Add OIDC Back-Channel Logout support

Implement OIDC Back-Channel Logout 1.0 (RFC). When enabled, the IdP can POST a signed logout_token JWT to invalidate user sessions server-side. - Add BackchannelLogoutHandler: JWT verification via jose, jti replay protection with bounded cache, session destruction by sub or sid - Add oidcSessionId column to sessions table with index for fast lookups - Add backchannel logout route (POST /auth/openid/backchannel-logout) - Notify connected clients via socket to redirect to login page - Add authOpenIDBackchannelLogoutEnabled toggle in schema-driven settings UI - Migration v2.34.0 adds oidcSessionId column and index - Polish settings UI: auto-populate loading state, subfolder dropdown options, KeyValueEditor fixes, localized descriptions via descriptionKey, duplicate key detection, success/error toasts - Localize backchannel logout toast (ToastSessionEndedByProvider) - OidcAuthStrategy tests now use real class via require-cache stubbing
2026-04-18 04:59:44 +00:00 · 2026-02-05 17:55:10 +01:00 · 2026-02-05 17:55:10 +01:00 · 073eff74ef
commit 073eff74ef
parent 33bee70a12
16 changed files with 886 additions and 104 deletions
--- a/server/auth/TokenManager.js
+++ b/server/auth/TokenManager.js
@ -157,9 +157,10 @@ class TokenManager {
   * @param {{ id:string, username:string }} user
   * @param {import('express').Request} req
   * @param {string|null} [oidcIdToken=null] - OIDC id_token to store in session for logout
+   * @param {string|null} [oidcSessionId=null] - OIDC session ID (sid claim) for backchannel logout
   * @returns {Promise<{ accessToken:string, refreshToken:string, session:import('../models/Session') }>}
   */
-  async createTokensAndSession(user, req, oidcIdToken = null) {
+  async createTokensAndSession(user, req, oidcIdToken = null, oidcSessionId = null) {
    const ipAddress = requestIp.getClientIp(req)
    const userAgent = req.headers['user-agent']
    const accessToken = this.generateTempAccessToken(user)
@ -168,7 +169,7 @@ class TokenManager {
    // Calculate expiration time for the refresh token
    const expiresAt = new Date(Date.now() + this.RefreshTokenExpiry * 1000)

-    const session = await Database.sessionModel.createSession(user.id, ipAddress, userAgent, refreshToken, expiresAt, oidcIdToken)
+    const session = await Database.sessionModel.createSession(user.id, ipAddress, userAgent, refreshToken, expiresAt, oidcIdToken, oidcSessionId)

    return {
      accessToken,