Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: revoke consent by session id. trigger back channel logout. #2844

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

aarmam
Copy link
Contributor

@aarmam aarmam commented Nov 8, 2021

This pull request introduces feature to revoke consent by session id and option to trigger back channel logout.

Use case:

  1. User logs in from device/browser 1 to client application A. Hydra has created login session 1 (remember=true) and authenticated user.
  2. User logs in from device/browser 1 to client application B by accepting consent.
  3. User performs steps 1, 2 in device/browser 2. Hydra has created login session 2 for the same user.
  4. User initiates log out from client application A using device/browser 1.
  5. Logout provider displays UI page with message "You have been logged out from Application A. You have active sessions in following applications: Application B" and options 5.1) "Logout from all sessions", 5.2) "Resume active sessions"
  6. User selects 5.2 "Resume active sessions"
    6.1 Logout provider performs PUT /oauth2/auth/requests/logout/reject so that user would remain logged in to Application B
    6.2 Logout provider performs DELETE /oauth2/auth/sessions/consent?subject=user1&client=applicationA&login_session_id=session1&trigger_backchannel_logout=true so that user would be logged out from application A (just in case application A did not terminate it's session locally before redirecting to Hydra logout endpoint)

Current situation: application A consent from session 1 and session 2 is revoked; backchannel logout is not triggered.

Proposed solution: application A consent only from session 1 is revoked; backchannel logout is triggered.

Triggering backchannel logout is a separate feature and can be used without login_session_id or with all=true parameter.

Related issue(s)

#2666

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security. vulnerability, I
    confirm that I got green light (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

Tests and documentation will be commited after inital acceptance of the proposed feature.

@aarmam aarmam requested a review from aeneasr as a code owner November 8, 2021 21:11
@aarmam aarmam mentioned this pull request Nov 10, 2021
7 tasks
@aarmam aarmam marked this pull request as draft November 11, 2021 13:01
@aarmam aarmam force-pushed the feature/revoke-consent-sessions branch from b6b020f to b17a044 Compare November 24, 2021 08:33
@aarmam aarmam force-pushed the feature/revoke-consent-sessions branch from b17a044 to a8fdf3a Compare December 8, 2021 09:50
@aarmam aarmam force-pushed the feature/revoke-consent-sessions branch 2 times, most recently from 220a774 to 5fd7354 Compare March 16, 2022 14:05
@codecov
Copy link

codecov bot commented Mar 16, 2022

Codecov Report

Merging #2844 (1bea1b7) into master (6e1f545) will increase coverage by 0.08%.
The diff coverage is 82.35%.

❗ Current head 1bea1b7 differs from pull request most recent head 1ea545b. Consider uploading reports for the commit 1ea545b to get more accurate results

@@            Coverage Diff             @@
##           master    #2844      +/-   ##
==========================================
+ Coverage   76.85%   76.93%   +0.08%     
==========================================
  Files         124      124              
  Lines        9164     9253      +89     
==========================================
+ Hits         7043     7119      +76     
- Misses       1672     1680       +8     
- Partials      449      454       +5     
Impacted Files Coverage Δ
client/client.go 76.41% <ø> (ø)
consent/manager.go 100.00% <ø> (ø)
consent/handler.go 66.96% <53.84%> (+0.19%) ⬆️
consent/strategy_default.go 69.93% <84.00%> (+0.42%) ⬆️
persistence/sql/persister_consent.go 87.96% <95.65%> (+0.55%) ⬆️
consent/manager_test_helpers.go 97.93% <100.00%> (ø)

... and 1 file with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@aarmam aarmam force-pushed the feature/revoke-consent-sessions branch 9 times, most recently from 4eea405 to f6586ae Compare March 30, 2022 21:46
@aarmam aarmam marked this pull request as ready for review April 4, 2022 06:07
@aarmam aarmam mentioned this pull request Apr 13, 2022
5 tasks
@aarmam aarmam force-pushed the feature/revoke-consent-sessions branch from f6586ae to 954c972 Compare April 19, 2022 08:01
@aarmam aarmam force-pushed the feature/revoke-consent-sessions branch 2 times, most recently from daf3ad0 to e6b1579 Compare May 11, 2022 08:04
@aarmam aarmam marked this pull request as draft September 6, 2022 10:48
@aarmam aarmam force-pushed the feature/revoke-consent-sessions branch 6 times, most recently from 5921eee to 6a88521 Compare December 25, 2022 20:12
@aarmam aarmam force-pushed the feature/revoke-consent-sessions branch 2 times, most recently from f305bec to a819270 Compare December 25, 2022 20:38
@aarmam aarmam marked this pull request as ready for review December 25, 2022 21:15
@web-kat
Copy link

web-kat commented Apr 5, 2023

@aeneasr aside from being out of date with master, is there anything holding this body of work back?

@aarmam aarmam force-pushed the feature/revoke-consent-sessions branch from a819270 to f5cd46d Compare April 5, 2023 14:24
@aarmam aarmam force-pushed the feature/revoke-consent-sessions branch from 5da0e32 to 1ea545b Compare April 6, 2023 09:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants