Added back channel logout endpoint without context by shepilov · Pull Request #4704 · cozy/cozy-stack

shepilov · 2026-03-20T16:56:09Z

The previous design had three practical problems:

The provider had to know stack’s internal OIDC context name to call back channel logout.
When sid was available, stack could still end up logging out more than the current OIDC session

With this PR:

Cozy now supports POST /oidc/logout in addition to the existing POST /oidc/:context/logout
context is resolved server-side from the logout token and existing sid bindings
local browser sessions are bound to OIDC sid
OIDC-derived OAuth clients are also bound to OIDC sid
backchannel logout can revoke both bound browser sessions and bound OAuth clients
the existing contextful endpoint remains supported

…r Flagship app

shepilov requested a review from a team as a code owner March 20, 2026 16:56

shepilov force-pushed the feat/backchannel-logout-without-context branch 4 times, most recently from 8f9301e to 1200bcf Compare March 23, 2026 19:16

taratatach reviewed Mar 24, 2026

View reviewed changes

Comment thread web/oidc/oidc.go Outdated

Comment thread web/oidc/oidc.go Outdated

Comment thread web/oidc/oidc.go Outdated

Comment thread web/oidc/oidc.go Outdated

Comment thread model/oauth/client.go Outdated

Comment thread model/session/oidc_sessions.go

shepilov force-pushed the feat/backchannel-logout-without-context branch from 1200bcf to 3005b31 Compare March 24, 2026 11:22

shepilov added 9 commits March 24, 2026 13:29

feat: Added Redis index to connect a stack session with an OIDC session

5ccc5b1

feat: Back channel logout endpoint without context

7d5b1b4

feat: Added more tests for back channel logout endpoint

bc81bf0

feat: Store also in redis client_id to support back channel logout fo…

7c91143

…r Flagship app

feat: Refactored a little bit session store and more logs added

1b4917f

refactor: extract oidc provider utilities and add config requirements

dfe4d39

refactor: extract oidc sid bindings into a dedicated package

341d0eb

fix: Code cleanup after oidc logout refactoring

5a26bce

fix: For tha OIDC logout make token validation mandatory

6441b5f

shepilov force-pushed the feat/backchannel-logout-without-context branch from de9166b to 6441b5f Compare March 24, 2026 12:29

shepilov added 2 commits March 24, 2026 13:55

fix: Removed duplicate constant for back channel logout event

859b60b

fix: Rename variable to avoid confusion between slices and maps

ff12018

taratatach approved these changes Mar 24, 2026

View reviewed changes

shepilov merged commit 2cae26d into master Mar 24, 2026
4 checks passed

shepilov deleted the feat/backchannel-logout-without-context branch March 24, 2026 17:23

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Added back channel logout endpoint without context#4704

Added back channel logout endpoint without context#4704
shepilov merged 11 commits intomasterfrom
feat/backchannel-logout-without-context

shepilov commented Mar 20, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

shepilov commented Mar 20, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants