Support OIDC RISC events #11514

Open
matrixbot opened this issue Dec 19, 2023 · 0 comments
matrixbot commented Dec 19, 2023

This issue has been migrated from #11514.

OIDC Back-Channel Logouts (#11326) is a step in the direction of properly syncing user sessions when something happens on the OIDC side. There are a lot of other cases where for example the account gets disabled or locked, and it is not reflected on Synapse's side.

There is a working group in the OpenID foundation called RISC (Risk Incident Sharing and Coordination) which tries to define a standard way to signal account security events (account locked, unlocked, removed, compromised) based on RFC 8417: Security Event Token. This would allow us to react when the following events happen on the IdP side, according to the spec draft:

  • Account Credential Change Required signals that the account identified by the subject was required to change a credential. For example the user was required to go through a password change.
  • Account Purged signals that the account identified by the subject has been permanently deleted.
  • Account Disabled signals that the account identified by the subject has been disabled. The actual reason why the account was disabled might be specified with the nested reason attribute described below. The account may be enabled in the future.
  • Identifier Changed signals that the identifier specified in the subject has changed.
  • Identifier Recycled signals that the identifier specified in the subject was recycled and now it belongs to a new user.
  • A Credential Compromise event signals that the identifier specified in the subject was found to be compromised.
  • Opt-In/Out related events. Users must be able to opt-in or out of RISC events between the IdP and the app, hence those events.
  • Recovery Activated signals that the account identified by the subject activated a recovery flow.
  • Recovery Information Changed signals that the account identified by the subject has changed some of its recovery information. For example a recovery email address was added or removed.
  • Sessions Revoked signals that all the sessions for the account identified by the subject have been revoked.

Not all events are relevant to Synapse, but I definitely find those interesting.

The good news for us is that Security Event Tokens look a lot like logout tokens from the OIDC back-channel logouts (which was, by the way, intended by the OIDC folks), so a lot of the implementation is already done in the OIDC back-channel logout PR.
The bad news is that RISC is not widely adopted by OIDC providers. I know Google adopted it and brands this as Cross-Account Protection, but it is not supported by Keycloak, Auth0, etc.

Note that this will also be useful in the "OIDC-native" world.

I originally posted this in matrix-org/synapse#11500 (comment)
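As an added example, not code from this issue or from Synapse: a minimal Python receiver for a RISC-profile Security Event Token, applying the same checks a back-channel logout token receiver already makes (pinned `alg`, signature, `iss`/`aud`, an `events` claim present and no `nonce`, `jti` replay) and mapping the event types the issue lists to a homeserver-side reaction. The HS256 shared key, the `ACTIONS` mapping and the `subject` member inside each event payload are assumptions; a real deployment verifies against the IdP's published keys.

```python
import base64, hashlib, hmac, json

RISC = "https://schemas.openid.net/secevent/risc/event-type/"
# Hypothetical mapping from RISC event type to a homeserver-side reaction.
ACTIONS = {
    RISC + "account-disabled": "lock_user",
    RISC + "account-purged": "deactivate_user",
    RISC + "sessions-revoked": "invalidate_all_devices",
    RISC + "credential-compromise": "invalidate_all_devices",
}

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_set(claims, key):
    """Build an HS256-signed SET for testing (a real IdP signs with its JWKS keys)."""
    h = b64u_enc(json.dumps({"alg": "HS256", "typ": "secevent+jwt"}).encode())
    b = b64u_enc(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    return f"{h}.{b}.{b64u_enc(sig)}"

def handle_set(token, key, issuer, audience, seen_jti):
    """Verify a SET and return the (action, subject) pairs it triggers.
    Raises ValueError for anything a receiver must reject."""
    h, b, s = token.split(".")  # ValueError if not a compact JWS
    header = json.loads(b64u_dec(h))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected header")  # pin alg; never accept alg=none
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(b))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or audience not in aud:
        raise ValueError("wrong iss/aud")
    if "events" not in claims or "nonce" in claims:
        raise ValueError("not a SET")  # ID tokens carry nonce and no events claim
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    # Assumed RISC-profile layout: the affected subject sits inside each event payload.
    return [(ACTIONS[t], e.get("subject", {}))
            for t, e in claims["events"].items() if t in ACTIONS]
```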

@matrixbot matrixbot changed the title Dummy issue Support OIDC RISC events Dec 21, 2023
@matrixbot matrixbot reopened this Dec 21, 2023