feat(SDK-4731): Implement support for Back-Channel Logout #747
Conversation
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (main vs. #747):

| | main | #747 | +/- |
|---|---|---|---|
| Coverage | 100.00% | 100.00% | |
| Complexity | 1339 | 1378 | +39 |
| Files | 62 | 62 | |
| Lines | 4671 | 4769 | +98 |
| Hits | 4671 | 4769 | +98 |
@@ -28,7 +28,7 @@
],
"homepage": "https://github.com/auth0/auth0-PHP",
"require": {
"php": "^8.0",
"php": "^8.1",
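Review bot: raising the `php` constraint from `^8.0` to `^8.1` is a breaking change for every consumer still pinned to 8.0, so it needs a clearly flagged release rather than a routine feature bump; the changelog entry in this PR ("PHP 8.1 is now the minimum supported runtime") gives the wording, and the release notes should call it out as breaking in the same terms.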
PHP 8.0 has been deprecated, so we'll drop support with this coming release. This PR includes new language features that rely on 8.1+, so just going ahead and bumping it here.
$sub = $token->getSubject() ?? '';
$iss = $token->getIssuer() ?? '';
$sid = $token->getIdentifier() ?? '';
$this->setBackchannel(hash('sha256', implode('|', [$sub, $iss, $sid])));
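Review bot: the `?? ''` fallbacks mean a token missing any of `sub`, `iss` or `sid` still produces a key, and every session missing the same claim hashes to the same value; skip setting the backchannel key when `$sid` is empty, since a logout token without a `sid` cannot be matched to the session anyway. Also confirm that `$token->getIdentifier()` returns the `sid` claim rather than `jti`: the logout token's `sid` has to reproduce exactly this `sha256(sub|iss|sid)` value for the later cache lookup to hit.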
I would only expect you to set the backchannel logout cache item when you get the back-channel webhook. What is happening here on login?
This is a workaround because the PHP SDK doesn't use persistent session identifiers that we could previously tie to a backchannel request. Basically just a UUID for the session. This allows us to tie a potential incoming webhook we receive later on to this particular session. (It's stored in the JSON struct of the device cookie, and not a query to the server-side cache itself.)
src/Auth0.php
]));

// Let the backchannel logout request fall off after a reasonable amount of time.
$request->expiresAfter(time() + (86400 * 30));
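Review bot: PSR-6 `expiresAfter()` takes a relative TTL (an int number of seconds or a `DateInterval`), not an absolute timestamp, so `time() + (86400 * 30)` sets the item to expire roughly 54 years from now instead of in 30 days. Use `$request->expiresAfter(86400 * 30)` or `$request->expiresAt(new \DateTimeImmutable('+30 days'))`, and keep the same distinction once the value comes from the configurable `backchannelLogoutExpires` option.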
Do you have a session duration setting you can set this to? (shortest of rolling or absolute duration)
👍 Updated to make this configurable; a new option is exposed during SDK initialization (the `SdkConfiguration` class), `backchannelLogoutExpires`. It still defaults to 30 days to cover some funky edge cases I can foresee with rolling sessions under certain circumstances.
$cache = $this->configuration()->getBackchannelLogoutCache();

// Does the session have a backchannel key available for lookup?
$backchannel = $state->getBackchannel();
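Review bot: the snippet reads `$state->getBackchannel()` before anything checks `$cache`; since the reply below states that `$cache` is `null` whenever back-channel logout is not configured, return early on `$cache === null` (and on an empty `$backchannel`) before the lookup, so unconfigured deployments never touch the pool and an empty key is never queried.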
I'm not sure if this is expensive or not? If it is, it should be behind the backchannel enabled config (which I assume is `$cache instanceof \Psr\Cache\CacheItemPoolInterface`).
Appreciate the caution, but should be all good:
- `$cache` will be `null` if Backchannel is not configured for the SDK, and thus ignored. Otherwise, the cache will have been initialized along with the SDK at runtime by necessity. It only occurs max once per request, and I imagine in 99% of cases will be the same cache resource the developer is already using for other things, like JWKS caching, so overhead will likely be non-existent in most applications.
- `setBackchannel()` just reads the string UUID stored in the device cookie's JSON structure, which is already extracted and decoded at request time.
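The flow the author's two replies describe (a per-session key derived from the token at login, a cache entry written when the logout token arrives, a lookup against that key on later requests), as an added sketch that is not the PR's or the SDK's code: `backchannelKey()`, `LogoutRegistry` and its array-backed store are hypothetical stand-ins for the SDK's token object and PSR-6 pool, and unlike the PR's plain `implode('|', ...)` the example length-prefixes each part before hashing so a `|` inside a claim value cannot cause a collision.

```php
<?php
declare(strict_types=1);
// Added illustration, not auth0-PHP code: backchannelKey() and LogoutRegistry are
// hypothetical, and the array store stands in for the SDK's PSR-6 cache pool.

/** Derive the session key from the claims shared by the ID token and the logout token. */
function backchannelKey(string $iss, string $sub, string $sid): ?string
{
    // A session without a sid can never be matched by a logout token, so store no key
    // at all rather than hashing empty strings (which would collide across sessions).
    if ($iss === '' || $sub === '' || $sid === '') {
        return null;
    }
    // Length-prefix each part so a value containing '|' cannot produce a collision.
    $parts = array_map(fn (string $v): string => strlen($v) . ':' . $v, [$iss, $sub, $sid]);
    return hash('sha256', implode('|', $parts));
}

final class LogoutRegistry
{
    /** @var array<string,int> key => absolute expiry timestamp */
    private array $store = [];

    public function __construct(private int $ttlSeconds) {}

    /** Back-channel endpoint: call only after the logout token's signature and claims are verified. */
    public function recordLogout(array $claims): bool
    {
        $key = backchannelKey($claims['iss'] ?? '', $claims['sub'] ?? '', $claims['sid'] ?? '');
        if ($key === null) {
            return false;
        }
        // With PSR-6 this is $item->expiresAfter($this->ttlSeconds) then $pool->save($item):
        // expiresAfter() takes a relative TTL in seconds, not time() + TTL.
        $this->store[$key] = time() + $this->ttlSeconds;
        return true;
    }

    /** Per request: $sessionKey is the value the SDK keeps in the device cookie's JSON. */
    public function isLoggedOut(?string $sessionKey): bool
    {
        if ($sessionKey === null || !isset($this->store[$sessionKey])) {
            return false;
        }
        return $this->store[$sessionKey] > time();
    }
}

// Constructed sample: a login stores the key; a later logout token for the same sid matches it.
$sessionKey = backchannelKey('https://tenant.example/', 'auth0|user1', 'sess-123');
$registry = new LogoutRegistry(86400 * 30);
$registry->recordLogout(['iss' => 'https://tenant.example/', 'sub' => 'auth0|user1', 'sid' => 'sess-123']);
var_dump($registry->isLoggedOut($sessionKey));
```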
**Added**
- feat(SDK-4731): Implement support for Back-Channel Logout [\#747](#747) ([evansims](https://github.com/evansims))

**Changed**
- PHP 8.1 is now the minimum supported runtime [\#748](#748) ([evansims](https://github.com/evansims))
Changes
This PR implements support for Back-Channel Logout.
References
See internal ticket SDK-4720.
Testing
Tests have been updated to add coverage for these new features.
Contributor Checklist