Support OIDC backchannel logouts (#11414)

If configured an OIDC IdP can log a user's session out of Synapse when they log out of the identity provider. The IdP sends a request directly to Synapse (and must be configured with an endpoint) when a user logs out.
2025-05-05 03:44:56 -04:00 · 2022-10-31 18:07:30 +01:00 · 2022-10-31 18:07:30 +01:00 · cc3a52b33d
commit cc3a52b33d
parent 15bdb0da52
13 changed files with 960 additions and 66 deletions
--- a/tests/test_utils/oidc.py
+++ b/tests/test_utils/oidc.py
@ -51,6 +51,8 @@ class FakeOidcServer:
    get_userinfo_handler: Mock
    post_token_handler: Mock

+    sid_counter: int = 0
+
    def __init__(self, clock: Clock, issuer: str):
        from authlib.jose import ECKey, KeySet

@ -146,7 +148,7 @@ class FakeOidcServer:
        return jws.serialize_compact(protected, json_payload, self._key).decode("utf-8")

    def generate_id_token(self, grant: FakeAuthorizationGrant) -> str:
-        now = self._clock.time()
+        now = int(self._clock.time())
        id_token = {
            **grant.userinfo,
            "iss": self.issuer,
@ -166,6 +168,26 @@ class FakeOidcServer:

        return self._sign(id_token)

+    def generate_logout_token(self, grant: FakeAuthorizationGrant) -> str:
+        now = int(self._clock.time())
+        logout_token = {
+            "iss": self.issuer,
+            "aud": grant.client_id,
+            "iat": now,
+            "jti": random_string(10),
+            "events": {
+                "http://schemas.openid.net/event/backchannel-logout": {},
+            },
+        }
+
+        if grant.sid is not None:
+            logout_token["sid"] = grant.sid
+
+        if "sub" in grant.userinfo:
+            logout_token["sub"] = grant.userinfo["sub"]
+
+        return self._sign(logout_token)
+
    def id_token_override(self, overrides: dict):
        """Temporarily patch the ID token generated by the token endpoint."""
        return patch.object(self, "_id_token_overrides", overrides)
@ -183,7 +205,8 @@ class FakeOidcServer:
        code = random_string(10)
        sid = None
        if with_sid:
-            sid = random_string(10)
+            sid = str(self.sid_counter)
+            self.sid_counter += 1

        grant = FakeAuthorizationGrant(
            userinfo=userinfo,