feat: faster OIDC front/back-channel logout

Author: alnr

consent/manager.go

@@ -52,8 +52,7 @@ type (
 		CreateForcedObfuscatedLoginSession(ctx context.Context, session *ForcedObfuscatedLoginSession) error
 		GetForcedObfuscatedLoginSession(ctx context.Context, client, obfuscated string) (*ForcedObfuscatedLoginSession, error)
 
-		ListUserAuthenticatedClientsWithFrontChannelLogout(ctx context.Context, subject, sid string) ([]client.Client, error)
-		ListUserAuthenticatedClientsWithBackChannelLogout(ctx context.Context, subject, sid string) ([]client.Client, error)
+		ListClientsWithLogoutURLsForSubjectAndSID(ctx context.Context, subject, sid string) (withFrontChannelURL, withBackChannelURL []client.Client, err error)
 
 		CreateLogoutRequest(ctx context.Context, request *flow.LogoutRequest) error
 		GetLogoutRequest(ctx context.Context, challenge string) (*flow.LogoutRequest, error)

consent/strategy_default.go

@@ -705,12 +705,7 @@ func (s *DefaultStrategy) verifyConsent(ctx context.Context, _ http.ResponseWrit
 	return session, f, nil
 }
 
-func (s *DefaultStrategy) generateFrontChannelLogoutURLs(ctx context.Context, subject, sid string) ([]string, error) {
-	clients, err := s.r.ConsentManager().ListUserAuthenticatedClientsWithFrontChannelLogout(ctx, subject, sid)
-	if err != nil {
-		return nil, err
-	}
-
+func (s *DefaultStrategy) generateFrontChannelLogoutURLs(ctx context.Context, clients []client.Client, sid string) ([]string, error) {
 	var urls []string
 	for _, c := range clients {
 		u, err := url.Parse(c.FrontChannelLogoutURI)
@@ -727,11 +722,9 @@ func (s *DefaultStrategy) generateFrontChannelLogoutURLs(ctx context.Context, su
 	return urls, nil
 }
 
-func (s *DefaultStrategy) executeBackChannelLogout(r *http.Request, subject, sid string) error {
-	ctx := r.Context()
-	clients, err := s.r.ConsentManager().ListUserAuthenticatedClientsWithBackChannelLogout(ctx, subject, sid)
-	if err != nil {
-		return err
+func (s *DefaultStrategy) executeBackChannelLogout(ctx context.Context, clients []client.Client, sid string) error {
+	if len(clients) == 0 {
+		return nil
 	}
 
 	openIDKeyID, err := s.r.OpenIDJWTStrategy().GetPublicKeyID(ctx)
@@ -774,7 +767,7 @@ func (s *DefaultStrategy) executeBackChannelLogout(r *http.Request, subject, sid
 	span := trace.SpanFromContext(ctx)
 	cl := s.r.HTTPClient(ctx)
 	execute := func(t task) {
-		log := s.r.Logger().WithRequest(r).
+		log := s.r.Logger().
 			WithField("client_id", t.clientID).
 			WithField("backchannel_logout_url", t.url)
 
@@ -999,9 +992,8 @@ func (s *DefaultStrategy) issueLogoutVerifier(ctx context.Context, w http.Respon
 	return nil, errorsx.WithStack(ErrAbortOAuth2Request)
 }
 
-func (s *DefaultStrategy) performBackChannelLogoutAndDeleteSession(r *http.Request, subject string, sid string) error {
-	ctx := r.Context()
-	if err := s.executeBackChannelLogout(r, subject, sid); err != nil {
+func (s *DefaultStrategy) performBackChannelLogoutAndDeleteSession(ctx context.Context, clients []client.Client, sid string) error {
+	if err := s.executeBackChannelLogout(ctx, clients, sid); err != nil {
 		return err
 	}
 
@@ -1028,7 +1020,7 @@ func (s *DefaultStrategy) performBackChannelLogoutAndDeleteSession(r *http.Reque
 func (s *DefaultStrategy) completeLogout(ctx context.Context, w http.ResponseWriter, r *http.Request) (*flow.LogoutResult, error) {
 	verifier := r.URL.Query().Get("logout_verifier")
 
-	lr, err := s.r.ConsentManager().VerifyAndInvalidateLogoutRequest(r.Context(), verifier)
+	lr, err := s.r.ConsentManager().VerifyAndInvalidateLogoutRequest(ctx, verifier)
 	if err != nil {
 		return nil, err
 	}
@@ -1069,12 +1061,17 @@ func (s *DefaultStrategy) completeLogout(ctx context.Context, w http.ResponseWri
 
 	_, _ = s.revokeAuthenticationCookie(w, r, store) // Cookie removal is optional
 
-	urls, err := s.generateFrontChannelLogoutURLs(r.Context(), lr.Subject, lr.SessionID)
+	frontChannelClients, backChannelClients, err := s.r.ConsentManager().ListClientsWithLogoutURLsForSubjectAndSID(ctx, lr.Subject, lr.SessionID)
 	if err != nil {
 		return nil, err
 	}
 
-	if err := s.performBackChannelLogoutAndDeleteSession(r, lr.Subject, lr.SessionID); err != nil {
+	urls, err := s.generateFrontChannelLogoutURLs(ctx, frontChannelClients, lr.SessionID)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := s.performBackChannelLogoutAndDeleteSession(ctx, backChannelClients, lr.SessionID); err != nil {
 		return nil, err
 	}
 
@@ -1110,7 +1107,12 @@ func (s *DefaultStrategy) HandleHeadlessLogout(ctx context.Context, _ http.Respo
 		return lsErr
 	}
 
-	if err := s.performBackChannelLogoutAndDeleteSession(r, loginSession.Subject, sid); err != nil {
+	_, clients, err := s.r.ConsentManager().ListClientsWithLogoutURLsForSubjectAndSID(ctx, loginSession.Subject, sid)
+	if err != nil {
+		return err
+	}
+
+	if err := s.performBackChannelLogoutAndDeleteSession(ctx, clients, sid); err != nil {
 		return err
 	}
 

consent/test/manager_test_helpers.go

@@ -974,16 +974,11 @@ func ManagerTests(deps Deps, m consent.Manager, clientManager client.Manager, fo
 						}
 					}
 
-					t.Run(fmt.Sprintf("method=ListUserAuthenticatedClientsWithFrontChannelLogout/session=%s/subject=%s", ls.ID, ls.Subject), func(t *testing.T) {
-						actual, err := m.ListUserAuthenticatedClientsWithFrontChannelLogout(ctx, ls.Subject, ls.ID)
+					t.Run(fmt.Sprintf("method=ListClientsWithLogoutURLsForSubjectAndSID/session=%s/subject=%s", ls.ID, ls.Subject), func(t *testing.T) {
+						front, back, err := m.ListClientsWithLogoutURLsForSubjectAndSID(ctx, ls.Subject, ls.ID)
 						require.NoError(t, err)
-						check(t, frontChannels, actual)
-					})
-
-					t.Run(fmt.Sprintf("method=ListUserAuthenticatedClientsWithBackChannelLogout/session=%s", ls.ID), func(t *testing.T) {
-						actual, err := m.ListUserAuthenticatedClientsWithBackChannelLogout(ctx, ls.Subject, ls.ID)
-						require.NoError(t, err)
-						check(t, backChannels, actual)
+						check(t, frontChannels, front)
+						check(t, backChannels, back)
 					})
 				}
 			})

persistence/sql/migrations/20250206111700000000_flow_login_session_id_idx.cockroach.autocommit.down.sql

@@ -0,0 +1 @@
+DROP INDEX IF EXISTS hydra_oauth2_flow@hydra_oauth2_flow_nid_sid_subject_idx;

persistence/sql/migrations/20250206111700000000_flow_login_session_id_idx.cockroach.autocommit.up.sql

@@ -0,0 +1 @@
+CREATE INDEX IF NOT EXISTS hydra_oauth2_flow_nid_sid_subject_idx ON hydra_oauth2_flow (nid, login_session_id, subject) STORING (client_id) WHERE login_session_id IS NOT NULL;

persistence/sql/persister_consent.go

@@ -618,49 +618,66 @@ func (p *Persister) filterExpiredConsentRequests(ctx context.Context, requests [
 	return result, nil
 }
 
-func (p *Persister) ListUserAuthenticatedClientsWithFrontChannelLogout(ctx context.Context, subject, sid string) (_ []client.Client, err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.ListUserAuthenticatedClientsWithFrontChannelLogout")
+func (p *Persister) ListClientsWithLogoutURLsForSubjectAndSID(ctx context.Context, subject, sid string) (withFrontChannelURL, withBackChannelURL []client.Client, err error) {
+	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.ListClientsWithLogoutURLsForSubjectAndSID",
+		trace.WithAttributes(attribute.String("sid", sid)))
 	defer otelx.End(span, &err)
 
-	return p.listUserAuthenticatedClients(ctx, subject, sid, "front")
-}
+	var (
+		cols                   = pop.NewModel(new(client.Client), ctx).Columns().Readable()
+		clientTable, flowTable = p.clientFlowTableNamesWithQueryHint(p.Connection(ctx).Dialect.Name())
 
-func (p *Persister) ListUserAuthenticatedClientsWithBackChannelLogout(ctx context.Context, subject, sid string) (_ []client.Client, err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.ListUserAuthenticatedClientsWithBackChannelLogout")
-	defer otelx.End(span, &err)
-
-	return p.listUserAuthenticatedClients(ctx, subject, sid, "back")
-}
+		q = fmt.Sprintf(`
+		SELECT %s FROM %s c
+		WHERE id IN (
+			SELECT DISTINCT client_id
+			FROM %s f
+			WHERE
+				f.nid = ?
+				AND f.login_session_id = ?
+				AND f.subject = ?
+		)
+		AND	c.nid = ?
+		AND (
+			(c.frontchannel_logout_uri IS NOT NULL AND c.frontchannel_logout_uri != '')
+			OR c.backchannel_logout_uri != ''
+		)`,
+			cols.QuotedString(p.Connection(ctx).Dialect),
+			clientTable,
+			flowTable)
+
+		nid = p.NetworkID(ctx)
+		cs  []client.Client
+	)
 
-func (p *Persister) listUserAuthenticatedClients(ctx context.Context, subject, sid, channel string) (cs []client.Client, err error) {
-	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.listUserAuthenticatedClients",
-		trace.WithAttributes(attribute.String("sid", sid)))
-	defer otelx.End(span, &err)
+	err = p.Connection(ctx).RawQuery(q, nid, sid, subject, nid).All(&cs)
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, nil, nil
+	}
+	if err != nil {
+		return nil, nil, sqlcon.HandleError(err)
+	}
 
-	if err := p.Connection(ctx).RawQuery(
-		/* #nosec G201 - channel can either be "front" or "back" */
-		fmt.Sprintf(`
-SELECT DISTINCT c.* FROM hydra_client as c
-JOIN hydra_oauth2_flow as f ON (c.id = f.client_id AND c.nid = f.nid)
-WHERE
-	f.subject=? AND
-	c.%schannel_logout_uri != '' AND
-	c.%schannel_logout_uri IS NOT NULL AND
-	f.login_session_id = ? AND
-	f.nid = ? AND
-	c.nid = ?`,
-			channel,
-			channel,
-		),
-		subject,
-		sid,
-		p.NetworkID(ctx),
-		p.NetworkID(ctx),
-	).All(&cs); err != nil {
-		return nil, sqlcon.HandleError(err)
+	for _, c := range cs {
+		if c.FrontChannelLogoutURI != "" {
+			withFrontChannelURL = append(withFrontChannelURL, c)
+		}
+		if c.BackChannelLogoutURI != "" {
+			withBackChannelURL = append(withBackChannelURL, c)
+		}
 	}
 
-	return cs, nil
+	return withFrontChannelURL, withBackChannelURL, nil
+}
+
+func (p *Persister) clientFlowTableNamesWithQueryHint(dialect string) (clientTable, flowTable string) {
+	switch dialect {
+	case "cockroach":
+		return "hydra_client@primary", "hydra_oauth2_flow@hydra_oauth2_flow_nid_sid_subject_idx"
+	// TODO: more
+	default:
+		return "hydra_client", "hydra_oauth2_flow"
+	}
 }
 
 func (p *Persister) CreateLogoutRequest(ctx context.Context, request *flow.LogoutRequest) (err error) {

persistence/sql/persister_nid_test.go

@@ -1584,11 +1584,11 @@ func (s *PersisterTestSuite) TestListUserAuthenticatedClientsWithBackChannelLogo
 			})
 			require.NoError(t, err)
 
-			cs, err := r.Persister().ListUserAuthenticatedClientsWithBackChannelLogout(s.t1, "sub", t1f1.SessionID.String())
+			_, cs, err := r.Persister().ListClientsWithLogoutURLsForSubjectAndSID(s.t1, "sub", t1f1.SessionID.String())
 			require.NoError(t, err)
 			require.Equal(t, 1, len(cs))
 
-			cs, err = r.Persister().ListUserAuthenticatedClientsWithBackChannelLogout(s.t2, "sub", t1f1.SessionID.String())
+			_, cs, err = r.Persister().ListClientsWithLogoutURLsForSubjectAndSID(s.t2, "sub", t1f1.SessionID.String())
 			require.NoError(t, err)
 			require.Equal(t, 2, len(cs))
 		})
@@ -1667,11 +1667,11 @@ func (s *PersisterTestSuite) TestListUserAuthenticatedClientsWithFrontChannelLog
 			})
 			require.NoError(t, err)
 
-			cs, err := r.Persister().ListUserAuthenticatedClientsWithFrontChannelLogout(s.t1, "sub", t1f1.SessionID.String())
+			cs, _, err := r.Persister().ListClientsWithLogoutURLsForSubjectAndSID(s.t1, "sub", t1f1.SessionID.String())
 			require.NoError(t, err)
 			require.Equal(t, 1, len(cs))
 
-			cs, err = r.Persister().ListUserAuthenticatedClientsWithFrontChannelLogout(s.t2, "sub", t1f1.SessionID.String())
+			cs, _, err = r.Persister().ListClientsWithLogoutURLsForSubjectAndSID(s.t2, "sub", t1f1.SessionID.String())
 			require.NoError(t, err)
 			require.Equal(t, 2, len(cs))
 		})

persistence/sql/persister_test.go

@@ -38,7 +38,7 @@ func init() {
 
 func testRegistry(t *testing.T, ctx context.Context, k string, t1 driver.Registry, t2 driver.Registry) {
 	t.Run("package=client/manager="+k, func(t *testing.T) {
-		t.Run("case=create-get-update-delete", client.TestHelperCreateGetUpdateDeleteClient(k, t1.Persister().Connection(context.Background()), t1.ClientManager(), t2.ClientManager()))
+		t.Run("case=create-get-update-delete", client.TestHelperCreateGetUpdateDeleteClient(k, t1.Persister().Connection(ctx), t1.ClientManager(), t2.ClientManager()))
 
 		t.Run("case=autogenerate-key", client.TestHelperClientAutoGenerateKey(k, t1.ClientManager()))