Support OIDC backchannel logouts #11414
Conversation
sandhose
force-pushed
the
sandhose/oidc-logout
branch
5 times, most recently
from
44133ce
to
f6bb940
Compare
sandhose
force-pushed
the
sandhose/oidc-logout
branch
2 times, most recently
from
9208fec
to
5aba32c
Compare
|
Removing this from the review queue until #11482 gets worked out. |
sandhose
force-pushed
the
sandhose/oidc-logout
branch
6 times, most recently
from
3bfa785
to
4b3357a
Compare
| @@ -562,6 +569,9 @@ class OidcProviderConfig: | |||
| # "openid" scope is used. | |||
| jwks_uri: Optional[str] | |||
|
|
|||
| # Whether Synapse should react to backchannel logouts | |||
| backchannel_logout_enabled: bool | |||
There was a problem hiding this comment.
It makes me slightly sad to add another configuration option here, but I don't think there's much we can do here to avoid it?
The metadata seems to include whether this feature is supported or not. Can we auto-enable it in those cases?
There was a problem hiding this comment.
I mean, we could probably completely skip the configuration parameter. The only real benefit right now are warnings when the config enables backchannel logouts, but the OP does not advertise proper support.
Right now the behaviour is to delete the device, which does a "hard" logout. From a client perspective, it means it won't keep E2EE data, so you can't get back the deleted device. Maybe that's not the right behaviour, maybe that should be configurable.
Would it make sense to have instead a config parameter backchannel_logout_behaviour with the following values: logout (the default), soft_logout, nothing, and maybe implement soft_logout/other behaviours later?
There was a problem hiding this comment.
Right now the behaviour is to delete the device, which does a "hard" logout. From a client perspective, it means it won't keep E2EE data, so you can't get back the deleted device. Maybe that's not the right behaviour, maybe that should be configurable.
Would it make sense to have instead a config parameter
backchannel_logout_behaviourwith the following values:logout(the default),soft_logout,nothing, and maybe implementsoft_logout/other behaviours later?
I don't think doing a hard logout makes sense, actually. It likely makes more sense to do a soft-logout? I'm not really sure what a backchannel-logout is supposed to represent, but logging out of the IdP causing Synapse to destroy a session, causing a user to lose decryption keys sounds not great.
There was a problem hiding this comment.
I haven't really found a good way to soft-logout a user :(
It looks like soft-logouts are only sent when the token expired.
but logging out of the IdP causing Synapse to destroy a session, causing a user to lose decryption keys sounds not great.
I agree, but on the other hand leaving 'dead' devices on the account doesn't seem great either. Would you be fine with leaving this behaviour for now, see how it feels with whatever customer is asking for this change, and iterate on it later if it makes more sense to do a soft-logout?
synapse/handlers/oidc.py
Outdated
| This extracts the logout_token from the request and try to figure out | ||
| from whom it is coming from. This works by matching the iss claim with | ||
| the issuer and the aud claim with the client_id. |
There was a problem hiding this comment.
I think this is a little more readable?
| This extracts the logout_token from the request and try to figure out | |
| from whom it is coming from. This works by matching the iss claim with | |
| the issuer and the aud claim with the client_id. | |
| This extracts the logout_token from the request and tries to figure out | |
| which account it is associated with. This works by matching the iss claim | |
| with the issuer and the aud claim with the client_id. |
There was a problem hiding this comment.
Ha, I did not properly read your suggestion. It's not "which account it is associated with" but rather "from which IdP it is coming from"
There was a problem hiding this comment.
Isn't this matching to a particular user though, not just the IdP?
There was a problem hiding this comment.
This method specifically matches the IDP, and then passes down to the OidcProvider#handle_backchannel_logout, which then finds the user
There was a problem hiding this comment.
Thanks for the review @clokep! I replied to most comments and will fix some things now
I'd like your thoughts on the caveat I highlighted in the PR message:
One caveat (not sure how to easily fix this): in the following scenario, the user is still logged in even if the OIDC session ended:
- start the OIDC login from an "untrusted" client
- when on the "consent" screen served by Synapse (Continuing will grant http://XXXX/ access to your account.), do not click continue yet
- instead, log out from Keycloak
- click on "continue" on the consent screen: the user is successfully logged in, even if the session ended in Keycloak
| @@ -562,6 +569,9 @@ class OidcProviderConfig: | |||
| # "openid" scope is used. | |||
| jwks_uri: Optional[str] | |||
|
|
|||
| # Whether Synapse should react to backchannel logouts | |||
| backchannel_logout_enabled: bool | |||
There was a problem hiding this comment.
I mean, we could probably completely skip the configuration parameter. The only real benefit right now are warnings when the config enables backchannel logouts, but the OP does not advertise proper support.
Right now the behaviour is to delete the device, which does a "hard" logout. From a client perspective, it means it won't keep E2EE data, so you can't get back the deleted device. Maybe that's not the right behaviour, maybe that should be configurable.
Would it make sense to have instead a config parameter backchannel_logout_behaviour with the following values: logout (the default), soft_logout, nothing, and maybe implement soft_logout/other behaviours later?
This seems like it is probably OK? Shouldn't keycloak be rejecting this if the session ended? |
|
Hello any news ? |
|
What's the thinking on the state of this PR? Is it still wanted; does it need more review; is there something to be done to it? |
sandhose
force-pushed
the
sandhose/oidc-logout
branch
2 times, most recently
from
65650fc
to
6bfda89
Compare
There was a problem hiding this comment.
I'm getting back to the PR. I rebased on top of develop and applied a few fixes.
Still on my todo list is:
- add tests
- add documentation
- figure out what to do with the potential login/logout "race condition"
- merge some of the JWT handling code of the ID token and the logout token
| @@ -562,6 +569,9 @@ class OidcProviderConfig: | |||
| # "openid" scope is used. | |||
| jwks_uri: Optional[str] | |||
|
|
|||
| # Whether Synapse should react to backchannel logouts | |||
| backchannel_logout_enabled: bool | |||
There was a problem hiding this comment.
I haven't really found a good way to soft-logout a user :(
It looks like soft-logouts are only sent when the token expired.
but logging out of the IdP causing Synapse to destroy a session, causing a user to lose decryption keys sounds not great.
I agree, but on the other hand leaving 'dead' devices on the account doesn't seem great either. Would you be fine with leaving this behaviour for now, see how it feels with whatever customer is asking for this change, and iterate on it later if it makes more sense to do a soft-logout?
synapse/handlers/oidc.py
Outdated
| This extracts the logout_token from the request and try to figure out | ||
| from whom it is coming from. This works by matching the iss claim with | ||
| the issuer and the aud claim with the client_id. |
There was a problem hiding this comment.
This method specifically matches the IDP, and then passes down to the OidcProvider#handle_backchannel_logout, which then finds the user
sandhose
force-pushed
the
sandhose/oidc-logout
branch
from
865390f
to
bdf7ed4
Compare
| @@ -1112,6 +1456,7 @@ def _get_secret(self) -> bytes: | |||
| logger.info( | |||
| "Generating new JWT for %s: %s %s", self._oauth_issuer, header, payload | |||
| ) | |||
| jwt = JsonWebToken(header["alg"]) | |||
There was a problem hiding this comment.
What's this change for? Is it ensuring JsonWebToken doesn't explode?
There was a problem hiding this comment.
we were importing authlib.jose.jwt before and it's not the case anymore. I think I did this because it was not available in all versions of authlib?
There was a problem hiding this comment.
🤦 I failed to see where jwt was being used...
It looks like jwt has existed to be imported since at least 0.15?
I don't have a strong opinion about this though.
|
@sandhose Overall this looks reasonable. I'm sure some of the questions I asked were answered previously during our last round of reviews, but I'm afraid those have been lost to time. 😢 Sorry about that! |
Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com>
sandhose
force-pushed
the
sandhose/oidc-logout
branch
from
1614e02
to
c0b4986
Compare
Synapse 1.71.0 (2022-11-08) =========================== Please note that, as announced in the release notes for Synapse 1.69.0, legacy Prometheus metric names are now disabled by default. They will be removed altogether in Synapse 1.73.0. If not already done, server administrators should update their dashboards and alerting rules to avoid using the deprecated metric names. See the [upgrade notes](https://matrix-org.github.io/synapse/v1.71/upgrade.html#upgrading-to-v1710) for more details. **Note:** in line with our [deprecation policy](https://matrix-org.github.io/synapse/latest/deprecation_policy.html) for platform dependencies, this will be the last release to support PostgreSQL 10, which reaches upstream end-of-life on November 10th, 2022. Future releases of Synapse will require PostgreSQL 11+. Features -------- - Support back-channel logouts from OpenID Connect providers. ([\#11414](matrix-org/synapse#11414)) - Allow use of Postgres and SQLlite full-text search operators in search queries. ([\#11635](matrix-org/synapse#11635), [\#14310](matrix-org/synapse#14310), [\#14311](matrix-org/synapse#14311)) - Implement [MSC3664](matrix-org/matrix-spec-proposals#3664), Pushrules for relations. Contributed by Nico. ([\#11804](matrix-org/synapse#11804)) - Improve aesthetics of HTML templates. Note that these changes do not retroactively apply to templates which have been [customised](https://matrix-org.github.io/synapse/latest/templates.html#templates) by server admins. ([\#13652](matrix-org/synapse#13652)) - Enable write-ahead logging for SQLite installations. Contributed by [@asymmetric](https://github.com/asymmetric). ([\#13897](matrix-org/synapse#13897)) - Show erasure status when [listing users](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#query-user-account) in the Admin API. ([\#14205](matrix-org/synapse#14205)) - Provide a specific error code when a `/sync` request provides a filter which doesn't represent a JSON object. ([\#14262](matrix-org/synapse#14262))
Synapse 1.71.0 (2022-11-08) =========================== Please note that, as announced in the release notes for Synapse 1.69.0, legacy Prometheus metric names are now disabled by default. They will be removed altogether in Synapse 1.73.0. If not already done, server administrators should update their dashboards and alerting rules to avoid using the deprecated metric names. See the [upgrade notes](https://matrix-org.github.io/synapse/v1.71/upgrade.html#upgrading-to-v1710) for more details. **Note:** in line with our [deprecation policy](https://matrix-org.github.io/synapse/latest/deprecation_policy.html) for platform dependencies, this will be the last release to support PostgreSQL 10, which reaches upstream end-of-life on November 10th, 2022. Future releases of Synapse will require PostgreSQL 11+. No significant changes since 1.71.0rc2. Synapse 1.71.0rc2 (2022-11-04) ============================== Improved Documentation ---------------------- - Document the changes to monthly active user metrics due to deprecation of legacy Prometheus metric names. ([\matrix-org#14358](matrix-org#14358), [\matrix-org#14360](matrix-org#14360)) Deprecations and Removals ------------------------- - Disable legacy Prometheus metric names by default. They can still be re-enabled for now, but they will be removed altogether in Synapse 1.73.0. ([\matrix-org#14353](matrix-org#14353)) Internal Changes ---------------- - Run unit tests against Python 3.11. ([\matrix-org#13812](matrix-org#13812)) Synapse 1.71.0rc1 (2022-11-01) ============================== Features -------- - Support back-channel logouts from OpenID Connect providers. ([\matrix-org#11414](matrix-org#11414)) - Allow use of Postgres and SQLlite full-text search operators in search queries. ([\matrix-org#11635](matrix-org#11635), [\matrix-org#14310](matrix-org#14310), [\matrix-org#14311](matrix-org#14311)) - Implement [MSC3664](matrix-org/matrix-spec-proposals#3664), Pushrules for relations. Contributed by Nico. ([\matrix-org#11804](matrix-org#11804)) - Improve aesthetics of HTML templates. Note that these changes do not retroactively apply to templates which have been [customised](https://matrix-org.github.io/synapse/latest/templates.html#templates) by server admins. ([\matrix-org#13652](matrix-org#13652)) - Enable write-ahead logging for SQLite installations. Contributed by [@asymmetric](https://github.com/asymmetric). ([\matrix-org#13897](matrix-org#13897)) - Show erasure status when [listing users](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#query-user-account) in the Admin API. ([\matrix-org#14205](matrix-org#14205)) - Provide a specific error code when a `/sync` request provides a filter which doesn't represent a JSON object. ([\matrix-org#14262](matrix-org#14262)) Bugfixes -------- - Fix a long-standing bug where the `update_synapse_database` script could not be run with multiple databases. Contributed by @thefinn93 @ Beeper. ([\matrix-org#13422](matrix-org#13422)) - Fix a bug which prevented setting an avatar on homeservers which have an explicit port in their `server_name` and have `max_avatar_size` and/or `allowed_avatar_mimetypes` configuration. Contributed by @ashfame. ([\matrix-org#13927](matrix-org#13927)) - Check appservice user interest against the local users instead of all users in the room to align with [MSC3905](matrix-org/matrix-spec-proposals#3905). ([\matrix-org#13958](matrix-org#13958)) - Fix a long-standing bug where Synapse would accidentally include extra information in the response to [`PUT /_matrix/federation/v2/invite/{roomId}/{eventId}`](https://spec.matrix.org/v1.4/server-server-api/#put_matrixfederationv2inviteroomideventid). ([\matrix-org#14064](matrix-org#14064)) - Fix a bug introduced in Synapse 1.64.0 where presence updates could be missing from `/sync` responses. ([\matrix-org#14243](matrix-org#14243)) - Fix a bug introduced in Synapse 1.60.0 which caused an error to be logged when Synapse received a SIGHUP signal if debug logging was enabled. ([\matrix-org#14258](matrix-org#14258)) - Prevent history insertion ([MSC2716](matrix-org/matrix-spec-proposals#2716)) during an partial join ([MSC3706](matrix-org/matrix-spec-proposals#3706)). ([\matrix-org#14291](matrix-org#14291)) - Fix a bug introduced in Synapse 1.34.0 where device names would be returned via a federation user key query request when `allow_device_name_lookup_over_federation` was set to `false`. ([\matrix-org#14304](matrix-org#14304)) - Fix a bug introduced in Synapse 0.34.0 where logs could include error spam when background processes are measured as taking a negative amount of time. ([\matrix-org#14323](matrix-org#14323)) - Fix a bug introduced in Synapse 1.70.0 where clients were unable to PUT new [dehydrated devices](matrix-org/matrix-spec-proposals#2697). ([\matrix-org#14336](matrix-org#14336)) Improved Documentation ---------------------- - Explain how to disable the use of [`trusted_key_servers`](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#trusted_key_servers). ([\matrix-org#13999](matrix-org#13999)) - Add workers settings to [configuration manual](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#individual-worker-configuration). ([\matrix-org#14086](matrix-org#14086)) - Correct the name of the config option [`encryption_enabled_by_default_for_room_type`](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#encryption_enabled_by_default_for_room_type). ([\matrix-org#14110](matrix-org#14110)) - Update docstrings of `SynapseError` and `FederationError` to bettter describe what they are used for and the effects of using them are. ([\matrix-org#14191](matrix-org#14191)) Internal Changes ---------------- - Remove unused `@lru_cache` decorator. ([\matrix-org#13595](matrix-org#13595)) - Save login tokens in database and prevent login token reuse. ([\matrix-org#13844](matrix-org#13844)) - Refactor OIDC tests to better mimic an actual OIDC provider. ([\matrix-org#13910](matrix-org#13910)) - Fix type annotation causing import time error in the Complement forking launcher. ([\matrix-org#14084](matrix-org#14084)) - Refactor [MSC3030](matrix-org/matrix-spec-proposals#3030) `/timestamp_to_event` endpoint to loop over federation destinations with standard pattern and error handling. ([\matrix-org#14096](matrix-org#14096)) - Add initial power level event to batch of bulk persisted events when creating a new room. ([\matrix-org#14228](matrix-org#14228)) - Refactor `/key/` endpoints to use `RestServlet` classes. ([\matrix-org#14229](matrix-org#14229)) - Switch to using the `matrix-org/backend-meta` version of `triage-incoming` for new issues in CI. ([\matrix-org#14230](matrix-org#14230)) - Build wheels on macos 11, not 10.15. ([\matrix-org#14249](matrix-org#14249)) - Add debugging to help diagnose lost device list updates. ([\matrix-org#14268](matrix-org#14268)) - Add Rust cache to CI for `trial` runs. ([\matrix-org#14287](matrix-org#14287)) - Improve type hinting of `RawHeaders`. ([\matrix-org#14303](matrix-org#14303)) - Use Poetry 1.2.0 in the Twisted Trunk CI job. ([\matrix-org#14305](matrix-org#14305)) <details> <summary>Dependency updates</summary> Runtime: - Bump anyhow from 1.0.65 to 1.0.66. ([\matrix-org#14278](matrix-org#14278)) - Bump jinja2 from 3.0.3 to 3.1.2. ([\matrix-org#14271](matrix-org#14271)) - Bump prometheus-client from 0.14.0 to 0.15.0. ([\matrix-org#14274](matrix-org#14274)) - Bump psycopg2 from 2.9.4 to 2.9.5. ([\matrix-org#14331](matrix-org#14331)) - Bump pysaml2 from 7.1.2 to 7.2.1. ([\matrix-org#14270](matrix-org#14270)) - Bump sentry-sdk from 1.5.11 to 1.10.1. ([\matrix-org#14330](matrix-org#14330)) - Bump serde from 1.0.145 to 1.0.147. ([\matrix-org#14277](matrix-org#14277)) - Bump serde_json from 1.0.86 to 1.0.87. ([\matrix-org#14279](matrix-org#14279)) Tooling and CI: - Bump black from 22.3.0 to 22.10.0. ([\matrix-org#14328](matrix-org#14328)) - Bump flake8-bugbear from 21.3.2 to 22.9.23. ([\matrix-org#14042](matrix-org#14042)) - Bump peaceiris/actions-gh-pages from 3.8.0 to 3.9.0. ([\matrix-org#14276](matrix-org#14276)) - Bump peaceiris/actions-mdbook from 1.1.14 to 1.2.0. ([\matrix-org#14275](matrix-org#14275)) - Bump setuptools-rust from 1.5.1 to 1.5.2. ([\matrix-org#14273](matrix-org#14273)) - Bump twine from 3.8.0 to 4.0.1. ([\matrix-org#14332](matrix-org#14332)) - Bump types-opentracing from 2.4.7 to 2.4.10. ([\matrix-org#14133](matrix-org#14133)) - Bump types-requests from 2.28.11 to 2.28.11.2. ([\matrix-org#14272](matrix-org#14272)) </details>
Fixes #11326
Based on #11482.
Tested (and works) with Keycloak.
How to test this?
{public_url}/_synapse/client/oidc/backchannel_logoutBackchannel Logout Session Requiredis enabled on that client{keycloak}/auth/realms/{realms}/account/#/(which is the self-service console) and click "Sign Out"There is a Docker Compose stack here to help with testing: https://github.com/sandhose/synapse-keycloak-devstack
Additionally, there are two edge cases which can be tested (and which are covered by tests):
localpart_templateis not set and the user chooses a username themselvesPull Request Checklist
EventStoretoEventWorkerStore.".code blocks.(run the linters)