Skip to content

Session management #1543

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Session management #1543

wants to merge 2 commits into from

Conversation

lullis
Copy link
Contributor

@lullis lullis commented Jan 27, 2025
edited
Loading

Fixes #1130

Description of the Change

Implementation of OIDC Session Management. This PR:

  • Adds some settings variables to enable OIDC Session Management
  • Adds checks to validate OIDC Session Management settings - if it is enabled, then Django will require a OIDC_SESSION_MANAGEMENT_DEFAULT_KEY to be present.
  • Adds the session_state parameter to the parameters given to the end user client upon succcessful authorization. The session state is calculate by a salted hash combination of client id, origin and "OP user agent state", which for the intents of session management is itself just a hashed value of the session key for authenticated users, and OIDC_SESSION_MANAGEMENT_DEFAULT_KEY if the user is not authenticated. This is enough for the OP to indicate whether the end user session has changed (logged in, logged out)
  • Add a OIDCSessionManagementMiddleware that sets a cookie with the value of "OP user agent state"
  • Adds a SessionIFrameView endpoint for the "OP IFrame"

Checklist

  • PR only contains one change (considered splitting up PR)
  • unit-test added
  • documentation updated
  • CHANGELOG.md updated (only for user relevant changes)
  • author name in AUTHORS

@lullis lullis force-pushed the session_management branch 7 times, most recently from 926e384 to 27f2c7b Compare January 29, 2025 23:22
@dopry
Copy link
Contributor

dopry commented Jan 31, 2025

@lullis Thank you for working on this. I've only given it a cursory review, but it looks like a great start. It'll probably be late next week before I can look at this closely. Ping me again if I don't manage to get you a review by next Friday.

@lullis lullis force-pushed the session_management branch from 27f2c7b to cd68405 Compare April 11, 2025 11:12
@lullis lullis mentioned this pull request Apr 11, 2025
Open
2 tasks
@lullis lullis force-pushed the session_management branch 7 times, most recently from ec3ccd9 to 3c3d1bf Compare April 27, 2025 19:01
@lullis lullis marked this pull request as ready for review April 27, 2025 19:02
@lullis
OIDC Session management (https://openid.net/specs/openid-connect-sess…
5b77eeb 
…ion-1_0.html)

To enable it, user must add OIDC_SESSION_MANAGEMENT_ENABLED and provide
OIDC_SESSION_MANAGEMENT_DEFAULT_SESSION_KEY on OAUTH2_PROVIDER settings,
and add the proper middleware.

This PR contains:

 - change in AuthorizationView to return 'session_state' parameter in
   authentication response
 - a SessionIFrameView as part of the OIDC views, which renders the content
   of the iframe used by RPs to keep track of session state changes.
 - middleware that sets the cookie
 - Documentation
 - Test for the changed authentication view
@lullis lullis force-pushed the session_management branch from 3c3d1bf to 5b77eeb Compare April 27, 2025 19:21
@jazzband jazzband deleted a comment from codecov bot Apr 27, 2025
@lullis lullis requested review from charleswhchan and Qup42 April 27, 2025 20:42
@Qup42
Copy link
Contributor

Qup42 commented Apr 28, 2025

@lullis I'm quite busy at the moment. I think that I should be able to have a look at this in the next ~3 months. Do please remind me if I forget it.

@lullis
Copy link
Contributor Author

lullis commented Jul 5, 2025

@Qup42, just pinging to remind you about this PR.

@dopry
Copy link
Contributor

dopry commented Jul 11, 2025

@lullis any guidance on testing procedures for this PR?

@lullis
Copy link
Contributor Author

lullis commented Jul 12, 2025

@dopry I got a small app going to test these features at https://codeberg.org/raphael/oidc-client-testbed.

I won't make any strong claims about its overall quality (I relied on Cursor to generate a lot of the boilerplate and the vue components), but I did check the actual functionality and it works well enough to check the session frame part.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@charleswhchan charleswhchan Awaiting requested review from charleswhchan

@Qup42 Qup42 Awaiting requested review from Qup42

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OpenID Connect Session Management 1.0
3 participants
@lullis @dopry @Qup42