Previously the check only rejected email_verified === false, allowing
logins when the claim was missing entirely. Since the admin opted in,
the IdP is expected to provide the claim.
Cover validateGroupClaim, isValidRedirectUri, isValidWebCallbackUrl,
updateUserPermissions, and verifyUser with 40 new tests (51 total).
Tests cover open redirect prevention, group claim validation,
auto-registration flows, permission updates, and error handling.
Implement OIDC Back-Channel Logout 1.0 (RFC). When enabled, the IdP can
POST a signed logout_token JWT to invalidate user sessions server-side.
- Add BackchannelLogoutHandler: JWT verification via jose, jti replay
protection with bounded cache, session destruction by sub or sid
- Add oidcSessionId column to sessions table with index for fast lookups
- Add backchannel logout route (POST /auth/openid/backchannel-logout)
- Notify connected clients via socket to redirect to login page
- Add authOpenIDBackchannelLogoutEnabled toggle in schema-driven settings UI
- Migration v2.34.0 adds oidcSessionId column and index
- Polish settings UI: auto-populate loading state, subfolder dropdown
options, KeyValueEditor fixes, localized descriptions via descriptionKey,
duplicate key detection, success/error toasts
- Localize backchannel logout toast (ToastSessionEndedByProvider)
- OidcAuthStrategy tests now use real class via require-cache stubbing
