-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: backchannel logout request client tls configuration #2875
base: master
Are you sure you want to change the base?
Conversation
Codecov Report
@@ Coverage Diff @@
## master #2875 +/- ##
==========================================
+ Coverage 76.85% 76.92% +0.07%
==========================================
Files 124 124
Lines 9175 9212 +37
==========================================
+ Hits 7051 7086 +35
- Misses 1674 1675 +1
- Partials 450 451 +1
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
dbd2976
to
30e5db8
Compare
30e5db8
to
b80598c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking great! :) Could you please add a guide that explains how to use this feature in this doc: https://github.com/ory/hydra/blob/master/docs/docs/guides/logout.mdx ?
Thank you!
Thank you, this looks great! The CI is failing because some files are formatted incorrectly. To format them, run:
Thank you! |
While the PR is being worked on I will mark it as a draft. That declutters our review backlog :) Once you're done with your changes and would like someone to review them, mark the PR as ready and request a review from one of the maintainers. Thank you! |
99c099f
to
8d3e42f
Compare
8d3e42f
to
29612a5
Compare
7a1e8ac
to
34039db
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you! I've got one question. This PR is currently targeting exactly one backchannel logout URL. However, most environments will have 1..n backchannel logout URLs, depending on the clients that define those URLs. To me it appears that setting this TLS configuration at a global level will be problematic if you have two or more OAuth2 clients with separate TLS configs (e.g. one special TLS config and one regular HTTPs with a public certificate).
What's your take on this?
34039db
to
f3182f8
Compare
This is how its implemented before this PR also - global golang default for all backchannel requests?
And I did not add this problem with current implementation? Just reiterating my thoughts so I'm not missing anything: :)
This is functionality is MVP for us, but it could be further extended to check client specific settings when iterating over clients in executeBackChannelLogout() and it would not go in conflict with current implementation - in contrary would give possibility to further override these global settings when needed? |
249d2c0
to
bd96bd4
Compare
7c266d7
to
2b96742
Compare
f4bb8e8
to
4914aa4
Compare
f60fcad
to
4f7cf12
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @aarmam as always for your great contributions! After thinking about this for quite some time, I don't think that we should merge this feature upstream. The reason is the following:
The backchannel logout URL is something that is configured on a per-client basis. Adding a config option which allows us only to configure a global TLS certificate does not really match the underlying principle that an authorization server can have almost unlimited backchannel logout targets.
If we were to introduce this, we would need to keep for backwards compatibility and also add to Ory Network. Therefore, we can't merge the feature as is.
One option is to add this feature to the client configuration. However, I think that the backchannel logout URL should use TLS with a trusted certificate, and not trust untrusted certificates. To work around this on local environments, one could use Caddy or something similar to add a trusted CA to the OS certificate store, or set up LE in staging environments.
So generally speaking, I don't think we should add TLS exceptions here. It will only open questions like: Why does JWKs fetching not have a custom TLS certificate? Or webhooks, or feature X, Y, Z
Thanks! :)
This is actually not what this pr introduces. I'll give you an example: client.default.tls:
min_version: tls12
max_version: tls13
cipher_suites:
- TLS_AES_128_GCM_SHA256
client.back_channel_logout.tls:
cipher_suites:
- TLS_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 This configuration limits all outgoing TLS connections to use min/max tls versions and specified cipher suites - thats all this pr introduces. It does not configure global TLS certificate nor trusted certificates - just global outgoing connection settings for min/max tls version and cypher suites. |
14acfc3
to
8443a87
Compare
8443a87
to
9b42cc6
Compare
9b42cc6
to
87e14c7
Compare
This pull request introduces feature to configure backchannel logout request client TLS min/max versions and supported cipher suites.
Feature update:
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security. vulnerability, I
confirm that I got green light (please contact
[email protected]) from the maintainers to push
the changes.
works.