Some IdPs (e.g. Authentik) don't echo the nonce in the id_token for
the authorization code flow, causing "nonce mismatch, got: undefined"
errors when the mobile app attempts SSO login. The mobile flow already
uses PKCE which provides equivalent replay protection, so nonce is not
needed. Web flow continues to use nonce for defense-in-depth.

The group claim was assumed to always be an array, which crashes with
providers like Zitadel that return an object with role names as keys
(e.g. { "admin": {...}, "user": {...} }). Normalize all common formats:
array, single string, and object (extract keys).
Fixes #4744

Previously the check only rejected email_verified === false, allowing
logins when the claim was missing entirely. Since the admin opted in,
the IdP is expected to provide the claim.

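The two claim-handling changes above (group claim normalization for array, string and object shapes; and the strict `email_verified === true` check that also rejects a missing claim) as one added example. This is illustrative code written for this page, not the project's own code: the function names `normalizeGroupClaim` and `evaluateOidcClaims`, the option names, and the sample claims are all constructed here.

```javascript
// Added example (not the project's own code): normalize the OIDC group claim
// and apply a strict email_verified check. Names and samples are hypothetical.

/**
 * Normalize a group claim to an array of group-name strings.
 * Accepts the common shapes seen across IdPs:
 *   - array of strings            (e.g. ["admin", "user"])
 *   - single string               (some providers emit a scalar for one group)
 *   - object keyed by role name   (Zitadel: { admin: {...}, user: {...} })
 * Anything else (null, number, boolean) yields an empty array so the caller
 * decides whether "no groups" is a login failure.
 */
function normalizeGroupClaim(claim) {
  if (claim == null) return []
  if (Array.isArray(claim)) {
    return claim.filter((g) => typeof g === 'string' && g.length > 0)
  }
  if (typeof claim === 'string') {
    return claim.length > 0 ? [claim] : []
  }
  if (typeof claim === 'object') {
    return Object.keys(claim)
  }
  return []
}

/**
 * Decide whether the user behind `claims` may log in.
 * - With requireEmailVerified, the claim must be literally `true`; a missing
 *   claim is rejected, not only an explicit `false`.
 * - With a configured groupClaimName, the normalized claim must contain at
 *   least one group from allowedGroups (case-insensitive).
 * Returns { ok, reason, groups } so the caller can log why a login failed.
 */
function evaluateOidcClaims(claims, options) {
  const { requireEmailVerified = false, groupClaimName = null, allowedGroups = [] } = options || {}

  if (requireEmailVerified && claims.email_verified !== true) {
    return { ok: false, reason: 'email_verified claim missing or not true', groups: [] }
  }

  let groups = []
  if (groupClaimName) {
    groups = normalizeGroupClaim(claims[groupClaimName])
    const allowed = new Set(allowedGroups.map((g) => g.toLowerCase()))
    const matched = groups.filter((g) => allowed.has(g.toLowerCase()))
    if (matched.length === 0) {
      return { ok: false, reason: `no allowed group in claim "${groupClaimName}"`, groups }
    }
  }
  return { ok: true, reason: null, groups }
}

// Constructed sample claims mimicking three IdP styles (not real tokens).
const sampleClaims = {
  arrayStyle: { sub: 'u1', email_verified: true, groups: ['admin', 'user'] },
  zitadelStyle: {
    sub: 'u2',
    email_verified: true,
    'urn:zitadel:iam:org:project:roles': { admin: { '1': 'org' }, user: { '1': 'org' } }
  },
  unverified: { sub: 'u3', groups: 'user' } // email_verified absent entirely
}
```

Note that `claims.email_verified !== true` is the whole fix for the second commit: an IdP that omits the claim, or sends the string `"true"`, no longer passes.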
Cover validateGroupClaim, isValidRedirectUri, isValidWebCallbackUrl,
updateUserPermissions, and verifyUser with 40 new tests (51 total).
Tests cover open redirect prevention, group claim validation,
auto-registration flows, permission updates, and error handling.

Implement OIDC Back-Channel Logout 1.0 (RFC). When enabled, the IdP can
POST a signed logout_token JWT to invalidate user sessions server-side.
- Add BackchannelLogoutHandler: JWT verification via jose, jti replay
protection with bounded cache, session destruction by sub or sid
- Add oidcSessionId column to sessions table with index for fast lookups
- Add backchannel logout route (POST /auth/openid/backchannel-logout)
- Notify connected clients via socket to redirect to login page
- Add authOpenIDBackchannelLogoutEnabled toggle in schema-driven settings UI
- Migration v2.34.0 adds oidcSessionId column and index
- Polish settings UI: auto-populate loading state, subfolder dropdown
options, KeyValueEditor fixes, localized descriptions via descriptionKey,
duplicate key detection, success/error toasts
- Localize backchannel logout toast (ToastSessionEndedByProvider)
- OidcAuthStrategy tests now use real class via require-cache stubbing