oauth2-proxy/pkg/apis
Antonio Aranda Hernández 52c7c6f975 feat: add OIDC back-channel logout support
Implements https://openid.net/specs/openid-connect-backchannel-1_0.html

When --oidc-backchannel-logout is set (requires --session-store-type=redis),
the proxy exposes POST /oauth2/backchannel-logout. The OIDC provider (e.g.
Keycloak, Azure AD) can POST a signed logout_token to instantly revoke a
user's session server-side without a browser redirect.

Changes:
- oauthproxy.go: BackChannelLogout handler; route registered only when the
  flag is set; validates logout_token JWT per spec §2.4 (nonce absence,
  backchannel-logout event, sid claim)
- pkg/apis/sessions/interfaces.go: BackChannelSessionStore interface with
  ClearBySID(ctx, sessionID) error
- pkg/apis/sessions/session_state.go: SessionID field (sid OIDC claim)
- pkg/sessions/persistence/manager.go: ClearBySID implementation and a
  secondary sid→ticketID index written on every Save
- pkg/sessions/persistence/manager_test.go: unit tests for ClearBySID
- pkg/sessions/tests/mock_store.go: CacheSize() helper for tests
- providers/provider_data.go: BackChannelLogoutSupported field
- providers/provider_data.go: extracts sid claim into SessionState on login
- providers/providers.go: wires oidcConfig.backChannelLogoutEnabled
- pkg/apis/options/providers.go: BackChannelLogoutEnabled option
- pkg/apis/options/legacy_options.go: --oidc-backchannel-logout flag
- oauthproxy_test.go: unit tests for the BackChannelLogout handler
- docs: back-channel logout section in keycloak_oidc.md and openid_connect.md

Signed-off-by: Antonio Aranda Hernández <aaranda@hortichuelas.es>
2026-06-03 12:23:25 +02:00
ip Move RealClientIP code to IP packages 2020-05-23 15:17:41 +01:00
middleware Merge commit from fork 2026-04-13 18:22:56 +02:00
options feat: add OIDC back-channel logout support 2026-06-03 12:23:25 +02:00
sessions feat: add OIDC back-channel logout support 2026-06-03 12:23:25 +02:00