oauth2-proxy/pkg/sessions/tests
Antonio Aranda Hernández 52c7c6f975 feat: add OIDC back-channel logout support
Implements https://openid.net/specs/openid-connect-backchannel-1_0.html

When --oidc-backchannel-logout is set (requires --session-store-type=redis),
the proxy exposes POST /oauth2/backchannel-logout. The OIDC provider (e.g.
Keycloak, Azure AD) can POST a signed logout_token to instantly revoke a
user's session server-side without a browser redirect.

Changes:
- oauthproxy.go: BackChannelLogout handler; route registered only when the
  flag is set; validates logout_token JWT per spec §2.4 (nonce absence,
  backchannel-logout event, sid claim)
- pkg/apis/sessions/interfaces.go: BackChannelSessionStore interface with
  ClearBySID(ctx, sessionID) error
- pkg/apis/sessions/session_state.go: SessionID field (sid OIDC claim)
- pkg/sessions/persistence/manager.go: ClearBySID implementation and a
  secondary sid→ticketID index written on every Save
- pkg/sessions/persistence/manager_test.go: unit tests for ClearBySID
- pkg/sessions/tests/mock_store.go: CacheSize() helper for tests
- providers/provider_data.go: BackChannelLogoutSupported field
- providers/provider_data.go: extracts sid claim into SessionState on login
- providers/providers.go: wires oidcConfig.backChannelLogoutEnabled
- pkg/apis/options/providers.go: BackChannelLogoutEnabled option
- pkg/apis/options/legacy_options.go: --oidc-backchannel-logout flag
- oauthproxy_test.go: unit tests for the BackChannelLogout handler
- docs: back-channel logout section in keycloak_oidc.md and openid_connect.md

Signed-off-by: Antonio Aranda Hernández <aaranda@hortichuelas.es>
2026-06-03 12:23:25 +02:00
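
The claim checks the commit message lists for the logout_token (nonce absence, backchannel-logout event, sid claim), as an added example that is not code from this commit or from oauth2-proxy. The helper name sidFromLogoutClaims and the sample payloads are hypothetical; the JWT signature, iss and aud are assumed to be verified before it is called.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Event member name defined by the OIDC Back-Channel Logout spec.
const backchannelLogoutEvent = "http://schemas.openid.net/event/backchannel-logout"

// sidFromLogoutClaims (hypothetical helper, not oauth2-proxy code) checks the
// decoded payload of a logout_token. Assumption: the JWT signature, iss and
// aud were already verified against the provider before this is called.
func sidFromLogoutClaims(payload []byte) (string, error) {
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("decode claims: %w", err)
	}
	// A nonce marks an ID token; rejecting it stops ID tokens being replayed here.
	if _, found := claims["nonce"]; found {
		return "", errors.New("nonce claim must be absent")
	}
	// events must be an object holding the back-channel logout member,
	// whose value is itself a JSON object (normally {}).
	var events, member map[string]json.RawMessage
	if err := json.Unmarshal(claims["events"], &events); err != nil {
		return "", errors.New("events claim missing or not an object")
	}
	if err := json.Unmarshal(events[backchannelLogoutEvent], &member); err != nil || member == nil {
		return "", errors.New("backchannel-logout event missing")
	}
	// The session is looked up by sid, so a token without one is refused.
	var sid string
	if err := json.Unmarshal(claims["sid"], &sid); err != nil || sid == "" {
		return "", errors.New("sid claim missing")
	}
	return sid, nil
}

func main() {
	// Constructed sample payloads, not captured from a real provider.
	good := `{"iss":"https://idp.example","aud":"proxy","jti":"a1","sid":"s-42","events":{"` + backchannelLogoutEvent + `":{}}}`
	idToken := `{"iss":"https://idp.example","aud":"proxy","nonce":"n","sid":"s-42"}`
	for _, p := range []string{good, idToken} {
		sid, err := sidFromLogoutClaims([]byte(p))
		fmt.Printf("sid=%q err=%v\n", sid, err)
	}
}
```
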
mock_lock.go Updated linters 2023-10-24 16:37:57 +02:00
mock_store.go feat: add OIDC back-channel logout support 2026-06-03 12:23:25 +02:00
session_store_tests.go feat: add same site option for csrf cookies (#3347) 2026-03-18 23:14:36 +08:00