Add OIDC Back-Channel Logout support

mirror of https://github.com/advplyr/audiobookshelf.git synced 2026-03-07 00:19:41 +00:00

Implement OIDC Back-Channel Logout 1.0 (RFC). When enabled, the IdP can
POST a signed logout_token JWT to invalidate user sessions server-side.

- Add BackchannelLogoutHandler: JWT verification via jose, jti replay
  protection with bounded cache, session destruction by sub or sid
- Add oidcSessionId column to sessions table with index for fast lookups
- Add backchannel logout route (POST /auth/openid/backchannel-logout)
- Notify connected clients via socket to redirect to login page
- Add authOpenIDBackchannelLogoutEnabled toggle in schema-driven settings UI
- Migration v2.34.0 adds oidcSessionId column and index
- Polish settings UI: auto-populate loading state, subfolder dropdown
  options, KeyValueEditor fixes, localized descriptions via descriptionKey,
  duplicate key detection, success/error toasts
- Localize backchannel logout toast (ToastSessionEndedByProvider)
- OidcAuthStrategy tests now use real class via require-cache stubbing

This commit is contained in:

Denis Arnst

2026-02-05 17:55:10 +01:00

parent 33bee70a12

commit 073eff74ef

No known key found for this signature in database

GPG key ID: D5866C58940197BF

16 changed files with 886 additions and 104 deletions

									
										1

package.json
									
										View file
										
				@ -48,6 +48,7 @@

				    "lru-cache": "^10.0.3",

				    "node-unrar-js": "^2.0.2",

				    "nodemailer": "^6.9.13",

				    "jose": "^4.15.4",

				    "openid-client": "^5.6.1",

				    "p-throttle": "^4.1.1",

				    "passport": "^0.6.0",

Rows
Columns

Add OIDC Back-Channel Logout support

1 package.json Unescape Escape View file

1

package.json

View file