providers/proxy: improve SLO by backchannel logging out sessions (#7099)

* outposts: add support for provider-specific websocket messages

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* providers/proxy: add custom signal on logout to logout in provider

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens L
2023-10-09 01:06:52 +02:00
committed by GitHub
parent f60b65c25f
commit 4db365c947
14 changed files with 134 additions and 7 deletions


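--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -280,7 +280,9 @@ func (a *Application) handleSignOut(rw http.ResponseWriter, r *http.Request) {
 "id_token_hint": []string{cc.RawToken},
 }
 redirect += "?" + uv.Encode()
-err = a.Logout(r.Context(), cc.Sub)
+err = a.Logout(r.Context(), func(c Claims) bool {
+return c.Sub == cc.Sub
+})
 if err != nil {
 a.log.WithError(err).Warning("failed to logout of other sessions")
 }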


@ -11,10 +11,11 @@ type Claims struct {
Exp int `json:"exp"`
Email string `json:"email"`
Verified bool `json:"email_verified"`
Proxy *ProxyClaims `json:"ak_proxy"`
Name string `json:"name"`
PreferredUsername string `json:"preferred_username"`
Groups []string `json:"groups"`
Sid string `json:"sid"`
Proxy *ProxyClaims `json:"ak_proxy"`
RawToken string
}
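Review bot: The new `Sid` field on the `Sid string `json:"sid"`` line carries no comment saying what it holds or who populates it, while the commit message ties this change to backchannel logout; a one-line comment would save the next reader a search, e.g. `// Sid is the session identifier claim (sid) used to select sessions for logout.` Presumably it mirrors the OIDC sid claim issued by authentik — confirm against the token issuer before wording it that way. The Claims struct begins before this hunk.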


@ -88,7 +88,7 @@ func (a *Application) getAllCodecs() []securecookie.Codec {
return cs
}
func (a *Application) Logout(ctx context.Context, sub string) error {
func (a *Application) Logout(ctx context.Context, filter func(c Claims) bool) error {
if _, ok := a.sessions.(*sessions.FilesystemStore); ok {
files, err := os.ReadDir(os.TempDir())
if err != nil {
@ -118,7 +118,7 @@ func (a *Application) Logout(ctx context.Context, sub string) error {
continue
}
claims := s.Values[constants.SessionClaims].(Claims)
if claims.Sub == sub {
if filter(claims) {
a.log.WithField("path", fullPath).Trace("deleting session")
err := os.Remove(fullPath)
if err != nil {
@ -153,7 +153,7 @@ func (a *Application) Logout(ctx context.Context, sub string) error {
continue
}
claims := c.(Claims)
if claims.Sub == sub {
if filter(claims) {
a.log.WithField("key", key).Trace("deleting session")
_, err := client.Del(ctx, key).Result()
if err != nil {
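Review bot: The widened signature on the `func (a *Application) Logout(ctx context.Context, filter func(c Claims) bool) error` line is exported but has no doc comment, and the contract of the new filter parameter — it is invoked once per stored session with that session's Claims, and a nil filter panics at `if filter(claims)` — is stated nowhere; suggest `// Logout removes every stored session whose Claims satisfy filter; filter must not be nil.` Callers that match on a claim which can be empty, such as the Sid this commit adds to Claims, should reject an empty value before matching, otherwise sessions issued before the claim existed would all satisfy `c.Sid == ""`; that depends on the callers, which are not in this hunk. Logout's body continues past the last hunk.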