Page MenuHomePhabricator
Create Task
Maniphest T327147

Add optional support for "backchannel logout"
Closed, ResolvedPublicFeature
Actions

Description

Feature summary:
Add

  • performBackChannelLogout( $requestData ) to PluggableAuthPlugin
  • REST endpoint that can be registered with an external authentication provider, which calls this function
  • Using it should be made configurable

There are some open questions though:

  • How to deal with Multiple-Plugin-Setups? Do we need an ID as part of the REST endpoint?
  • What exactly to pass to that function? Just raw request data? Is pre-processing/validation required?

Use case(s)

  • If a user logs out from a central authentication system, all sessions in connected applications should also be terminated

Benefits:
It improves security, as it prevents that a user needs to end sessions on multiple applications
At least two extensions may use this:

  • Extension:OpenIDConnect
  • Extension:SimpleSAMLphp (probably)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add backchannel logoutmediawiki/extensions/OpenIDConnectREL1_43+242 -95
Add optional support for backchannel logoutmediawiki/extensions/PluggableAuthREL1_43+140 -1
Add backchannel logoutmediawiki/extensions/OpenIDConnectmaster+242 -95
Add optional support for backchannel logoutmediawiki/extensions/PluggableAuthmaster+140 -1
Customize query in gerrit

Related Objects

Event Timeline

Osnard created this task.Jan 17 2023, 7:40 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 17 2023, 7:40 AM
Osnard claimed this task.Jan 17 2023, 7:40 AM
Osnard triaged this task as Low priority.

I am going to provide a patch upon the current V7 changeset-stack

Suplanus subscribed.Jan 17 2023, 3:05 PM
Tgr subscribed.Feb 22 2023, 7:36 AM
Osnard added a comment.Jan 19 2024, 10:17 AM

FTR: There is a somewhat similar ticket for Extension:SimpleSAMLphp -> T246350
Unfortunately this can not be solved with the proposed implementation, as the logout request from the SAML IdP will not be send to the wiki, but to the SimpleSAMLphp Service Provider.

gerritbot added a comment.Jan 15 2025, 3:32 PM

Change #903216 had a related patch set uploaded (by Cicalese; author: Robert Vogel):

[mediawiki/extensions/PluggableAuth@master] Add optional support for backchannel logout

https://gerrit.wikimedia.org/r/903216

gerritbot added a project: Patch-For-Review.Jan 15 2025, 3:32 PM

Change #991792 had a related patch set uploaded (by Cicalese; author: Robert Vogel):

[mediawiki/extensions/OpenIDConnect@master] Add backchannel logout

https://gerrit.wikimedia.org/r/991792

cicalese moved this task from Backlog to In Progress on the MediaWiki-extensions-Pluggable-Auth board.Jan 24 2025, 7:28 PM
gerritbot added a comment.Feb 23 2025, 2:23 PM

Change #903216 merged by jenkins-bot:

[mediawiki/extensions/PluggableAuth@master] Add optional support for backchannel logout

https://gerrit.wikimedia.org/r/903216

gerritbot added a comment.Feb 23 2025, 2:25 PM

Change #991792 merged by jenkins-bot:

[mediawiki/extensions/OpenIDConnect@master] Add backchannel logout

https://gerrit.wikimedia.org/r/991792

gerritbot added a comment.Feb 23 2025, 2:25 PM

Change #1121759 had a related patch set uploaded (by Cicalese; author: Robert Vogel):

[mediawiki/extensions/PluggableAuth@REL1_43] Add optional support for backchannel logout

https://gerrit.wikimedia.org/r/1121759

gerritbot added a comment.Feb 23 2025, 2:32 PM

Change #1121759 merged by jenkins-bot:

[mediawiki/extensions/PluggableAuth@REL1_43] Add optional support for backchannel logout

https://gerrit.wikimedia.org/r/1121759

gerritbot added a comment.Feb 23 2025, 2:34 PM

Change #1121760 had a related patch set uploaded (by Cicalese; author: Robert Vogel):

[mediawiki/extensions/OpenIDConnect@REL1_43] Add backchannel logout

https://gerrit.wikimedia.org/r/1121760

gerritbot added a comment.Feb 23 2025, 2:53 PM

Change #1121760 abandoned by Cicalese:

[mediawiki/extensions/OpenIDConnect@REL1_43] Add backchannel logout

Reason:

need to backport other patches first

https://gerrit.wikimedia.org/r/1121760

gerritbot added a comment.Feb 23 2025, 3:02 PM

Change #1121760 restored by Cicalese:

[mediawiki/extensions/OpenIDConnect@REL1_43] Add backchannel logout

https://gerrit.wikimedia.org/r/1121760

gerritbot added a comment.Feb 23 2025, 4:29 PM

Change #1121760 merged by jenkins-bot:

[mediawiki/extensions/OpenIDConnect@REL1_43] Add backchannel logout

https://gerrit.wikimedia.org/r/1121760

cicalese closed this task as Resolved.Feb 23 2025, 4:39 PM
cicalese moved this task from In Progress to Closed on the MediaWiki-extensions-Pluggable-Auth board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits