backchannel logout token verification #383

Closed
d3vv3 opened this issue Sep 6, 2022 · 5 comments · Fixed by #484
Labels
closed:stale Issue or PR has not seen activity recently enhancement New feature or request

Comments

@d3vv3

d3vv3 commented Sep 6, 2022

Describe the problem you'd like to have solved

There is currently no implementation of backchannel-logout stated here.

Describe the ideal solution

There should be some sort of path for it (/backchannel-logout for example) to handle the logout_token verification.

Alternatives and current work-arounds

Somehow accessing the private key stated in the lib/appSession.js file and using:

const jose = require('jose'); // jose v2-style API: JWT.LogoutToken.verify

// keyOrStore: the OP's verification key (or a JWKS key store); the
// issuer, audience and algorithm list pin the expected claims and alg.
jose.JWT.LogoutToken.verify(
  logout_token,
  keyOrStore,
  {
    issuer: 'https://op.example.com',
    audience: 'urn:example:client_id',
    algorithms: ['PS256']
  }
);
@adamjmcgrath
Contributor

Hi @d3vv3 - thanks for your suggestion.

Do you have any opinions on how this SDK (or your app) would invalidate the session upon receiving the logout event?

@adamjmcgrath adamjmcgrath added the enhancement New feature or request label Sep 7, 2022
@d3vv3
Author

d3vv3 commented Sep 7, 2022

If I just decode the logout token, someone could be using his session to log out another user (if he had his logout token compromised). To invalidate the session, it would be enough to do a session.destroy() of some sort.

In the meantime, how can I access the private key to verify it on my own?

Also I am leaving here a backchannel logout summary for other people (Keycloak example):

  1. User sends logout request from one application
  2. The application sends logout request to Keycloak
  3. The Keycloak server invalidates the user session
  4. The Keycloak server then sends a backchannel request to the application at an admin URL that is associated with the session
  5. When an application receives the logout request it invalidates the corresponding HTTP session

Validation of the logout token is specified here

@adamjmcgrath
Contributor

adamjmcgrath commented Sep 7, 2022

Thanks for that @d3vv3

> In the meantime, how can I access the private key to verify it on my own?

You use a public key to verify the token in the same way you verify an ID Token, using the AS's well-known jwks_uri or a shared secret (client secret).

> 5. When an application receives the logout request it invalidates the corresponding HTTP session

This is what I'm interested in, how you would go about invalidating the session (especially a stateless session like the default for this SDK)

@adamjmcgrath
Contributor

Hi @d3vv3 - I have a branch with Back-Channel Logout implemented here https://github.com/auth0/express-openid-connect/blob/back-channel-logout/BACK_CHANNEL_LOGOUT.md

If you're planning on trying it out, would love to hear your feedback

@stale

stale bot commented May 21, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response from our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️
