feat: add front/backchannel logout params to client cli

cmd/cli/handler_client.go

@@ -102,23 +102,27 @@ func (h *ClientHandler) CreateClient(cmd *cobra.Command, args []string) {
  cmdx.Must(err, "Failed to load encryption key: %s", err)
 
  cc := models.OAuth2Client{
- ClientID: flagx.MustGetString(cmd, "id"),
- ClientSecret: secret,
- ResponseTypes: flagx.MustGetStringSlice(cmd, "response-types"),
- Scope: strings.Join(flagx.MustGetStringSlice(cmd, "scope"), " "),
- GrantTypes: flagx.MustGetStringSlice(cmd, "grant-types"),
- RedirectUris: flagx.MustGetStringSlice(cmd, "callbacks"),
- ClientName: flagx.MustGetString(cmd, "name"),
- TokenEndpointAuthMethod: flagx.MustGetString(cmd, "token-endpoint-auth-method"),
- JwksURI: flagx.MustGetString(cmd, "jwks-uri"),
- TosURI: flagx.MustGetString(cmd, "tos-uri"),
- PolicyURI: flagx.MustGetString(cmd, "policy-uri"),
- LogoURI: flagx.MustGetString(cmd, "logo-uri"),
- ClientURI: flagx.MustGetString(cmd, "client-uri"),
- AllowedCorsOrigins: flagx.MustGetStringSlice(cmd, "allowed-cors-origins"),
- SubjectType: flagx.MustGetString(cmd, "subject-type"),
- Audience: flagx.MustGetStringSlice(cmd, "audience"),
- PostLogoutRedirectUris: flagx.MustGetStringSlice(cmd, "post-logout-callbacks"),
+ ClientID: flagx.MustGetString(cmd, "id"),
+ ClientSecret: secret,
+ ResponseTypes: flagx.MustGetStringSlice(cmd, "response-types"),
+ Scope: strings.Join(flagx.MustGetStringSlice(cmd, "scope"), " "),
+ GrantTypes: flagx.MustGetStringSlice(cmd, "grant-types"),
+ RedirectUris: flagx.MustGetStringSlice(cmd, "callbacks"),
+ ClientName: flagx.MustGetString(cmd, "name"),
+ TokenEndpointAuthMethod: flagx.MustGetString(cmd, "token-endpoint-auth-method"),
+ JwksURI: flagx.MustGetString(cmd, "jwks-uri"),
+ TosURI: flagx.MustGetString(cmd, "tos-uri"),
+ PolicyURI: flagx.MustGetString(cmd, "policy-uri"),
+ LogoURI: flagx.MustGetString(cmd, "logo-uri"),
+ ClientURI: flagx.MustGetString(cmd, "client-uri"),
+ AllowedCorsOrigins: flagx.MustGetStringSlice(cmd, "allowed-cors-origins"),
+ SubjectType: flagx.MustGetString(cmd, "subject-type"),
+ Audience: flagx.MustGetStringSlice(cmd, "audience"),
+ PostLogoutRedirectUris: flagx.MustGetStringSlice(cmd, "post-logout-callbacks"),
+ BackchannelLogoutSessionRequired: flagx.MustGetBool(cmd, "backchannel-logout-session-required"),
+ BackchannelLogoutURI: flagx.MustGetString(cmd, "backchannel-logout-callback"),
+ FrontchannelLogoutSessionRequired: flagx.MustGetBool(cmd, "frontchannel-logout-session-required"),
+ FrontchannelLogoutURI: flagx.MustGetString(cmd, "frontchannel-logout-callback"),
  }
 
  response, err := m.Admin.CreateOAuth2Client(admin.NewCreateOAuth2ClientParams().WithBody(&cc))
@@ -163,23 +167,27 @@ func (h *ClientHandler) UpdateClient(cmd *cobra.Command, args []string) {
 
  id := args[0]
  cc := models.OAuth2Client{
- ClientID: id,
- ClientSecret: newSecret,
- ResponseTypes: flagx.MustGetStringSlice(cmd, "response-types"),
- Scope: strings.Join(flagx.MustGetStringSlice(cmd, "scope"), " "),
- GrantTypes: flagx.MustGetStringSlice(cmd, "grant-types"),
- RedirectUris: flagx.MustGetStringSlice(cmd, "callbacks"),
- ClientName: flagx.MustGetString(cmd, "name"),
- TokenEndpointAuthMethod: flagx.MustGetString(cmd, "token-endpoint-auth-method"),
- JwksURI: flagx.MustGetString(cmd, "jwks-uri"),
- TosURI: flagx.MustGetString(cmd, "tos-uri"),
- PolicyURI: flagx.MustGetString(cmd, "policy-uri"),
- LogoURI: flagx.MustGetString(cmd, "logo-uri"),
- ClientURI: flagx.MustGetString(cmd, "client-uri"),
- AllowedCorsOrigins: flagx.MustGetStringSlice(cmd, "allowed-cors-origins"),
- SubjectType: flagx.MustGetString(cmd, "subject-type"),
- Audience: flagx.MustGetStringSlice(cmd, "audience"),
- PostLogoutRedirectUris: flagx.MustGetStringSlice(cmd, "post-logout-callbacks"),
+ ClientID: id,
+ ClientSecret: newSecret,
+ ResponseTypes: flagx.MustGetStringSlice(cmd, "response-types"),
+ Scope: strings.Join(flagx.MustGetStringSlice(cmd, "scope"), " "),
+ GrantTypes: flagx.MustGetStringSlice(cmd, "grant-types"),
+ RedirectUris: flagx.MustGetStringSlice(cmd, "callbacks"),
+ ClientName: flagx.MustGetString(cmd, "name"),
+ TokenEndpointAuthMethod: flagx.MustGetString(cmd, "token-endpoint-auth-method"),
+ JwksURI: flagx.MustGetString(cmd, "jwks-uri"),
+ TosURI: flagx.MustGetString(cmd, "tos-uri"),
+ PolicyURI: flagx.MustGetString(cmd, "policy-uri"),
+ LogoURI: flagx.MustGetString(cmd, "logo-uri"),
+ ClientURI: flagx.MustGetString(cmd, "client-uri"),
+ AllowedCorsOrigins: flagx.MustGetStringSlice(cmd, "allowed-cors-origins"),
+ SubjectType: flagx.MustGetString(cmd, "subject-type"),
+ Audience: flagx.MustGetStringSlice(cmd, "audience"),
+ PostLogoutRedirectUris: flagx.MustGetStringSlice(cmd, "post-logout-callbacks"),
+ BackchannelLogoutSessionRequired: flagx.MustGetBool(cmd, "backchannel-logout-session-required"),
+ BackchannelLogoutURI: flagx.MustGetString(cmd, "backchannel-logout-callback"),
+ FrontchannelLogoutSessionRequired: flagx.MustGetBool(cmd, "frontchannel-logout-session-required"),
+ FrontchannelLogoutURI: flagx.MustGetString(cmd, "frontchannel-logout-callback"),
  }
 
  response, err := m.Admin.UpdateOAuth2Client(admin.NewUpdateOAuth2ClientParams().WithID(id).WithBody(&cc))

cmd/clients_create.go

@@ -63,6 +63,14 @@ func init() {
  clientsCreateCmd.Flags().StringP("name", "n", "", "The client's name")
  clientsCreateCmd.Flags().StringSlice("post-logout-callbacks", []string{}, "List of allowed URLs to be redirected to after a logout")
 
+ // back-channel logout options
+ clientsCreateCmd.Flags().Bool("backchannel-logout-session-required", false, "Boolean flag specifying whether the client requires that a sid (session ID) Claim be included in the Logout Token to identify the client session with the OP when the backchannel-logout-callback is used. If omitted, the default value is false.")
+ clientsCreateCmd.Flags().String("backchannel-logout-callback", "", "Client URL that will cause the client to log itself out when sent a Logout Token by Hydra.")
+
+ // front-channel logout options
+ clientsCreateCmd.Flags().Bool("frontchannel-logout-session-required", false, "Boolean flag specifying whether the client requires that a sid (session ID) Claim be included in the Logout Token to identify the client session with the OP when the frontchannel-logout-callback is used. If omitted, the default value is false.")
+ clientsCreateCmd.Flags().String("frontchannel-logout-callback", "", "Client URL that will cause the client to log itself out when rendered in an iframe by Hydra.")
+
  // encrypt client secret options
  clientsCreateCmd.Flags().String("pgp-key", "", "Base64 encoded PGP encryption key for encrypting client secret")
  clientsCreateCmd.Flags().String("pgp-key-url", "", "PGP encryption key URL for encrypting client secret")

cmd/clients_update.go

@@ -41,6 +41,14 @@ func init() {
  clientsUpdateCmd.Flags().StringP("name", "n", "", "The client's name")
  clientsUpdateCmd.Flags().StringSlice("post-logout-callbacks", []string{}, "List of allowed URLs to be redirected to after a logout")
 
+ // back-channel logout options
+ clientsUpdateCmd.Flags().Bool("backchannel-logout-session-required", false, "Boolean flag specifying whether the client requires that a sid (session ID) Claim be included in the Logout Token to identify the client session with the OP when the backchannel-logout-callback is used. If omitted, the default value is false.")
+ clientsUpdateCmd.Flags().String("backchannel-logout-callback", "", "Client URL that will cause the client to log itself out when sent a Logout Token by Hydra.")
+
+ // front-channel logout options
+ clientsUpdateCmd.Flags().Bool("frontchannel-logout-session-required", false, "Boolean flag specifying whether the client requires that a sid (session ID) Claim be included in the Logout Token to identify the client session with the OP when the frontchannel-logout-callback is used. If omitted, the default value is false.")
+ clientsUpdateCmd.Flags().String("frontchannel-logout-callback", "", "Client URL that will cause the client to log itself out when rendered in an iframe by Hydra.")
+
  // encrypt client secret options
  clientsUpdateCmd.Flags().String("pgp-key", "", "Base64 encoded PGP encryption key for encrypting client secret")
  clientsUpdateCmd.Flags().String("pgp-key-url", "", "PGP encryption key URL for encrypting client secret")

docs/docs/cli/hydra-clients-create.md

@@ -36,27 +36,31 @@ hydra clients create [flags]
 ### Options
 
 ```
- --allowed-cors-origins strings The list of URLs allowed to make CORS requests. Requires CORS_ENABLED.
- --audience strings The audience this client is allowed to request
- -c, --callbacks strings REQUIRED list of allowed callback URLs
- --client-uri string A URL string of a web page providing information about the client
- -g, --grant-types strings A list of allowed grant types (default [authorization_code])
- -h, --help help for create
- --id string Give the client this id
- --jwks-uri string Define the URL where the JSON Web Key Set should be fetched from when performing the "private_key_jwt" client authentication method
- --keybase string Keybase username for encrypting client secret
- --logo-uri string A URL string that references a logo for the client
- -n, --name string The client's name
- --pgp-key string Base64 encoded PGP encryption key for encrypting client secret
- --pgp-key-url string PGP encryption key URL for encrypting client secret
- --policy-uri string A URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data
- --post-logout-callbacks strings List of allowed URLs to be redirected to after a logout
- -r, --response-types strings A list of allowed response types (default [code])
- -a, --scope strings The scope the client is allowed to request
- --secret string Provide the client's secret
- --subject-type string A identifier algorithm. Valid values are "public" and "pairwise" (default "public")
- --token-endpoint-auth-method string Define which authentication method the client may use at the Token Endpoint. Valid values are "client_secret_post", "client_secret_basic", "private_key_jwt", and "none" (default "client_secret_basic")
- --tos-uri string A URL string that points to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client
+ --allowed-cors-origins strings The list of URLs allowed to make CORS requests. Requires CORS_ENABLED.
+ --audience strings The audience this client is allowed to request
+ --backchannel-logout-callback string Client URL that will cause the client to log itself out when sent a Logout Token by Hydra.
+ --backchannel-logout-session-required Boolean flag specifying whether the client requires that a sid (session ID) Claim be included in the Logout Token to identify the client session with the OP when the backchannel-logout-callback is used. If omitted, the default value is false.
+ -c, --callbacks strings REQUIRED list of allowed callback URLs
+ --client-uri string A URL string of a web page providing information about the client
+ --frontchannel-logout-callback string Client URL that will cause the client to log itself out when rendered in an iframe by Hydra.
+ --frontchannel-logout-session-required Boolean flag specifying whether the client requires that a sid (session ID) Claim be included in the Logout Token to identify the client session with the OP when the frontchannel-logout-callback is used. If omitted, the default value is false.
+ -g, --grant-types strings A list of allowed grant types (default [authorization_code])
+ -h, --help help for create
+ --id string Give the client this id
+ --jwks-uri string Define the URL where the JSON Web Key Set should be fetched from when performing the "private_key_jwt" client authentication method
+ --keybase string Keybase username for encrypting client secret
+ --logo-uri string A URL string that references a logo for the client
+ -n, --name string The client's name
+ --pgp-key string Base64 encoded PGP encryption key for encrypting client secret
+ --pgp-key-url string PGP encryption key URL for encrypting client secret
+ --policy-uri string A URL string that points to a human-readable privacy policy document that describes how the deployment organization collects, uses, retains, and discloses personal data
+ --post-logout-callbacks strings List of allowed URLs to be redirected to after a logout
+ -r, --response-types strings A list of allowed response types (default [code])
+ -a, --scope strings The scope the client is allowed to request
+ --secret string Provide the client's secret
+ --subject-type string A identifier algorithm. Valid values are "public" and "pairwise" (default "public")
+ --token-endpoint-auth-method string Define which authentication method the client may use at the Token Endpoint. Valid values are "client_secret_post", "client_secret_basic", "private_key_jwt", and "none" (default "client_secret_basic")
+ --tos-uri string A URL string that points to a human-readable terms of service document for the client that describes a contractual relationship between the end-user and the client that the end-user accepts when authorizing the client
 ```
 
 ### Options inherited from parent commands