Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add ability to revoke login sessions by SessionID #3450

Merged
merged 7 commits into from
Mar 13, 2023
Merged

feat: add ability to revoke login sessions by SessionID #3450

merged 7 commits into from
Mar 13, 2023

Conversation

sgal
Copy link
Contributor

@sgal sgal commented Feb 26, 2023

Added support to revokeOAuth2LoginSessions API to revoke a single session by a SessionID (sid claim in the id_token) and execute an OpenID Connect Back-channel logout.

Related issue(s)

#3448

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

consent/handler.go Outdated Show resolved Hide resolved
// has to re-authenticate at the Ory OAuth2 Provider. This endpoint does not invalidate any tokens and
// does not work with OpenID Connect Front- or Back-channel logout.
// If you send the subject in a query param, all authentication sessions that belong to that subject are revoked.
// No OpennID Connect Front- or Back-channel logout is performed in this case.
Copy link
Contributor Author

@sgal sgal Feb 26, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like part of this can be fixed as well (back-channel), maybe outside of this change.

return nil
}

if err := s.executeBackChannelLogout(r.Context(), r, loginSession.Subject, sid); err != nil {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything from here until the end of the function is the same as in completeLogout function. Is this the correct direction to take here?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That looks good to me! Since this is called via an API, we won't have front-channel log-out (because no browser is involved). I think this is fine, but should probably be clarified in the API / function doc. You may opt to create a new function with the flow as to avoid duplication, but it's not required since it's only 2 functional statements

@sgal sgal changed the title [WIP] feat: add ability to revoke login sessions by SessionID feat: add ability to revoke login sessions by SessionID Feb 26, 2023
Copy link
Member

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks quite good already! We'll a few tests for this but then this can ship

consent/handler.go Outdated Show resolved Hide resolved
s.r.AuditLogger().
WithRequest(r).
WithField("subject", loginSession.Subject).
Info("User logout completed!")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clarify that this is the headless flow

return nil
}

if err := s.executeBackChannelLogout(r.Context(), r, loginSession.Subject, sid); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That looks good to me! Since this is called via an API, we won't have front-channel log-out (because no browser is involved). I think this is fine, but should probably be clarified in the API / function doc. You may opt to create a new function with the flow as to avoid duplication, but it's not required since it's only 2 functional statements

@codecov
Copy link

codecov bot commented Feb 28, 2023

Codecov Report

Merging #3450 (a5090fe) into master (ffe4943) will decrease coverage by 0.01%.
The diff coverage is 58.06%.

❗ Current head a5090fe differs from pull request most recent head 43bc7d9. Consider uploading reports for the commit 43bc7d9 to get more accurate results

@@            Coverage Diff             @@
##           master    #3450      +/-   ##
==========================================
- Coverage   76.86%   76.85%   -0.01%     
==========================================
  Files         123      123              
  Lines        9108     9131      +23     
==========================================
+ Hits         7001     7018      +17     
- Misses       1663     1666       +3     
- Partials      444      447       +3     
Impacted Files Coverage Δ
consent/strategy_default.go 69.50% <54.54%> (-0.09%) ⬇️
consent/handler.go 66.77% <66.66%> (+0.76%) ⬆️

... and 1 file with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

consent/strategy_logout_test.go Outdated Show resolved Hide resolved
consent/strategy_logout_test.go Outdated Show resolved Hide resolved
@@ -490,4 +509,24 @@ func TestLogoutFlows(t *testing.T) {

wg.Wait()
})

t.Run("case=should execute backchannel logout in headless flow with sid", func(t *testing.T) {
sid := make(chan string, 2)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using a buffered channel here to make sure that we have both values in it and do not block the goroutine that tries to read it.

@sgal sgal marked this pull request as ready for review March 3, 2023 09:47
@hperl hperl self-requested a review March 6, 2023 09:53
Copy link
Contributor

@hperl hperl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, this looks very good! I have some small comments and then it's ready to merge :)

consent/handler.go Outdated Show resolved Hide resolved
consent/strategy_default.go Outdated Show resolved Hide resolved
@sgal
Copy link
Contributor Author

sgal commented Mar 7, 2023

@hperl Fixed the comments, please have a look.

hperl
hperl previously approved these changes Mar 7, 2023
Copy link
Contributor

@hperl hperl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the changes, LGTM! 🎉

@aeneasr aeneasr merged commit b42482b into ory:master Mar 13, 2023
@sgal sgal deleted the add-revoke-login-session-by-sid branch March 13, 2023 10:10
@kabirbaidhya
Copy link

Hey @aeneasr, when are you planning to release this change?

harnash pushed a commit to Wikia/ory-hydra that referenced this pull request Apr 12, 2023
API `revokeOAuth2LoginSessions` can now revoke a single session by a SessionID (`sid` claim in the id_token) and execute an OpenID Connect Back-channel logout.

Closes ory#3448
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants