
backchannel logout token verification

Open d3vv3 opened this issue 3 years ago • 3 comments

Describe the problem you'd like to have solved

There is currently no implementation of backchannel-logout stated here.

Describe the ideal solution

There should be some sort of path for it (/backchannel-logout for example) to handle the logout_token verification.

Alternatives and current work-arounds

Somehow accessing the private key stated in the lib/appSession.js file and using:

const jose = require('jose'); // jose v2 API; logout_token is the JWT posted by the OP to the back-channel endpoint

jose.JWT.LogoutToken.verify(
  logout_token,
  keyOrStore, // the OP's public key, or a key store built from its JWKS
  {
    issuer: 'https://op.example.com',
    audience: 'urn:example:client_id',
    algorithms: ['PS256']
  }
);

d3vv3 avatar Sep 06 '22 21:09 d3vv3

Hi @d3vv3 - thanks for your suggestion.

Do you have any opinions on how this SDK (or your app) would invalidate the session upon receiving the logout event?

adamjmcgrath avatar Sep 07 '22 08:09 adamjmcgrath

If I just decode the logout token, someone could be using his session to log out another user (if he had his logout token compromised). To invalidate the session, it would be enough to do a session.destroy() of some sort.

In the meantime, how can I access the private key to verify it on my own?

Also I am leaving here a backchannel logout summary for other people (Keycloak example):

  1. User sends logout request from one application
  2. The application sends logout request to Keycloak
  3. The Keycloak server invalidates the user session
  4. The Keycloak server then sends a backchannel request to the application with an admin url that is associated with the session
  5. When an application receives the logout request it invalidates the corresponding HTTP session

Validation of the logout token is specified here

d3vv3 avatar Sep 07 '22 09:09 d3vv3

Thanks for that @d3vv3

In the meantime, how can I access the private key to verify it on my own?

You use a public key to verify the token in the same way you verify an ID Token, using the AS's well-known jwks_uri or a shared secret (client secret).

  1. When an application receives the logout request it invalidates the corresponding HTTP session

This is what I'm interested in, how you would go about invalidating the session (especially a stateless session like the default for this SDK)

adamjmcgrath avatar Sep 07 '22 10:09 adamjmcgrath

Hi @d3vv3 - I have a branch with Back-Channel Logout implemented here https://github.com/auth0/express-openid-connect/blob/back-channel-logout/BACK_CHANNEL_LOGOUT.md

If you're planning on trying it out, would love to hear your feedback

adamjmcgrath avatar Nov 29 '22 09:11 adamjmcgrath

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response from our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

stale[bot] avatar May 21 '23 21:05 stale[bot]