diff --git a/.circleci/config.yml b/.circleci/config.yml
index db219c7f..6fe9fe22 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -5,7 +5,7 @@ orbs:
jobs:
build:
docker:
- - image: circleci/node:14-browsers
+ - image: cimg/node:lts-browsers
environment:
LANG: en_US.UTF-8
steps:
diff --git a/EXAMPLES.md b/EXAMPLES.md
index 9dd2fe6a..c44593ed 100644
--- a/EXAMPLES.md
+++ b/EXAMPLES.md
@@ -10,6 +10,7 @@
8. [Logout from Identity Provider](#8-logout-from-identity-provider)
9. [Validate Claims from an ID token before logging a user in](#9-validate-claims-from-an-id-token-before-logging-a-user-in)
10. [Use a custom session store](#10-use-a-custom-session-store)
+11. [Back-Channel Logout](#11-back-channel-logout)
## 1. Basic setup
@@ -298,3 +299,50 @@ app.use(
```
Full example at [custom-session-store.js](./examples/custom-session-store.js), to run it: `npm run start:example -- custom-session-store`
+
+## 11. Back-Channel Logout
+
+Configure the SDK with `backchannelLogout` enabled. You will also need a session store (like Redis) - you can use any `express-session` compatible store.
+
+```js
+// index.js
+const { auth } = require('express-openid-connect');
+const { createClient } = require('redis');
+const RedisStore = require('connect-redis')(auth);
+
+// redis@v4
+let redisClient = createClient({ legacyMode: true });
+redisClient.connect();
+
+app.use(
+ auth({
+ idpLogout: true,
+ backchannelLogout: {
+ store: new RedisStore({ client: redisClient }),
+ },
+ })
+);
+```
+
+If you're already using a session store for stateful sessions you can just reuse that.
+
+```js
+app.use(
+ auth({
+ idpLogout: true,
+ session: {
+ store: new RedisStore({ client: redisClient }),
+ },
+ backchannelLogout: true,
+ })
+);
+```
+
+### This will:
+
+- Create the handler `/backchannel-logout` that you can register with your ISP.
+- On receipt of a valid Logout Token, the SDK will store an entry by `sid` (Session ID) and an entry by `sub` (User ID) in the `backchannelLogout.store` - the expiry of the entry will be set to the duration of the session (this is customisable using the [onLogoutToken](https://auth0.github.io/express-openid-connect/interfaces/BackchannelLogoutOptions.html#onLogoutToken) config hook)
+- On all authenticated requests, the SDK will check the store for an entry that corresponds with the session's ID token's `sid` or `sub`. If it finds a corresponding entry it will invalidate the session and clear the session cookie. (This is customisable using the [isLoggedOut](https://auth0.github.io/express-openid-connect/interfaces/BackchannelLogoutOptions.html#isLoggedOut) config hook)
+- If the user logs in again, the SDK will remove any stale `sub` entry in the Back-Channel Logout store to ensure they are not logged out immediately (this is customisable using the [onLogin](https://auth0.github.io/express-openid-connect/interfaces/BackchannelLogoutOptions.html#onLogin) config hook)
+
+The config options are [documented here](https://auth0.github.io/express-openid-connect/interfaces/BackchannelLogoutOptions.html)
diff --git a/end-to-end/backchannel-logout.test.js b/end-to-end/backchannel-logout.test.js
new file mode 100644
index 00000000..0558e907
--- /dev/null
+++ b/end-to-end/backchannel-logout.test.js
@@ -0,0 +1,103 @@
+const { assert } = require('chai');
+const puppeteer = require('puppeteer');
+const request = require('request-promise-native');
+const provider = require('./fixture/oidc-provider');
+const {
+ baseUrl,
+ start,
+ runExample,
+ stubEnv,
+ checkContext,
+ goto,
+ login,
+} = require('./fixture/helpers');
+
+describe('back-channel logout', async () => {
+ let authServer;
+ let appServer;
+ let browser;
+
+ beforeEach(async () => {
+ stubEnv();
+ authServer = await start(provider, 3001);
+ });
+
+ afterEach(async () => {
+ authServer.close();
+ appServer.close();
+ await browser.close();
+ });
+
+ const runTest = async (example) => {
+ appServer = await runExample(example);
+ browser = await puppeteer.launch({
+ args: ['no-sandbox', 'disable-setuid-sandbox'],
+ });
+ const page = await browser.newPage();
+ await goto(baseUrl, page);
+ assert.match(page.url(), /http:\/\/localhost:300/);
+ await Promise.all([page.click('a'), page.waitForNavigation()]);
+ await login('username', 'password', page);
+ assert.equal(
+ page.url(),
+ `${baseUrl}/`,
+ 'User is returned to the original page'
+ );
+ const loggedInCookies = await page.cookies('http://localhost:3000');
+ assert.ok(loggedInCookies.find(({ name }) => name === 'appSession'));
+
+ const response = await checkContext(await page.cookies());
+ assert.isOk(response.isAuthenticated);
+
+ await goto(`${baseUrl}/logout-token`, page);
+
+ await page.waitForSelector('pre');
+ const element = await page.$('pre');
+ const curl = await page.evaluate((el) => el.textContent, element);
+ const [, logoutToken] = curl.match(/logout_token=([^"]+)/);
+ const res = await request.post('http://localhost:3000/backchannel-logout', {
+ form: {
+ logout_token: logoutToken,
+ },
+ resolveWithFullResponse: true,
+ });
+ assert.equal(res.statusCode, 204);
+
+ await goto(baseUrl, page);
+ const loggedOutCookies = await page.cookies('http://localhost:3000');
+ assert.notOk(loggedOutCookies.find(({ name }) => name === 'appSession'));
+ };
+
+ it('should logout via back-channel logout', () =>
+ runTest('backchannel-logout'));
+
+ it('should not logout sub via back-channel logout if user logs in after', async () => {
+ await runTest('backchannel-logout');
+
+ await browser.close();
+ browser = await puppeteer.launch({
+ args: ['no-sandbox', 'disable-setuid-sandbox'],
+ });
+ const page = await browser.newPage();
+ await goto(baseUrl, page);
+ assert.match(page.url(), /http:\/\/localhost:300/);
+ await Promise.all([page.click('a'), page.waitForNavigation()]);
+ await login('username', 'password', page);
+ assert.equal(
+ page.url(),
+ `${baseUrl}/`,
+ 'User is returned to the original page'
+ );
+
+ const loggedInCookies = await page.cookies('http://localhost:3000');
+ assert.ok(loggedInCookies.find(({ name }) => name === 'appSession'));
+ const response = await checkContext(await page.cookies());
+ assert.isOk(response.isAuthenticated);
+ });
+
+ it('should logout via back-channel logout with custom implementation genid', () =>
+ runTest('backchannel-logout-custom-genid'));
+
+ it('should logout via back-channel logout with custom implementation query store', () =>
+ runTest('backchannel-logout-custom-query-store'));
+});
diff --git a/end-to-end/fixture/helpers.js b/end-to-end/fixture/helpers.js
index 9a9e4ff8..a880e6e3 100644
--- a/end-to-end/fixture/helpers.js
+++ b/end-to-end/fixture/helpers.js
@@ -1,6 +1,9 @@
const path = require('path');
+const crypto = require('crypto');
const sinon = require('sinon');
const express = require('express');
+const { JWT } = require('jose');
+const { privateJWK } = require('./jwk');
const request = require('request-promise-native').defaults({ json: true });
const baseUrl = 'http://localhost:3000';
@@ -89,6 +92,31 @@ const logout = async (page) => {
await Promise.all([page.click('[name=logout]'), page.waitForNavigation()]);
};
+const logoutTokenTester = (clientId, sid, sub) => async (req, res) => {
+ const logoutToken = JWT.sign(
+ {
+ events: {
+ 'http://schemas.openid.net/event/backchannel-logout': {},
+ },
+ ...(sid && { sid: req.oidc.user.sid }),
+ ...(sub && { sub: req.oidc.user.sub }),
+ },
+ privateJWK,
+ {
+ issuer: `http://localhost:${process.env.PROVIDER_PORT || 3001}`,
+ audience: clientId,
+ iat: true,
+ jti: crypto.randomBytes(16).toString('hex'),
+ algorithm: 'RS256',
+ header: { typ: 'logout+jwt' },
+ }
+ );
+
+ res.send(`
+
curl -X POST http://localhost:3000/backchannel-logout -d "logout_token=${logoutToken}"
+ `);
+};
+
module.exports = {
baseUrl,
start,
@@ -100,4 +128,5 @@ module.exports = {
goto,
login,
logout,
+ logoutTokenTester,
};
diff --git a/end-to-end/fixture/jwk.js b/end-to-end/fixture/jwk.js
new file mode 100644
index 00000000..0358976f
--- /dev/null
+++ b/end-to-end/fixture/jwk.js
@@ -0,0 +1,12 @@
+const { JWK } = require('jose');
+
+const key = JWK.generateSync('RSA', 2048, {
+ alg: 'RS256',
+ kid: 'key-1',
+ use: 'sig',
+});
+
+module.exports.privateJWK = key.toJWK(true);
+module.exports.publicJWK = key.toJWK();
+module.exports.privatePEM = key.toPEM(true);
+module.exports.publicPEM = key.toPEM();
diff --git a/end-to-end/fixture/oidc-provider.js b/end-to-end/fixture/oidc-provider.js
index 169a9973..79c6013c 100644
--- a/end-to-end/fixture/oidc-provider.js
+++ b/end-to-end/fixture/oidc-provider.js
@@ -1,4 +1,5 @@
const Provider = require('oidc-provider');
+const { privateJWK, publicJWK } = require('./jwk');
const client = {
client_id: 'test-express-openid-connect-client-id',
@@ -6,11 +7,8 @@ const client = {
token_endpoint_auth_method: 'client_secret_post',
response_types: ['id_token', 'code', 'code id_token'],
grant_types: ['implicit', 'authorization_code', 'refresh_token'],
- redirect_uris: [`http://localhost:3000/callback`],
- post_logout_redirect_uris: [
- 'http://localhost:3000',
- 'http://localhost:3000/custom-logout',
- ],
+ redirect_uris: ['http://localhost:3000/callback'],
+ post_logout_redirect_uris: ['http://localhost:3000'],
};
const config = {
@@ -19,21 +17,26 @@ const config = {
Object.assign({}, client, {
client_id: 'private-key-jwt-client',
token_endpoint_auth_method: 'private_key_jwt',
- jwks: {
- keys: [
- {
- kty: 'RSA',
- n: '20yjkC7WmelNZN33GAjFaMvKaInjTz3G49eUwizpuAW6Me9_1FMSAK6nM1XI7VBpy_o5-ffNleRIgcvFudZuSvZiAYBBS2HS5F5PjluVExPwHTD7X7CIwqJxq67N5sTeFkh_ZL4fWK-Na4VlFEsKhcjDrLGxhPCuOgr9FmL0u0Vx_TM3Mk3DEhaf-tMlFx-K3R2GRJRe1wnYhOt1sXm8SNUM2uMZI05W6eRFn1gUAdTLNdCTvDY67ZAl6wyOewYo-WGpzwFYXLXDvc-f8vYucRM3Hq_GSzvFQ4l0nRLLj_33vlCg8mB1CEw_LudadzticAir3Ux3bnpno9yndUZR6w',
- e: 'AQAB',
- },
- ],
- },
+ jwks: { keys: [publicJWK] },
+ }),
+ Object.assign({}, client, {
+ client_id: 'backchannel-logout-client',
+ backchannel_logout_uri: 'http://localhost:3000/backchannel-logout',
+ backchannel_logout_session_required: true,
+ }),
+ Object.assign({}, client, {
+ client_id: 'backchannel-logout-client-no-sid',
+ backchannel_logout_uri: 'http://localhost:3000/backchannel-logout',
+ backchannel_logout_session_required: false,
}),
Object.assign({}, client, {
client_id: 'client-secret-jwt-client',
token_endpoint_auth_method: 'client_secret_jwt',
}),
],
+ jwks: {
+ keys: [privateJWK],
+ },
formats: {
AccessToken: 'jwt',
},
@@ -47,6 +50,11 @@ const config = {
claims: () => ({ sub: id }),
};
},
+ features: {
+ backchannelLogout: {
+ enabled: true,
+ },
+ },
};
const PORT = process.env.PROVIDER_PORT || 3001;
diff --git a/examples/backchannel-logout-custom-genid.js b/examples/backchannel-logout-custom-genid.js
new file mode 100644
index 00000000..8593fb15
--- /dev/null
+++ b/examples/backchannel-logout-custom-genid.js
@@ -0,0 +1,69 @@
+const { promisify } = require('util');
+const crypto = require('crypto');
+const express = require('express');
+const { auth, requiresAuth } = require('../');
+const { logoutTokenTester } = require('../end-to-end/fixture/helpers');
+
+// This custom implementation uses a sessions with an id that matches the
+// Identity Provider's session id "sid" (by using the "genid" config).
+// When the SDK receives a logout token, it can identify the session that needs
+// to be destroyed by the logout token's "sid".
+
+const MemoryStore = require('memorystore')(auth);
+
+const app = express();
+
+const store = new MemoryStore();
+const destroy = promisify(store.destroy).bind(store);
+
+const onLogoutToken = async (token) => {
+ const { sid } = token;
+ // Delete the session - no need to store a logout token.
+ await destroy(sid);
+};
+
+app.use(
+ auth({
+ clientID: 'backchannel-logout-client',
+ authRequired: false,
+ idpLogout: true,
+ backchannelLogout: {
+ onLogoutToken,
+ isLoggedOut: false,
+ onLogin: false,
+ },
+ session: {
+ store,
+ // If you're using a custom `genid` you should sign the session store cookie
+ // to ensure it is a cryptographically secure random string and not guessable.
+ signSessionStoreCookie: true,
+ genid(req) {
+ if (req.oidc && req.oidc.isAuthenticated()) {
+ const { sid } = req.oidc.idTokenClaims;
+ // Note this must be unique and a cryptographically secure random value.
+ return sid;
+ } else {
+ // Anonymous user sessions (like checkout baskets)
+ return crypto.randomBytes(16).toString('hex');
+ }
+ },
+ },
+ })
+);
+
+app.get('/', async (req, res) => {
+ if (req.oidc.isAuthenticated()) {
+ res.send(`hello ${req.oidc.user.sub} logout`);
+ } else {
+ res.send('login');
+ }
+});
+
+// For testing purposes only
+app.get(
+ '/logout-token',
+ requiresAuth(),
+ logoutTokenTester('backchannel-logout-client', true)
+);
+
+module.exports = app;
diff --git a/examples/backchannel-logout-custom-query-store.js b/examples/backchannel-logout-custom-query-store.js
new file mode 100644
index 00000000..00fc7c16
--- /dev/null
+++ b/examples/backchannel-logout-custom-query-store.js
@@ -0,0 +1,68 @@
+const { promisify } = require('util');
+const express = require('express');
+const base64url = require('base64url');
+const { auth, requiresAuth } = require('../');
+const { logoutTokenTester } = require('../end-to-end/fixture/helpers');
+
+// This implementation assumes you can query all sessions in the store.
+// When you receive a Back-Channel logout request it queries you session store
+// for sessions that match the logout token's `sub` or `sid` claim and removes them.
+
+const MemoryStore = require('memorystore')(auth);
+
+const app = express();
+
+const store = new MemoryStore();
+const all = promisify(store.all).bind(store);
+const destroy = promisify(store.destroy).bind(store);
+
+const decodeJWT = (jwt) => {
+ const [, payload] = jwt.split('.');
+ return JSON.parse(base64url.decode(payload));
+};
+
+const onLogoutToken = async (token) => {
+ const { sid: logoutSid, sub: logoutSub } = token;
+ // Note: you may not be able to access all sessions in your store
+ // and this is likely to be an expensive operation if you have lots of sessions.
+ const allSessions = await all();
+ for (const [key, session] of Object.entries(allSessions)) {
+ // Rather than decode every id token in your store,
+ // you could store the `sub` and `sid` on the session in `afterCallback`.
+ const { sub, sid } = decodeJWT(session.data.id_token);
+ if ((logoutSid && logoutSid === sid) || (logoutSub && logoutSub === sub)) {
+ await destroy(key);
+ }
+ }
+};
+
+app.use(
+ auth({
+ clientID: 'backchannel-logout-client-no-sid',
+ authRequired: false,
+ idpLogout: true,
+ session: { store },
+ backchannelLogout: {
+ onLogoutToken,
+ isLoggedOut: false,
+ onLogin: false,
+ },
+ })
+);
+
+app.get('/', async (req, res) => {
+ if (req.oidc.isAuthenticated()) {
+ res.send(`hello ${req.oidc.user.sub} logout`);
+ } else {
+ res.send('login');
+ }
+});
+
+// For testing purposes only
+app.get(
+ '/logout-token',
+ requiresAuth(),
+ logoutTokenTester('backchannel-logout-client-no-sid', true, true)
+);
+
+module.exports = app;
diff --git a/examples/backchannel-logout.js b/examples/backchannel-logout.js
new file mode 100644
index 00000000..54059b19
--- /dev/null
+++ b/examples/backchannel-logout.js
@@ -0,0 +1,36 @@
+const express = require('express');
+const { auth, requiresAuth } = require('../');
+const { logoutTokenTester } = require('../end-to-end/fixture/helpers');
+
+const MemoryStore = require('memorystore')(auth);
+
+const app = express();
+
+app.use(
+ auth({
+ clientID: 'backchannel-logout-client',
+ authRequired: false,
+ idpLogout: true,
+ session: {
+ store: new MemoryStore(),
+ },
+ backchannelLogout: true,
+ })
+);
+
+app.get('/', async (req, res) => {
+ if (req.oidc.isAuthenticated()) {
+ res.send(`hello ${req.oidc.user.sub} logout`);
+ } else {
+ res.send('login');
+ }
+});
+
+// For testing purposes only
+app.get(
+ '/logout-token',
+ requiresAuth(),
+ logoutTokenTester('backchannel-logout-client', false, true)
+);
+
+module.exports = app;
diff --git a/examples/private-key-jwt.js b/examples/private-key-jwt.js
index 0c5ec2d0..acc7516b 100644
--- a/examples/private-key-jwt.js
+++ b/examples/private-key-jwt.js
@@ -1,7 +1,6 @@
-const fs = require('fs');
-const path = require('path');
const express = require('express');
const { auth } = require('../');
+const { privateJWK } = require('../end-to-end/fixture/jwk');
const app = express();
@@ -12,9 +11,7 @@ app.use(
authorizationParams: {
response_type: 'code',
},
- clientAssertionSigningKey: fs.readFileSync(
- path.join(__dirname, 'private-key.pem')
- ),
+ clientAssertionSigningKey: privateJWK,
})
);
diff --git a/examples/private-key.pem b/examples/private-key.pem
index d1391f9c..43b71335 100644
--- a/examples/private-key.pem
+++ b/examples/private-key.pem
@@ -25,4 +25,4 @@ nH64nNQFIFSKsCZIz5q/8TUY0bDY6GsZJnd2YAg4JtkRTY8tPcVjQU9fxxtFJ+X1
ukIdiJtMNPwePfsT/2KqrbnftQnAKNnhsgcYGo8NAvntX4FokOAEdunyYmm85mLp
BGKYgVXJqnm6+TJyCRac1ro3noG898P/LZ8MOBoaYQtWeWRpDc46jPrA0FqUJy+i
ca/T0LLtgmbMmxSv/MmzIg==
------END PRIVATE KEY-----
+-----END PRIVATE KEY-----
\ No newline at end of file
diff --git a/index.d.ts b/index.d.ts
index 318aa8a0..c59ecb39 100644
--- a/index.d.ts
+++ b/index.d.ts
@@ -256,6 +256,59 @@ interface CallbackOptions {
tokenEndpointParams?: TokenParameters;
}
+/**
+ * Custom options to configure Back-Channel Logout on your application.
+ */
+interface BackchannelLogoutOptions {
+ /**
+ * Used to store Back-Channel Logout entries, you can specify a separate store
+ * for this or just reuse {@link SessionConfigParams.store} if you are using one already.
+ *
+ * The store should have `get`, `set` and `destroy` methods, making it compatible
+ * with [express-session stores](https://github.com/expressjs/session#session-store-implementation).
+ */
+ store?: SessionStore>;
+
+ /**
+ * On receipt of a Logout Token the SDK validates the token then by default stores 2 entries: one
+ * by the token's `sid` claim (if available) and one by the token's `sub` claim (if available).
+ *
+ * If a session subsequently shows up with either the same `sid` or `sub`, the user if forbidden access and
+ * their cookie is deleted.
+ *
+ * You can override this to implement your own Back-Channel Logout logic
+ * (See {@link https://github.com/auth0/express-openid-connect/tree/master/examples/examples/backchannel-logout-custom-genid.js} or {@link https://github.com/auth0/express-openid-connect/tree/master/examples/examples/backchannel-logout-custom-query-store.js})
+ */
+ onLogoutToken?: (
+ decodedToken: object,
+ config: ConfigParams
+ ) => Promise | void;
+
+ /**
+ * When {@link backchannelLogout} is enabled all requests that have a session
+ * will be checked for a previous Back-Channel logout. By default, this
+ * uses the `sub` and the `sid` (if available) from the session's ID token to look up a previous logout and
+ * logs the user out if one is found.
+ *
+ * You can override this to implement your own Back-Channel Logout logic
+ * (See {@link https://github.com/auth0/express-openid-connect/tree/master/examples/examples/backchannel-logout-custom-genid.js} or {@link https://github.com/auth0/express-openid-connect/tree/master/examples/examples/backchannel-logout-custom-query-store.js})
+ */
+ isLoggedOut?:
+ | false
+ | ((req: Request, config: ConfigParams) => Promise | boolean);
+
+ /**
+ * When {@link backchannelLogout} is enabled, upon successful login the SDK will remove any existing Back-Channel
+ * logout entries for the same `sub`, to prevent the user from being logged out by an old Back-Channel logout.
+ *
+ * You can override this to implement your own Back-Channel Logout logic
+ * (See {@link https://github.com/auth0/express-openid-connect/tree/master/examples/examples/backchannel-logout-custom-genid.js} or {@link https://github.com/auth0/express-openid-connect/tree/master/examples/examples/backchannel-logout-custom-query-store.js})
+ */
+ onLogin?:
+ | false
+ | ((req: Request, config: ConfigParams) => Promise | void);
+}
+
/**
* Configuration parameters passed to the `auth()` middleware.
*
@@ -484,6 +537,21 @@ interface ConfigParams {
*/
pushedAuthorizationRequests?: boolean;
+ /**
+ * Set to `true` to enable Back-Channel Logout in your application.
+ * This will set up a web hook on your app at {@link ConfigParams.routes routes.backchannelLogout}
+ * On receipt of a Logout Token the webhook will store the token, then on any
+ * subsequent requests, will check the store for a Logout Token that corresponds to the
+ * current session. If it finds one, it will log the user out.
+ *
+ * In order for this to work you need to specify a {@link ConfigParams.backchannelLogout.store},
+ * which can be any `express-session` compatible store, or you can
+ * reuse {@link SessionConfigParams.store} if you are using one already.
+ *
+ * See: https://openid.net/specs/openid-connect-backchannel-1_0.html
+ */
+ backchannelLogout?: boolean | BackchannelLogoutOptions;
+
/**
* Configuration for the login, logout, callback and postLogoutRedirect routes.
*/
@@ -509,6 +577,11 @@ interface ConfigParams {
* Relative path to the application callback to process the response from the authorization server.
*/
callback?: string | false;
+
+ /**
+ * Relative path to the application's Back-Channel Logout web hook.
+ */
+ backchannelLogout?: string;
};
/**
@@ -619,7 +692,7 @@ interface ConfigParams {
httpUserAgent?: string;
}
-interface SessionStorePayload {
+interface SessionStorePayload {
header: {
/**
* timestamp (in secs) when the session was created.
@@ -638,16 +711,25 @@ interface SessionStorePayload {
/**
* The session data.
*/
- data: Session;
+ data: Data;
+
+ /**
+ * This makes it compatible with some `express-session` stores that use this
+ * to set their ttl.
+ */
+ cookie: {
+ expires: number;
+ maxAge: number;
+ };
}
-interface SessionStore {
+interface SessionStore {
/**
* Gets the session from the store given a session ID and passes it to `callback`.
*/
get(
sid: string,
- callback: (err: any, session?: SessionStorePayload | null) => void
+ callback: (err: any, session?: SessionStorePayload | null) => void
): void;
/**
@@ -655,7 +737,7 @@ interface SessionStore {
*/
set(
sid: string,
- session: SessionStorePayload,
+ session: SessionStorePayload,
callback?: (err?: any) => void
): void;
diff --git a/lib/client.js b/lib/client.js
index 4d73e406..455e3102 100644
--- a/lib/client.js
+++ b/lib/client.js
@@ -145,7 +145,7 @@ async function get(config) {
}
}
- return client;
+ return { client, issuer };
}
const cache = new Map();
diff --git a/lib/config.js b/lib/config.js
index 3e73a9ae..25095f6d 100644
--- a/lib/config.js
+++ b/lib/config.js
@@ -43,7 +43,20 @@ const paramsSchema = Joi.object({
.pattern(/^[0-9a-zA-Z_.-]+$/, { name: 'cookie name' })
.optional()
.default('appSession'),
- store: Joi.object().optional(),
+ store: Joi.object()
+ .optional()
+ .when(Joi.ref('/backchannelLogout'), {
+ not: false,
+ then: Joi.when('/backchannelLogout.store', {
+ not: Joi.exist(),
+ then: Joi.when('/backchannelLogout.isLoggedOut', {
+ not: Joi.exist(),
+ then: Joi.object().required().messages({
+ 'any.required': `Back-Channel Logout requires a "backchannelLogout.store" (you can also reuse "session.store" if you have stateful sessions) or custom hooks for "isLoggedOut" and "onLogoutToken".`,
+ }),
+ }),
+ }),
+ }),
genid: Joi.function()
.maxArity(1)
.optional()
@@ -116,6 +129,21 @@ const paramsSchema = Joi.object({
.unknown(true)
.default(),
logoutParams: Joi.object().optional(),
+ backchannelLogout: Joi.alternatives([
+ Joi.object({
+ store: Joi.object().optional(),
+ onLogin: Joi.alternatives([
+ Joi.function(),
+ Joi.boolean().valid(false),
+ ]).optional(),
+ isLoggedOut: Joi.alternatives([
+ Joi.function(),
+ Joi.boolean().valid(false),
+ ]).optional(),
+ onLogoutToken: Joi.function().optional(),
+ }),
+ Joi.boolean(),
+ ]).default(false),
baseURL: Joi.string()
.uri()
.required()
@@ -200,6 +228,9 @@ const paramsSchema = Joi.object({
Joi.boolean().valid(false),
]).default('/callback'),
postLogoutRedirect: Joi.string().uri({ allowRelative: true }).default(''),
+ backchannelLogout: Joi.string()
+ .uri({ allowRelative: true })
+ .default('/backchannel-logout'),
})
.default()
.unknown(false),
diff --git a/lib/context.js b/lib/context.js
index ebefe28d..05b81544 100644
--- a/lib/context.js
+++ b/lib/context.js
@@ -1,7 +1,9 @@
const url = require('url');
const urlJoin = require('url-join');
+const { JWT } = require('jose');
const { TokenSet } = require('openid-client');
const clone = require('clone');
+
const { strict: assert } = require('assert');
const createError = require('http-errors');
@@ -9,6 +11,8 @@ const debug = require('./debug')('context');
const { once } = require('./once');
const { get: getClient } = require('./client');
const { encodeState, decodeState } = require('../lib/hooks/getLoginState');
+const onLogin = require('./hooks/backchannelLogout/onLogIn');
+const onLogoutToken = require('./hooks/backchannelLogout/onLogoutToken');
const {
cancelSilentLogin,
resumeSilentLogin,
@@ -25,7 +29,7 @@ function isExpired() {
async function refresh({ tokenEndpointParams } = {}) {
let { config, req } = weakRef(this);
- const client = await getClient(config);
+ const { client } = await getClient(config);
const oldTokenSet = tokenSet.call(this);
let extras;
@@ -127,7 +131,15 @@ class RequestContext {
get idTokenClaims() {
try {
- return clone(tokenSet.call(this).claims());
+ const {
+ config: { session },
+ req,
+ } = weakRef(this);
+
+ // The ID Token from Auth0's Refresh Grant doesn't contain a "sid"
+ // so we should check the backup sid we stored at login.
+ const { sid } = req[session.name];
+ return { sid, ...clone(tokenSet.call(this).claims()) };
} catch (err) {
return undefined;
}
@@ -152,7 +164,7 @@ class RequestContext {
async fetchUserInfo() {
const { config } = weakRef(this);
- const client = await getClient(config);
+ const { client } = await getClient(config);
return client.userinfo(tokenSet.call(this));
}
}
@@ -185,7 +197,7 @@ class ResponseContext {
let { config, req, res, next, transient } = weakRef(this);
next = once(next);
try {
- const client = await getClient(config);
+ const { client } = await getClient(config);
// Set default returnTo value, allow passed-in options to override or use originalUrl on GET
let returnTo = config.baseURL;
@@ -289,7 +301,7 @@ class ResponseContext {
debug('req.oidc.logout() with return url: %s', returnURL);
try {
- const client = await getClient(config);
+ const { client } = await getClient(config);
if (url.parse(returnURL).host === null) {
returnURL = urlJoin(config.baseURL, returnURL);
@@ -328,7 +340,7 @@ class ResponseContext {
let { config, req, res, transient, next } = weakRef(this);
next = once(next);
try {
- const client = await getClient(config);
+ const { client } = await getClient(config);
const redirectUri = options.redirectUri || this.getRedirectUri();
let tokenSet;
@@ -358,6 +370,10 @@ class ResponseContext {
}
let session = Object.assign({}, tokenSet); // Remove non-enumerable methods from the TokenSet
+ const claims = tokenSet.claims();
+ // Must store the `sid` separately as the ID Token gets overridden by
+ // ID Token from the Refresh Grant which may not contain a sid (In Auth0 currently).
+ session.sid = claims.sid;
if (config.afterCallback) {
session = await config.afterCallback(
@@ -369,7 +385,7 @@ class ResponseContext {
}
if (req.oidc.isAuthenticated()) {
- if (req.oidc.user.sub === tokenSet.claims().sub) {
+ if (req.oidc.user.sub === claims.sub) {
// If it's the same user logging in again, just update the existing session.
Object.assign(req[config.session.name], session);
} else {
@@ -387,6 +403,14 @@ class ResponseContext {
await regenerateSessionStoreId(req, config);
}
resumeSilentLogin(req, res);
+
+ if (
+ req.oidc.isAuthenticated() &&
+ config.backchannelLogout &&
+ config.backchannelLogout.onLogin !== false
+ ) {
+ await (config.backchannelLogout.onLogin || onLogin)(req, config);
+ }
} catch (err) {
if (!req.openidState || !req.openidState.attemptingSilentLogin) {
return next(err);
@@ -394,6 +418,50 @@ class ResponseContext {
}
res.redirect(req.openidState.returnTo || config.baseURL);
}
+
+ async backchannelLogout() {
+ let { config, req, res } = weakRef(this);
+ res.setHeader('cache-control', 'no-store');
+ const logoutToken = req.body.logout_token;
+ if (!logoutToken) {
+ res.status(400).json({
+ error: 'invalid_request',
+ error_description: 'Missing logout_token',
+ });
+ return;
+ }
+ const onToken =
+ (config.backchannelLogout && config.backchannelLogout.onLogoutToken) ||
+ onLogoutToken;
+ let token;
+ try {
+ const { issuer } = await getClient(config);
+ const keyInput = await issuer.keystore();
+
+ token = await JWT.LogoutToken.verify(logoutToken, keyInput, {
+ issuer: issuer.issuer,
+ audience: config.clientID,
+ algorithms: [config.idTokenSigningAlg],
+ });
+ } catch (e) {
+ res.status(400).json({
+ error: 'invalid_request',
+ error_description: e.message,
+ });
+ return;
+ }
+ try {
+ await onToken(token, config);
+ } catch (e) {
+ debug('req.oidc.backchannelLogout() failed with: %s', e.message);
+ res.status(400).json({
+ error: 'application_error',
+ error_description: `The application failed to invalidate the session.`,
+ });
+ return;
+ }
+ res.status(204).send();
+ }
}
module.exports = { RequestContext, ResponseContext };
diff --git a/lib/crypto.js b/lib/crypto.js
index 89311d25..0d12d0ed 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -18,6 +18,7 @@ let encryption, signing;
* @see https://tools.ietf.org/html/rfc5869
*
*/
+/* istanbul ignore else */
if (crypto.hkdfSync) {
// added in v15.0.0
encryption = (secret) =>
diff --git a/lib/hooks/backchannelLogout/isLoggedOut.js b/lib/hooks/backchannelLogout/isLoggedOut.js
new file mode 100644
index 00000000..00428a12
--- /dev/null
+++ b/lib/hooks/backchannelLogout/isLoggedOut.js
@@ -0,0 +1,22 @@
+const { promisify } = require('util');
+const { get: getClient } = require('../../client');
+
+// Default hook that checks if the user has been logged out via Back-Channel Logout
+module.exports = async (req, config) => {
+ const store =
+ (config.backchannelLogout && config.backchannelLogout.store) ||
+ config.session.store;
+ const get = promisify(store.get).bind(store);
+ const {
+ issuer: { issuer },
+ } = await getClient(config);
+ const { sid, sub } = req.oidc.idTokenClaims;
+ if (!sid && !sub) {
+ throw new Error(`The session must have a 'sid' or a 'sub'`);
+ }
+ const [logoutSid, logoutSub] = await Promise.all([
+ sid && get(`${issuer}|${sid}`),
+ sub && get(`${issuer}|${sub}`),
+ ]);
+ return !!(logoutSid || logoutSub);
+};
diff --git a/lib/hooks/backchannelLogout/onLogIn.js b/lib/hooks/backchannelLogout/onLogIn.js
new file mode 100644
index 00000000..d72bcb29
--- /dev/null
+++ b/lib/hooks/backchannelLogout/onLogIn.js
@@ -0,0 +1,13 @@
+const { promisify } = require('util');
+const { get: getClient } = require('../../client');
+
+// Remove any Back-Channel Logout tokens for this `sub`
+module.exports = async (req, config) => {
+ const {
+ issuer: { issuer },
+ } = await getClient(config);
+ const { session, backchannelLogout } = config;
+ const store = (backchannelLogout && backchannelLogout.store) || session.store;
+ const destroy = promisify(store.destroy).bind(store);
+ await destroy(`${issuer}|${req.oidc.idTokenClaims.sub}`);
+};
diff --git a/lib/hooks/backchannelLogout/onLogoutToken.js b/lib/hooks/backchannelLogout/onLogoutToken.js
new file mode 100644
index 00000000..f9be8fd2
--- /dev/null
+++ b/lib/hooks/backchannelLogout/onLogoutToken.js
@@ -0,0 +1,39 @@
+const { promisify } = require('util');
+
+// Default hook stores an entry in the logout store for `sid` (if available) and `sub` (if available).
+module.exports = async (token, config) => {
+ const {
+ session: {
+ absoluteDuration,
+ rolling: rollingEnabled,
+ rollingDuration,
+ store,
+ },
+ backchannelLogout,
+ } = config;
+ const backchannelLogoutStore =
+ (backchannelLogout && backchannelLogout.store) || store;
+ const maxAge =
+ (rollingEnabled
+ ? Math.min(absoluteDuration, rollingDuration)
+ : absoluteDuration) * 1000;
+ const payload = {
+ // The "cookie" prop makes the payload compatible with
+ // `express-session` stores.
+ cookie: {
+ expires: Date.now() + maxAge,
+ maxAge,
+ },
+ };
+ const set = promisify(backchannelLogoutStore.set).bind(
+ backchannelLogoutStore
+ );
+ const { iss, sid, sub } = token;
+ if (!sid && !sub) {
+ throw new Error(`The Logout Token must have a 'sid' or a 'sub'`);
+ }
+ await Promise.all([
+ sid && set(`${iss}|${sid}`, payload),
+ sub && set(`${iss}|${sub}`, payload),
+ ]);
+};
diff --git a/middleware/auth.js b/middleware/auth.js
index f071dcb3..651342b2 100644
--- a/middleware/auth.js
+++ b/middleware/auth.js
@@ -7,6 +7,7 @@ const attemptSilentLogin = require('./attemptSilentLogin');
const TransientCookieHandler = require('../lib/transientHandler');
const { RequestContext, ResponseContext } = require('../lib/context');
const appSession = require('../lib/appSession');
+const isLoggedOut = require('../lib/hooks/backchannelLogout/isLoggedOut');
const enforceLeadingSlash = (path) => {
return path.split('')[0] === '/' ? path : '/' + path;
@@ -67,6 +68,33 @@ const auth = function (params) {
debug('callback handling route not applied');
}
+ if (config.backchannelLogout) {
+ const path = enforceLeadingSlash(config.routes.backchannelLogout);
+ debug('adding POST %s route', path);
+ router.post(path, express.urlencoded({ extended: false }), (req, res) =>
+ res.oidc.backchannelLogout()
+ );
+
+ if (config.backchannelLogout.isLoggedOut !== false) {
+ const isLoggedOutFn = config.backchannelLogout.isLoggedOut || isLoggedOut;
+ router.use(async (req, res, next) => {
+ if (!req.oidc.isAuthenticated()) {
+ next();
+ return;
+ }
+ try {
+ const loggedOut = await isLoggedOutFn(req, config);
+ if (loggedOut) {
+ req[config.session.name] = undefined;
+ }
+ next();
+ } catch (e) {
+ next(e);
+ }
+ });
+ }
+ }
+
if (config.authRequired) {
debug(
'authentication is required for all routes this middleware is applied to'
diff --git a/package-lock.json b/package-lock.json
index 23550b16..d36160b1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -30,7 +30,7 @@
"dotenv": "^8.2.0",
"eslint": "^5.16.0",
"express": "^4.18.2",
- "express-oauth2-jwt-bearer": "^1.1.0",
+ "express-oauth2-jwt-bearer": "^1.5.0",
"husky": "^4.2.5",
"lodash": "^4.17.15",
"memorystore": "^1.6.4",
@@ -2699,21 +2699,21 @@
}
},
"node_modules/express-oauth2-jwt-bearer": {
- "version": "1.1.0",
- "resolved": "https://registry.npmjs.org/express-oauth2-jwt-bearer/-/express-oauth2-jwt-bearer-1.1.0.tgz",
- "integrity": "sha512-T9sSmGftzMACOH1oY2gniHkiJ53dWjPgIUD/CrJDL5Ss5PeX+PAol53upd7eaKLiLn/vp+AMTefxkkDIPEJXBQ==",
+ "version": "1.5.0",
+ "resolved": "https://registry.npmjs.org/express-oauth2-jwt-bearer/-/express-oauth2-jwt-bearer-1.5.0.tgz",
+ "integrity": "sha512-C8avk1VfopX3zjqfTLg9EuYFjNRdmXdYncBoZGmjxQzGx7cQRiupeWV5r3G2SYGzx0gDw1uyu1cdJrmILOvd3g==",
"dev": true,
"dependencies": {
- "jose": "^4.3.7"
+ "jose": "^4.13.1"
},
"engines": {
- "node": "12.19.0 || ^14.15.0 || ^16.13.0"
+ "node": "^12.19.0 || ^14.15.0 || ^16.13.0 || ^18.12.0 || ^20.2.0"
}
},
"node_modules/express-oauth2-jwt-bearer/node_modules/jose": {
- "version": "4.8.3",
- "resolved": "https://registry.npmjs.org/jose/-/jose-4.8.3.tgz",
- "integrity": "sha512-7rySkpW78d8LBp4YU70Wb7+OTgE3OwAALNVZxhoIhp4Kscp+p/fBkdpxGAMKxvCAMV4QfXBU9m6l9nX/vGwd2g==",
+ "version": "4.14.6",
+ "resolved": "https://registry.npmjs.org/jose/-/jose-4.14.6.tgz",
+ "integrity": "sha512-EqJPEUlZD0/CSUMubKtMaYUOtWe91tZXTWMJZoKSbLk+KtdhNdcvppH8lA9XwVu2V4Ailvsj0GBZJ2ZwDjfesQ==",
"dev": true,
"funding": {
"url": "https://github.com/sponsors/panva"
@@ -10597,18 +10597,18 @@
}
},
"express-oauth2-jwt-bearer": {
- "version": "1.1.0",
- "resolved": "https://registry.npmjs.org/express-oauth2-jwt-bearer/-/express-oauth2-jwt-bearer-1.1.0.tgz",
- "integrity": "sha512-T9sSmGftzMACOH1oY2gniHkiJ53dWjPgIUD/CrJDL5Ss5PeX+PAol53upd7eaKLiLn/vp+AMTefxkkDIPEJXBQ==",
+ "version": "1.5.0",
+ "resolved": "https://registry.npmjs.org/express-oauth2-jwt-bearer/-/express-oauth2-jwt-bearer-1.5.0.tgz",
+ "integrity": "sha512-C8avk1VfopX3zjqfTLg9EuYFjNRdmXdYncBoZGmjxQzGx7cQRiupeWV5r3G2SYGzx0gDw1uyu1cdJrmILOvd3g==",
"dev": true,
"requires": {
- "jose": "^4.3.7"
+ "jose": "^4.13.1"
},
"dependencies": {
"jose": {
- "version": "4.8.3",
- "resolved": "https://registry.npmjs.org/jose/-/jose-4.8.3.tgz",
- "integrity": "sha512-7rySkpW78d8LBp4YU70Wb7+OTgE3OwAALNVZxhoIhp4Kscp+p/fBkdpxGAMKxvCAMV4QfXBU9m6l9nX/vGwd2g==",
+ "version": "4.14.6",
+ "resolved": "https://registry.npmjs.org/jose/-/jose-4.14.6.tgz",
+ "integrity": "sha512-EqJPEUlZD0/CSUMubKtMaYUOtWe91tZXTWMJZoKSbLk+KtdhNdcvppH8lA9XwVu2V4Ailvsj0GBZJ2ZwDjfesQ==",
"dev": true
}
}
diff --git a/package.json b/package.json
index 78927b00..4ecb2f7c 100644
--- a/package.json
+++ b/package.json
@@ -47,7 +47,7 @@
"dotenv": "^8.2.0",
"eslint": "^5.16.0",
"express": "^4.18.2",
- "express-oauth2-jwt-bearer": "^1.1.0",
+ "express-oauth2-jwt-bearer": "^1.5.0",
"husky": "^4.2.5",
"lodash": "^4.17.15",
"memorystore": "^1.6.4",
diff --git a/test/appSession.customStore.tests.js b/test/appSession.customStore.tests.js
index c7723ae9..e0d147ce 100644
--- a/test/appSession.customStore.tests.js
+++ b/test/appSession.customStore.tests.js
@@ -1,4 +1,3 @@
-const { promisify } = require('util');
const express = require('express');
const { assert } = require('chai').use(require('chai-as-promised'));
const request = require('request-promise-native').defaults({
@@ -9,9 +8,8 @@ const request = require('request-promise-native').defaults({
const appSession = require('../lib/appSession');
const { get: getConfig } = require('../lib/config');
const { create: createServer } = require('./fixture/server');
-const redis = require('redis-mock');
const { getKeyStore, signCookie } = require('../lib/crypto');
-const RedisStore = require('connect-redis')({ Store: class Store {} });
+const getRedisStore = require('./fixture/store');
const defaultConfig = {
clientID: '__test_client_id__',
@@ -58,12 +56,8 @@ describe('appSession custom store', () => {
let signedCookieValue;
const setup = async (config) => {
- redisClient = redis.createClient();
- const store = new RedisStore({ client: redisClient, prefix: '' });
- redisClient.asyncSet = promisify(redisClient.set).bind(redisClient);
- redisClient.asyncGet = promisify(redisClient.get).bind(redisClient);
- redisClient.asyncDbsize = promisify(redisClient.dbsize).bind(redisClient);
- redisClient.asyncTtl = promisify(redisClient.ttl).bind(redisClient);
+ const { client, store } = getRedisStore();
+ redisClient = client;
const conf = getConfig({
...defaultConfig,
@@ -232,8 +226,7 @@ describe('appSession custom store', () => {
json: true,
});
assert.equal(res.statusCode, 200);
- const storedSessionJson = await redisClient.asyncGet(immId);
- const { data: sessionValues } = JSON.parse(storedSessionJson);
+ const { data: sessionValues } = await redisClient.asyncGet(immId);
assert.deepEqual(sessionValues, {
sub: '__foo_user__',
role: 'test',
@@ -278,9 +271,9 @@ describe('appSession custom store', () => {
it('should not throw if another mw writes the header', async () => {
const app = express();
- redisClient = redis.createClient();
- const store = new RedisStore({ client: redisClient, prefix: '' });
- await promisify(redisClient.set).bind(redisClient)('foo', sessionData());
+ const { client, store } = getRedisStore();
+ redisClient = client;
+ await redisClient.set('foo', sessionData());
const conf = getConfig({
...defaultConfig,
diff --git a/test/backchannelLogout.tests.js b/test/backchannelLogout.tests.js
new file mode 100644
index 00000000..951b0600
--- /dev/null
+++ b/test/backchannelLogout.tests.js
@@ -0,0 +1,289 @@
+const { assert } = require('chai');
+const onLogin = require('../lib/hooks/backchannelLogout/onLogIn');
+const { get: getConfig } = require('../lib/config');
+const { create: createServer } = require('./fixture/server');
+const { makeIdToken, makeLogoutToken } = require('./fixture/cert');
+const { auth } = require('./..');
+const getRedisStore = require('./fixture/store');
+
+const baseUrl = 'http://localhost:3000';
+
+const request = require('request-promise-native').defaults({
+ simple: false,
+ resolveWithFullResponse: true,
+ baseUrl,
+ json: true,
+});
+
+const login = async (idToken) => {
+ const jar = request.jar();
+ await request.post({
+ uri: '/session',
+ json: {
+ id_token: idToken || makeIdToken(),
+ },
+ jar,
+ });
+
+ const session = (await request.get({ uri: '/session', jar })).body;
+ return { jar, session };
+};
+
+describe('back-channel logout', async () => {
+ let server;
+ let client;
+ let store;
+ let config;
+
+ beforeEach(() => {
+ ({ client, store } = getRedisStore());
+ config = {
+ clientID: '__test_client_id__',
+ baseURL: 'http://example.org',
+ issuerBaseURL: 'https://op.example.com',
+ secret: '__test_session_secret__',
+ authRequired: false,
+ backchannelLogout: { store },
+ };
+ });
+
+ afterEach(async () => {
+ if (server) {
+ server.close();
+ }
+ if (client) {
+ await new Promise((resolve) => client.flushall(resolve));
+ await new Promise((resolve) => client.quit(resolve));
+ }
+ });
+
+ it('should only handle post requests', async () => {
+ server = await createServer(auth(config));
+
+ for (const method of ['get', 'put', 'patch', 'delete']) {
+ const res = await request('/backchannel-logout', {
+ method,
+ });
+ assert.equal(res.statusCode, 404);
+ }
+ });
+
+ it('should require a logout token', async () => {
+ server = await createServer(auth(config));
+
+ const res = await request.post('/backchannel-logout');
+ assert.equal(res.statusCode, 400);
+ assert.deepEqual(res.body, {
+ error: 'invalid_request',
+ error_description: 'Missing logout_token',
+ });
+ });
+
+ it('should not cache the response', async () => {
+ server = await createServer(auth(config));
+
+ const res = await request.post('/backchannel-logout');
+ assert.equal(res.headers['cache-control'], 'no-store');
+ });
+
+ it('should accept and store a valid logout_token', async () => {
+ server = await createServer(auth(config));
+
+ const res = await request.post('/backchannel-logout', {
+ form: {
+ logout_token: makeLogoutToken({ sid: 'foo' }),
+ },
+ });
+ assert.equal(res.statusCode, 204);
+ const payload = await client.asyncGet('https://op.example.com/|foo');
+ assert.ok(payload);
+ });
+
+ it('should accept and store a valid logout_token signed with HS256', async () => {
+ server = await createServer(auth(config));
+
+ const res = await request.post('/backchannel-logout', {
+ form: {
+ logout_token: makeLogoutToken({
+ sid: 'foo',
+ secret: config.clientSecret,
+ }),
+ },
+ });
+ assert.equal(res.statusCode, 204);
+ const payload = await client.asyncGet('https://op.example.com/|foo');
+ assert.ok(payload);
+ });
+
+ it('should require a sid or a sub', async () => {
+ server = await createServer(auth(config));
+
+ const res = await request.post('/backchannel-logout', {
+ form: {
+ logout_token: makeLogoutToken(),
+ },
+ });
+ assert.equal(res.statusCode, 400);
+ });
+
+ it('should set a maxAge based on rolling expiry', async () => {
+ server = await createServer(
+ auth({ ...config, session: { rollingDuration: 999 } })
+ );
+
+ const res = await request.post('/backchannel-logout', {
+ form: {
+ logout_token: makeLogoutToken({ sid: 'foo' }),
+ },
+ });
+ assert.equal(res.statusCode, 204);
+ const { cookie } = await client.asyncGet('https://op.example.com/|foo');
+ assert.equal(cookie.maxAge, 999 * 1000);
+ const ttl = await client.asyncTtl('https://op.example.com/|foo');
+ assert.closeTo(ttl, 999, 5);
+ });
+
+ it('should set a maxAge based on absolute expiry', async () => {
+ server = await createServer(
+ auth({ ...config, session: { absoluteDuration: 999, rolling: false } })
+ );
+
+ const res = await request.post('/backchannel-logout', {
+ form: {
+ logout_token: makeLogoutToken({ sid: 'foo' }),
+ },
+ });
+ assert.equal(res.statusCode, 204);
+ const { cookie } = await client.asyncGet('https://op.example.com/|foo');
+ assert.equal(cookie.maxAge, 999 * 1000);
+ const ttl = await client.asyncTtl('https://op.example.com/|foo');
+ assert.closeTo(ttl, 999, 5);
+ });
+
+ it('should fail if storing the token fails', async () => {
+ server = await createServer(
+ auth({
+ ...config,
+ backchannelLogout: {
+ ...config.backchannelLogout,
+ onLogoutToken() {
+ throw new Error('storage failure');
+ },
+ },
+ })
+ );
+
+ const res = await request.post('/backchannel-logout', {
+ form: {
+ logout_token: makeLogoutToken({ sid: 'foo' }),
+ },
+ });
+ assert.equal(res.statusCode, 400);
+ assert.equal(res.body.error, 'application_error');
+ });
+
+ it('should log sid out on subsequent requests', async () => {
+ server = await createServer(auth(config));
+ const { jar } = await login(makeIdToken({ sid: '__foo_sid__' }));
+ let body;
+ ({ body } = await request.get('/session', {
+ jar,
+ }));
+ assert.isNotEmpty(body);
+ assert.isNotEmpty(jar.getCookies(baseUrl));
+
+ const res = await request.post('/backchannel-logout', {
+ baseUrl,
+ form: {
+ logout_token: makeLogoutToken({ sid: '__foo_sid__' }),
+ },
+ });
+ assert.equal(res.statusCode, 204);
+ const payload = await client.asyncGet(
+ 'https://op.example.com/|__foo_sid__'
+ );
+ assert.ok(payload);
+ ({ body } = await request.get('/session', {
+ jar,
+ }));
+ assert.isEmpty(jar.getCookies(baseUrl));
+ assert.isUndefined(body);
+ });
+
+ it('should log sub out on subsequent requests', async () => {
+ server = await createServer(auth(config));
+ const { jar } = await login(makeIdToken({ sub: '__foo_sub__' }));
+ let body;
+ ({ body } = await request.get('/session', {
+ jar,
+ }));
+ assert.isNotEmpty(body);
+ assert.isNotEmpty(jar.getCookies(baseUrl));
+
+ const res = await request.post('/backchannel-logout', {
+ baseUrl,
+ form: {
+ logout_token: makeLogoutToken({ sub: '__foo_sub__' }),
+ },
+ });
+ assert.equal(res.statusCode, 204);
+ const payload = await client.asyncGet(
+ 'https://op.example.com/|__foo_sub__'
+ );
+ assert.ok(payload);
+ ({ body } = await request.get('/session', {
+ jar,
+ }));
+ assert.isEmpty(jar.getCookies(baseUrl));
+ assert.isUndefined(body);
+ });
+
+ it('should not log sub out if login is after back-channel logout', async () => {
+ server = await createServer(auth(config));
+
+ const { jar } = await login(makeIdToken({ sub: '__foo_sub__' }));
+
+ const res = await request.post('/backchannel-logout', {
+ baseUrl,
+ form: {
+ logout_token: makeLogoutToken({ sub: '__foo_sub__' }),
+ },
+ });
+ assert.equal(res.statusCode, 204);
+ let payload = await client.asyncGet('https://op.example.com/|__foo_sub__');
+ assert.ok(payload);
+
+ await onLogin(
+ { oidc: { idTokenClaims: { sub: '__foo_sub__' } } },
+ getConfig(config)
+ );
+ payload = await client.asyncGet('https://op.example.com/|__foo_sub__');
+ assert.notOk(payload);
+
+ const { body } = await request.get('/session', {
+ jar,
+ });
+ assert.isNotEmpty(jar.getCookies(baseUrl));
+ assert.isNotEmpty(body);
+ });
+
+ it('should handle failures to get logout token', async () => {
+ server = await createServer(
+ auth({
+ ...config,
+ backchannelLogout: {
+ ...config.backchannelLogout,
+ isLoggedOut() {
+ throw new Error('storage failure');
+ },
+ },
+ })
+ );
+ const { jar } = await login(makeIdToken({ sid: '__foo_sid__' }));
+ let body;
+ ({ body } = await request.get('/session', {
+ jar,
+ }));
+ assert.deepEqual(body, { err: { message: 'storage failure' } });
+ });
+});
diff --git a/test/callback.tests.js b/test/callback.tests.js
index d379e869..cd74c82f 100644
--- a/test/callback.tests.js
+++ b/test/callback.tests.js
@@ -16,9 +16,8 @@ const clientID = '__test_client_id__';
const expectedDefaultState = encodeState({ returnTo: 'https://example.org' });
const nock = require('nock');
const MemoryStore = require('memorystore')(auth);
-const privateKey = require('fs').readFileSync(
- require('path').join(__dirname, '../examples', 'private-key.pem')
-);
+const { privatePEM: privateKey } = require('../end-to-end/fixture/jwk');
+const getRedisStore = require('./fixture/store');
const baseUrl = 'http://localhost:3000';
const defaultConfig = {
@@ -599,6 +598,103 @@ describe('callback response_mode: form_post', () => {
);
});
+ it('should retain sid after token refresh', async () => {
+ const idTokenWithSid = makeIdToken({
+ c_hash: '77QmUPtjPfzWtF2AnpK9RQ',
+ sid: 'foo',
+ });
+ const idTokenNoSid = makeIdToken({
+ c_hash: '77QmUPtjPfzWtF2AnpK9RQ',
+ });
+
+ const authOpts = {
+ ...defaultConfig,
+ clientSecret: '__test_client_secret__',
+ authorizationParams: {
+ response_type: 'code id_token',
+ audience: 'https://api.example.com/',
+ scope: 'openid profile email read:reports offline_access',
+ },
+ };
+ const router = auth(authOpts);
+ router.get('/refresh', async (req, res) => {
+ const accessToken = await req.oidc.accessToken.refresh();
+ res.json({
+ accessToken,
+ refreshToken: req.oidc.refreshToken,
+ });
+ });
+
+ const { jar } = await setup({
+ router,
+ authOpts: {
+ clientSecret: '__test_client_secret__',
+ authorizationParams: {
+ response_type: 'code id_token',
+ audience: 'https://api.example.com/',
+ scope: 'openid profile email read:reports offline_access',
+ },
+ },
+ cookies: generateCookies({
+ state: expectedDefaultState,
+ nonce: '__test_nonce__',
+ }),
+ body: {
+ state: expectedDefaultState,
+ id_token: idTokenWithSid,
+ code: 'jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y',
+ },
+ });
+
+ const reply = sinon.spy(() => ({
+ access_token: '__new_access_token__',
+ refresh_token: '__new_refresh_token__',
+ id_token: idTokenNoSid,
+ token_type: 'Bearer',
+ expires_in: 86400,
+ }));
+ const {
+ interceptors: [interceptor],
+ } = nock('https://op.example.com', { allowUnmocked: true })
+ .post('/oauth/token')
+ .reply(200, reply);
+
+ await request.get('/refresh', { baseUrl, jar });
+ const { body: newTokens } = await request.get('/tokens', {
+ baseUrl,
+ jar,
+ json: true,
+ });
+ nock.removeInterceptor(interceptor);
+
+ assert.equal(newTokens.accessToken.access_token, '__new_access_token__');
+ assert.equal(newTokens.idTokenClaims.sid, 'foo');
+ });
+
+ it('should remove any stale back-channel logout entries by sub', async () => {
+ const { client, store } = getRedisStore();
+ await client.asyncSet('https://op.example.com/|bcl-sub', '{}');
+ const idToken = makeIdToken({ sub: 'bcl-sub' });
+ const {
+ response: { statusCode },
+ } = await setup({
+ cookies: generateCookies({
+ state: expectedDefaultState,
+ nonce: '__test_nonce__',
+ }),
+ body: {
+ state: expectedDefaultState,
+ id_token: idToken,
+ },
+ authOpts: {
+ backchannelLogout: { store },
+ },
+ });
+ assert.equal(statusCode, 302);
+ const logout = await client.asyncGet('https://op.example.com/|bcl-sub');
+ assert.notOk(logout);
+ });
+
it('should refresh an access token and keep original refresh token', async () => {
const idToken = makeIdToken({
c_hash: '77QmUPtjPfzWtF2AnpK9RQ',
diff --git a/test/client.tests.js b/test/client.tests.js
index d608182e..99e205a5 100644
--- a/test/client.tests.js
+++ b/test/client.tests.js
@@ -30,7 +30,7 @@ describe('client initialization', function () {
let client;
beforeEach(async function () {
- client = await getClient(config);
+ ({ client } = await getClient(config));
});
it('should save the passed values', async function () {
@@ -99,7 +99,7 @@ describe('client initialization', function () {
})
);
- const client = await getClient(config);
+ const { client } = await getClient(config);
assert.equal(client.id_token_signed_response_alg, 'RS256');
});
});
@@ -115,12 +115,14 @@ describe('client initialization', function () {
};
it('should use discovered logout endpoint by default', async function () {
- const client = await getClient(getConfig(base));
+ const { client } = await getClient(getConfig(base));
assert.equal(client.endSessionUrl({}), wellKnown.end_session_endpoint);
});
it('should use auth0 logout endpoint if configured', async function () {
- const client = await getClient(getConfig({ ...base, auth0Logout: true }));
+ const { client } = await getClient(
+ getConfig({ ...base, auth0Logout: true })
+ );
assert.equal(
client.endSessionUrl({}),
'https://op.example.com/v2/logout?client_id=__test_client_id__'
@@ -131,7 +133,7 @@ describe('client initialization', function () {
nock('https://foo.auth0.com')
.get('/.well-known/openid-configuration')
.reply(200, { ...wellKnown, issuer: 'https://foo.auth0.com/' });
- const client = await getClient(
+ const { client } = await getClient(
getConfig({ ...base, issuerBaseURL: 'https://foo.auth0.com' })
);
assert.equal(
@@ -144,7 +146,7 @@ describe('client initialization', function () {
nock('https://foo.auth0.com')
.get('/.well-known/openid-configuration')
.reply(200, { ...wellKnown, issuer: 'https://foo.auth0.com/' });
- const client = await getClient(
+ const { client } = await getClient(
getConfig({
...base,
issuerBaseURL: 'https://foo.auth0.com',
@@ -165,7 +167,7 @@ describe('client initialization', function () {
issuer: 'https://foo.auth0.com/',
end_session_endpoint: 'https://foo.auth0.com/oidc/logout',
});
- const client = await getClient(
+ const { client } = await getClient(
getConfig({
...base,
issuerBaseURL: 'https://foo.auth0.com',
@@ -186,7 +188,7 @@ describe('client initialization', function () {
issuer: 'https://op2.example.com',
end_session_endpoint: undefined,
});
- const client = await getClient(
+ const { client } = await getClient(
getConfig({ ...base, issuerBaseURL: 'https://op2.example.com' })
);
assert.throws(() => client.endSessionUrl({}));
@@ -221,21 +223,21 @@ describe('client initialization', function () {
it('should not timeout for default', async function () {
mockRequest(0);
- const client = await getClient({ ...config });
+ const { client } = await getClient({ ...config });
const response = await invokeRequest(client);
assert.equal(response.statusCode, 200);
});
it('should not timeout for delay < httpTimeout', async function () {
mockRequest(1000);
- const client = await getClient({ ...config, httpTimeout: 1500 });
+ const { client } = await getClient({ ...config, httpTimeout: 1500 });
const response = await invokeRequest(client);
assert.equal(response.statusCode, 200);
});
it('should timeout for delay > httpTimeout', async function () {
mockRequest(1500);
- const client = await getClient({ ...config, httpTimeout: 500 });
+ const { client } = await getClient({ ...config, httpTimeout: 500 });
await expect(invokeRequest(client)).to.be.rejectedWith(
`Timeout awaiting 'request' for 500ms`
);
@@ -254,7 +256,7 @@ describe('client initialization', function () {
it('should send default UA header', async function () {
const handler = sinon.stub().returns([200]);
nock('https://op.example.com').get('/foo').reply(handler);
- const client = await getClient({ ...config });
+ const { client } = await getClient({ ...config });
await client.requestResource('https://op.example.com/foo');
expect(handler.firstCall.thisValue.req.headers['user-agent']).to.match(
/^express-openid-connect\//
@@ -264,7 +266,7 @@ describe('client initialization', function () {
it('should send custom UA header', async function () {
const handler = sinon.stub().returns([200]);
nock('https://op.example.com').get('/foo').reply(handler);
- const client = await getClient({ ...config, httpUserAgent: 'foo' });
+ const { client } = await getClient({ ...config, httpUserAgent: 'foo' });
await client.requestResource('https://op.example.com/foo');
expect(handler.firstCall.thisValue.req.headers['user-agent']).to.equal(
'foo'
@@ -287,7 +289,7 @@ describe('client initialization', function () {
it('should pass agent argument', async function () {
const handler = sinon.stub().returns([200]);
nock('https://op.example.com').get('/foo').reply(handler);
- const client = await getClient({ ...config });
+ const { client } = await getClient({ ...config });
expect(client[custom.http_options]({}).agent.https).to.eq(agent);
});
});
@@ -346,7 +348,7 @@ describe('client initialization', function () {
it('should set default client signing assertion alg', async function () {
const handler = sinon.stub().returns([200, {}]);
nock('https://op.example.com').post('/oauth/token').reply(handler);
- const client = await getClient(getConfig(config));
+ const { client } = await getClient(getConfig(config));
await client.grant();
const [, body] = handler.firstCall.args;
const jwt = new URLSearchParams(body).get('client_assertion');
@@ -359,7 +361,7 @@ describe('client initialization', function () {
it('should set custom client signing assertion alg', async function () {
const handler = sinon.stub().returns([200, {}]);
nock('https://op.example.com').post('/oauth/token').reply(handler);
- const client = await getClient({
+ const { client } = await getClient({
...getConfig(config),
clientAssertionSigningAlg: 'RS384',
});
@@ -394,7 +396,7 @@ describe('client initialization', function () {
.get('/.well-known/openid-configuration')
.reply(200, spy);
- const client = await getClient(config);
+ const { client } = await getClient(config);
await getClient(config);
await getClient(config);
expect(client.client_id).to.eq('__test_cache_max_age_client_id__');
@@ -423,7 +425,7 @@ describe('client initialization', function () {
.get('/.well-known/openid-configuration')
.reply(200, spy);
- const client = await getClient(config);
+ const { client } = await getClient(config);
await getClient({ ...config });
await getClient({ ...config });
expect(client.client_id).to.eq('__test_cache_max_age_client_id__');
@@ -442,7 +444,7 @@ describe('client initialization', function () {
.get('/.well-known/openid-configuration')
.reply(200, spy);
- const client = await getClient(config);
+ const { client } = await getClient(config);
clock.tick(10 * mins + 1);
await getClient(config);
clock.tick(1 * mins);
@@ -465,7 +467,7 @@ describe('client initialization', function () {
.reply(200, spy);
config = { ...config, discoveryCacheMaxAge: 20 * mins };
- const client = await getClient(config);
+ const { client } = await getClient(config);
clock.tick(10 * mins + 1);
await getClient(config);
expect(spy.callCount).to.eq(1);
@@ -489,7 +491,7 @@ describe('client initialization', function () {
await assert.isRejected(getClient(config));
- const client = await getClient(config);
+ const { client } = await getClient(config);
expect(client.client_id).to.eq('__test_cache_max_age_client_id__');
expect(spy.callCount).to.eq(1);
});
@@ -509,7 +511,7 @@ describe('client initialization', function () {
assert.isRejected(getClient(config)),
assert.isRejected(getClient(config)),
]);
- const client = await getClient(config);
+ const { client } = await getClient(config);
expect(client.client_id).to.eq('__test_cache_max_age_client_id__');
expect(spy.callCount).to.eq(1);
});
diff --git a/test/config.tests.js b/test/config.tests.js
index beb63559..70db0112 100644
--- a/test/config.tests.js
+++ b/test/config.tests.js
@@ -857,4 +857,43 @@ describe('get config', () => {
});
}
});
+
+ it('should require a session store for back-channel logout', () => {
+ assert.throws(
+ () => getConfig({ ...defaultConfig, backchannelLogout: true }),
+ TypeError,
+ `Back-Channel Logout requires a "backchannelLogout.store" (you can also reuse "session.store" if you have stateful sessions) or custom hooks for "isLoggedOut" and "onLogoutToken".`
+ );
+ });
+
+ it(`should configure back-channel logout with it's own store`, () => {
+ assert.doesNotThrow(() =>
+ getConfig({
+ ...defaultConfig,
+ backchannelLogout: { store: {} },
+ })
+ );
+ });
+
+ it(`should configure back-channel logout with a shared store`, () => {
+ assert.doesNotThrow(() =>
+ getConfig({
+ ...defaultConfig,
+ backchannelLogout: true,
+ session: { store: {} },
+ })
+ );
+ });
+
+ it(`should configure back-channel logout with custom hooks`, () => {
+ assert.doesNotThrow(() =>
+ getConfig({
+ ...defaultConfig,
+ backchannelLogout: {
+ isLoggedOut: () => {},
+ onLogoutToken: () => {},
+ },
+ })
+ );
+ });
});
diff --git a/test/fixture/cert.js b/test/fixture/cert.js
index d5c3626c..cc3e0ece 100644
--- a/test/fixture/cert.js
+++ b/test/fixture/cert.js
@@ -1,21 +1,15 @@
const { JWK, JWKS, JWT } = require('jose');
+const crypto = require('crypto');
const key = JWK.asKey({
e: 'AQAB',
- n:
- 'wQrThQ9HKf8ksCQEzqOu0ofF8DtLJgexeFSQBNnMQetACzt4TbHPpjhTWUIlD8bFCkyx88d2_QV3TewMtfS649Pn5hV6adeYW2TxweAA8HVJxskcqTSa_ktojQ-cD43HIStsbqJhHoFv0UY6z5pwJrVPT-yt38ciKo9Oc9IhEl6TSw-zAnuNW0zPOhKjuiIqpAk1lT3e6cYv83ahx82vpx3ZnV83dT9uRbIbcgIpK4W64YnYb5uDH7hGI8-4GnalZDfdApTu-9Y8lg_1v5ul-eQDsLCkUCPkqBaNiCG3gfZUAKp9rrFRE_cJTv_MJn-y_XSTMWILvTY7vdSMRMo4kQ',
- d:
- 'EMHY1K8b1VhxndyykiGBVoM0uoLbJiT60eA9VD53za0XNSJncg8iYGJ5UcE9KF5v0lIQDIJfIN2tmpUIEW96HbbSZZWtt6xgbGaZ2eOREU6NJfVlSIbpgXOYUs5tFKiRBZ8YXY448gX4Z-k5x7W3UJTimqSH_2nw3FLuU32FI2vtf4ToUKEcoUdrIqoAwZ1et19E7Q_NCG2y1nez0LpD8PKgfeX1OVHdQm7434-9FS-R_eMcxqZ6mqZO2QDuign8SPHTR-KooAe8B-0MpZb7QF3YtMSQk8RlrMUcAYwv8R8dvFergCjauH0hOHvtKPq6Smj0VuimelEUZfp94r3pBQ',
- p:
- '9i2D_PLFPnFfztYccTGxzgiXezRpMsXD2Z9PA7uxw0sXnkV1TjZkSc3V_59RxyiTtvYlNCbGYShds__ogXouuYqbWaC43_zj3eGqAWL3i5C-k1u4S3ekgKn8AkGjlqCObuyLRsPvDfBkv1wo2tfIAEoNg_sHYIIRkTq68g58if8',
- q:
- 'yL6UUD_MB_pCHwf6LvNC2k0lfHHOxfW3lOo_XTqt9dg9yTO21OS4BF7Uce1kFJJIfuGrK6cMmusHKkSsJm1_khR3G9owokrBDFOZ_iSWvt3qIG5K3CNgl1_C8NqTeyKEVziCCiaL9CZpwfqHIVNnDCchGNkpVRqsfHmzPEnXnW8',
- dp:
- 'rFf3FEn9rpZ-pXYeGVzaBszbCAUMNOBhGWS_U3S-oWNb2JD169iGY2j4DWpDPTN6Hle6egU_UtuIpjBdXO_l8D1KPvgXFbCc8kQ-2ZOojAu8b7uBjUvoXa8jX40Gcrhanut5IgSfwlluns1tSLBSM2mkhqZiZr0IgWzlXfqoU48',
- dq:
- 'kihQC-2nO9e19Kn2OeDbt92bgXPLPM6ej0nOQK7MocaDlc6VO4QbhvMUcq6Iw4GOTvM3kVzbDKA6Y0gEnyXyUAWegyTlbARJchQcdrFlICqqoFotHwKS_SO352z9HBYRjP-TjphqJaUiMx2Y7WawDGUg79qNAW2eUDK7kRWiavk',
- qi:
- '8hAW25CmPjLAXpzkMpXpXsvJKdgql0Zjt-OeSVwzQN5dLYmu-Q98Xl5n8H-Nfr8aOmPfHBQ8M9FOMpxbgg8gbqixpkrxcTIGjpuH8RFYXj_0TYSBkCSOoc7tAP7YjOUOGJMqFHDYZVD-gmsCuRwWx3jKFxRrWLS5b8kWzkON0bM',
+ n: 'wQrThQ9HKf8ksCQEzqOu0ofF8DtLJgexeFSQBNnMQetACzt4TbHPpjhTWUIlD8bFCkyx88d2_QV3TewMtfS649Pn5hV6adeYW2TxweAA8HVJxskcqTSa_ktojQ-cD43HIStsbqJhHoFv0UY6z5pwJrVPT-yt38ciKo9Oc9IhEl6TSw-zAnuNW0zPOhKjuiIqpAk1lT3e6cYv83ahx82vpx3ZnV83dT9uRbIbcgIpK4W64YnYb5uDH7hGI8-4GnalZDfdApTu-9Y8lg_1v5ul-eQDsLCkUCPkqBaNiCG3gfZUAKp9rrFRE_cJTv_MJn-y_XSTMWILvTY7vdSMRMo4kQ',
+ d: 'EMHY1K8b1VhxndyykiGBVoM0uoLbJiT60eA9VD53za0XNSJncg8iYGJ5UcE9KF5v0lIQDIJfIN2tmpUIEW96HbbSZZWtt6xgbGaZ2eOREU6NJfVlSIbpgXOYUs5tFKiRBZ8YXY448gX4Z-k5x7W3UJTimqSH_2nw3FLuU32FI2vtf4ToUKEcoUdrIqoAwZ1et19E7Q_NCG2y1nez0LpD8PKgfeX1OVHdQm7434-9FS-R_eMcxqZ6mqZO2QDuign8SPHTR-KooAe8B-0MpZb7QF3YtMSQk8RlrMUcAYwv8R8dvFergCjauH0hOHvtKPq6Smj0VuimelEUZfp94r3pBQ',
+ p: '9i2D_PLFPnFfztYccTGxzgiXezRpMsXD2Z9PA7uxw0sXnkV1TjZkSc3V_59RxyiTtvYlNCbGYShds__ogXouuYqbWaC43_zj3eGqAWL3i5C-k1u4S3ekgKn8AkGjlqCObuyLRsPvDfBkv1wo2tfIAEoNg_sHYIIRkTq68g58if8',
+ q: 'yL6UUD_MB_pCHwf6LvNC2k0lfHHOxfW3lOo_XTqt9dg9yTO21OS4BF7Uce1kFJJIfuGrK6cMmusHKkSsJm1_khR3G9owokrBDFOZ_iSWvt3qIG5K3CNgl1_C8NqTeyKEVziCCiaL9CZpwfqHIVNnDCchGNkpVRqsfHmzPEnXnW8',
+ dp: 'rFf3FEn9rpZ-pXYeGVzaBszbCAUMNOBhGWS_U3S-oWNb2JD169iGY2j4DWpDPTN6Hle6egU_UtuIpjBdXO_l8D1KPvgXFbCc8kQ-2ZOojAu8b7uBjUvoXa8jX40Gcrhanut5IgSfwlluns1tSLBSM2mkhqZiZr0IgWzlXfqoU48',
+ dq: 'kihQC-2nO9e19Kn2OeDbt92bgXPLPM6ej0nOQK7MocaDlc6VO4QbhvMUcq6Iw4GOTvM3kVzbDKA6Y0gEnyXyUAWegyTlbARJchQcdrFlICqqoFotHwKS_SO352z9HBYRjP-TjphqJaUiMx2Y7WawDGUg79qNAW2eUDK7kRWiavk',
+ qi: '8hAW25CmPjLAXpzkMpXpXsvJKdgql0Zjt-OeSVwzQN5dLYmu-Q98Xl5n8H-Nfr8aOmPfHBQ8M9FOMpxbgg8gbqixpkrxcTIGjpuH8RFYXj_0TYSBkCSOoc7tAP7YjOUOGJMqFHDYZVD-gmsCuRwWx3jKFxRrWLS5b8kWzkON0bM',
kty: 'RSA',
use: 'sig',
alg: 'RS256',
@@ -45,3 +39,25 @@ module.exports.makeIdToken = (payload) => {
header: { kid: key.kid },
});
};
+
+module.exports.makeLogoutToken = ({ payload, sid, sub, secret } = {}) => {
+ return JWT.sign(
+ {
+ events: {
+ 'http://schemas.openid.net/event/backchannel-logout': {},
+ },
+ ...(sid && { sid }),
+ ...(sub && { sub }),
+ },
+ secret || key.toPEM(true),
+ {
+ issuer: 'https://op.example.com/',
+ audience: '__test_client_id__',
+ iat: true,
+ jti: crypto.randomBytes(16).toString('hex'),
+ algorithm: secret ? 'HS256' : 'RS256',
+ header: { typ: 'logout+jwt' },
+ ...payload,
+ }
+ );
+};
diff --git a/test/fixture/store.js b/test/fixture/store.js
new file mode 100644
index 00000000..7e7d5369
--- /dev/null
+++ b/test/fixture/store.js
@@ -0,0 +1,17 @@
+const { promisify } = require('util');
+const redis = require('redis-mock');
+const RedisStore = require('connect-redis')({ Store: class Store {} });
+
+module.exports = () => {
+ const client = redis.createClient();
+ const store = new RedisStore({ client: client, prefix: '' });
+ client.asyncSet = promisify(client.set).bind(client);
+ const get = promisify(client.get).bind(client);
+ client.asyncGet = async (id) => {
+ const val = await get(id);
+ return val ? JSON.parse(val) : val;
+ };
+ client.asyncDbsize = promisify(client.dbsize).bind(client);
+ client.asyncTtl = promisify(client.ttl).bind(client);
+ return { client, store };
+};
diff --git a/test/login.tests.js b/test/login.tests.js
index 255804a2..44655bc2 100644
--- a/test/login.tests.js
+++ b/test/login.tests.js
@@ -354,7 +354,6 @@ describe('auth', () => {
baseUrl,
followRedirect: false,
});
- console.log(res);
assert.equal(res.statusCode, 302);
const parsed = url.parse(res.headers.location, true);
@@ -596,7 +595,6 @@ describe('auth', () => {
json: true,
});
assert.equal(res.statusCode, 500);
- console.log(res.body.err.message);
assert.match(
res.body.err.message,
/^Issuer.discover\(\) failed/,
diff --git a/test/logout.tests.js b/test/logout.tests.js
index f7d7b87a..21bfe36e 100644
--- a/test/logout.tests.js
+++ b/test/logout.tests.js
@@ -343,7 +343,6 @@ describe('logout route', async () => {
json: true,
});
assert.equal(res.statusCode, 500);
- console.log(res.body.err.message);
assert.match(
res.body.err.message,
/^Issuer.discover\(\) failed/,