall would enable it to:
- Receive subject state change events (e.g., logout, session revocation, account compromise notifications).
- Invalidate cached authentication or authorization data based on received signals.
- Allow session consistency across multiple domains and deployments.
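As an added illustration of the receiving side (not code from heimdall or from the SSF specification), the following Go snippet applies a CAEP `session-revoked` Security Event Token to a cache of per-subject data. It assumes the SET's JWT signature and audience were already verified, that the subject is carried in the event payload's `subject` member as an `iss_sub` identifier, and that the cache key layout and `SampleSET` are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// CAEP event type URI for a revoked session (OpenID CAEP spec).
const SessionRevoked = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
// SampleSET is a constructed, already-decoded SET payload (RFC 8417) for a logout at the
// IdP. Real SETs are signed JWTs; signature and audience checks are assumed done upstream.
const SampleSET = `{"iss": "https://idp.example.test", "jti": "set-0001", "iat": 1700000000,
  "aud": "https://heimdall.example.test", "events": {"` + SessionRevoked + `": {
    "subject": {"format": "iss_sub", "iss": "https://idp.example.test", "sub": "alice"},
    "event_timestamp": 1700000000}}}`

// Cache stands in for heimdall's cached per-subject data, keyed by "iss|sub".
type Cache map[string]string

// ApplySET removes the cached entry of the subject named in a session-revoked
// event. It reports whether an entry was dropped; other event types are ignored.
func ApplySET(c Cache, claims []byte) (bool, error) {
	var set struct {
		Events map[string]json.RawMessage `json:"events"`
	}
	if err := json.Unmarshal(claims, &set); err != nil {
		return false, err
	}
	raw, ok := set.Events[SessionRevoked]
	if !ok {
		return false, nil // not an event this receiver acts on
	}
	var ev struct{ Subject struct{ Format, Iss, Sub string } `json:"subject"` }
	if err := json.Unmarshal(raw, &ev); err != nil {
		return false, err
	}
	if ev.Subject.Format != "iss_sub" { // RFC 9493 subject identifier format
		return false, fmt.Errorf("unsupported subject identifier format %q", ev.Subject.Format)
	}
	key := ev.Subject.Iss + "|" + ev.Subject.Sub
	_, hit := c[key]
	delete(c, key) // no-op when the subject has nothing cached
	return hit, nil
}

func main() {
	c := Cache{"https://idp.example.test|alice": "cached subject data"}
	dropped, err := ApplySET(c, []byte(SampleSET))
	fmt.Println(dropped, err, len(c)) // true <nil> 0
}
```

A second delivery of the same SET is a no-op, which is the behaviour a receiver wants when a transmitter retries; deduplication by `jti` would be the next step in a real implementation.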
### Are there any workarounds or alternatives?
Currently, heimdall lacks a built-in way to handle such real-time signals. The only available options involve:
- Reducing cache TTLs aggressively, which can lead to performance degradation (but doesn't solve the challenge described in the background entirely).
- Implementing custom out-of-band mechanisms to notify heimdall of session state changes (e.g., via API calls or external event processing systems).
- Relying on backend services to enforce session invalidation, which is not always feasible in distributed architectures.
While these alternatives can work in specific setups, they lack a standardized and scalable approach that SSF provides.
### Version
0.15.5
### Additional Context
No response