fix: implement id token hint on RP-Initiated logout#4743
Open
jnfrati wants to merge 1 commit intodexidp:masterfrom
Open
fix: implement id token hint on RP-Initiated logout#4743jnfrati wants to merge 1 commit intodexidp:masterfrom
jnfrati wants to merge 1 commit intodexidp:masterfrom
Conversation
Signed-off-by: jnfrati <nicofrati@gmail.com>
nabokihms
added
release-note/bug-fix
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
Hello again! Thanks to all the Dex team for taking the time to review my contributions ❤️
The purpose of this PR is to introduce the
id_token_hintwhen redirecting to upstream on RP-Initiated logout, while testing sessions we encountered the issue that some OIDC (e.g Pocket-id, Authentik) providers force-require theid_token_hintto be added when provided apost_logout_redirect_uri, this means that the chain RP -> OP(Dex) -> OP(Pocket-id) gets broken due to Dex not sending that extra parameter.Even though the current implementation of Dex is not "broken" as it's compliant with the specification, having this extra id_token_hint in the URL makes integration easier when working with a wide variety of third party services. Still, I understand that the intention might not be to send the id_token_hint always, so happy to apply any recommended approach on how to "flag" when to send this or not 🙌
What this PR does / why we need it
This PR introduces:
AuthSession.ConnectorData []byteAuthSession.ConnectorDataid_token_hintin case connectorData is provided toLogoutCallbackConnector.LogoutURL, worth mentioning that:id_token_hintis added if it's present in the connectorData, meaning it does not depend on whether thepost_redirect_logout_uriis present or not.This enables a much smoother integration with OIDC providers that require the
id_token_hintto validate the identity of the requesting party.Tests introduced
TestLogoutURL: coversIDTokenpresent/absent, malformed connector data, and hint emission withoutpost_logout_redirect_uri.TestTryUpstreamLogoutPrefersSessionConnectorData: verifies precedence of auth-session data over offline-session data, plus fallback behavior.storage/conformancetestAuthSessionCRUDnow assertsConnectorDataround-trips through both create and update.Special notes for your reviewer
My assumption on this PR is that the logout process is only done if sessions exist, meaning that there's a higher chance of finding the
id_tokenon theAuthSession.ConnectorDatathan in theOfflineSessionobject. This is why in logout, the auth session takes precedence over the offline session, but please let me know if this is a correct assumption!