-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement OIDC session handling #5278
Comments
Thanks for the suggestion @timhallmann, and for the offer to contribute. Overall though, I'm not keen to expand the maintenance & support surface area of OIDC without some proven demand for such additions. There's essentially two feature requests in here (OIDC session handling and OIDC logout support), can you split this into separate feature requests to allow for each to gain support and discussion individually? |
I decided against proposing to implement custom sessions (on top of Laravels) as I didn't want to broaden the scope even further. However, if other issues also run into similar limitations, it would definitely be a better solution.
Our use case: My department is looking into using BookStack for our internal user-facing documentation. We'd prefer consistent behavior across all user-facing applications and for the logout to be as simple as the login, especially on shared laboratory computers. Also, it makes our IT security happy. :) Obviously, that might not be enough to justify the maintenance and support cost. If that's the case, I'll probably have to implement and maintain this myself.
Sure, will do. |
Describe the feature you'd like
Once a user successfully logs into BookStack, their session becomes largely independent from the session at the OpenID Provider. While BookStack does support RP-Initiated Logout, it doesn't utilize the OPs session lifetime.
In the event that the OP sets a session lifetime, BookStack should deem a user as unauthenticated once the session expires. However, if the OP supplies a refresh_token, BookStack should use this token to refresh the session in the background, thus allowing the users session to persist. This refresh should be transparent to the user.
Describe the benefits this would bring to existing BookStack users
Can the goal of this request already be achieved via other means?
No. (While it might technically be possible to accomplish this through the logical theme system, that's likely to get quite ugly.)
Have you searched for an existing open/closed issue?
How long have you been using BookStack?
Not using yet, just scoping
Additional context
Prior discussion in #3715 (RP-Initiated Logout).
Related feature request: #5279 (Implement OIDC Front-Channel / Back-Channel Logout).
I'm open to implementing this feature myself, but I lack prior experience with Laravel and PHP, so I have some questions about the applications architecture and Laravel.
Here's my preliminary plan for managing the session lifetime:
Alternatively, implement custom sessions.
Notes / Considerations:
/ajax/logged-in
before saving and prompting the user to reauthenticate if necessary.iframe
polling described in OpenID Connect Session Management 1.0 as it doesn't work for Back-Channel Logouts.The text was updated successfully, but these errors were encountered: