strapi-plugin-oidc 1.4.3 → 1.5.0

package/README.md

@@ -34,17 +34,31 @@ module.exports = ({ env }) => ({
       OIDC_REDIRECT_URI: env('OIDC_REDIRECT_URI'), // https://your-strapi.com/strapi-plugin-oidc/oidc/callback
       OIDC_AUTHORIZATION_ENDPOINT: env('OIDC_AUTHORIZATION_ENDPOINT'),
       OIDC_TOKEN_ENDPOINT: env('OIDC_TOKEN_ENDPOINT'),
-      OIDC_USER_INFO_ENDPOINT: env('OIDC_USER_INFO_ENDPOINT'),
+      OIDC_USERINFO_ENDPOINT: env('OIDC_USERINFO_ENDPOINT'),
 
       // Optional — defaults shown
-      OIDC_SCOPES: 'openid profile email',
+      OIDC_SCOPE: 'openid profile email',
       OIDC_GRANT_TYPE: 'authorization_code',
-      OIDC_FAMILY_NAME_FIELD: 'family_name',
-      OIDC_GIVEN_NAME_FIELD: 'given_name',
-      OIDC_LOGOUT_URL: '', // Provider logout URL; omit to redirect to Strapi login
+      OIDC_FAMILY_NAME_FIELD: 'family_name', // claim name for the user's last name
+      OIDC_GIVEN_NAME_FIELD: 'given_name', // claim name for the user's first name
       OIDC_SSO_BUTTON_TEXT: 'Login via SSO',
       OIDC_ENFORCE: null, // null = use Admin UI toggle; true/false = override in config
       REMEMBER_ME: false, // Persist session across browser restarts
+
+      // Optional — RP-Initiated Logout (GET /strapi-plugin-oidc/logout)
+      // Set OIDC_END_SESSION_ENDPOINT to redirect OIDC sessions to your provider's
+      // end-session page on logout. Without it, logout only clears the local session.
+      // Find this URL in your provider's /.well-known/openid-configuration as end_session_endpoint.
+      OIDC_END_SESSION_ENDPOINT: env('OIDC_END_SESSION_ENDPOINT', ''),
+      OIDC_POST_LOGOUT_REDIRECT_URI: env('OIDC_POST_LOGOUT_REDIRECT_URI', ''), // where to land after the provider logs the user out
+
+      // Optional — Backchannel Logout (POST /strapi-plugin-oidc/logout)
+      // When configured, your provider can notify Strapi when a user logs out elsewhere
+      // (e.g. from another app or directly from the provider UI), revoking their Strapi session.
+      // Set the logout URI in your provider to: https://your-strapi.com/strapi-plugin-oidc/logout
+      // Both values are required together — find them in your provider's /.well-known/openid-configuration.
+      OIDC_ISSUER: env('OIDC_ISSUER', ''), // validates the iss claim; required for backchannel logout
+      OIDC_JWKS_URI: env('OIDC_JWKS_URI', ''), // verifies logout token signatures; required for backchannel logout
     },
   },
 });

package/dist/server/index.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
 const node_crypto = require("node:crypto");
+const jose = require("jose");
 const pkceChallenge = require("pkce-challenge");
 const strapiUtils = require("@strapi/utils");
 const generator = require("generate-password");
@@ -161,14 +162,20 @@ const config = {
     OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
-    OIDC_SCOPES: "openid profile email",
+    OIDC_SCOPE: "openid profile email",
     OIDC_AUTHORIZATION_ENDPOINT: "",
     OIDC_TOKEN_ENDPOINT: "",
-    OIDC_USER_INFO_ENDPOINT: "",
+    OIDC_USERINFO_ENDPOINT: "",
     OIDC_GRANT_TYPE: "authorization_code",
     OIDC_FAMILY_NAME_FIELD: "family_name",
     OIDC_GIVEN_NAME_FIELD: "given_name",
-    OIDC_LOGOUT_URL: "",
+    OIDC_END_SESSION_ENDPOINT: "",
+    OIDC_POST_LOGOUT_REDIRECT_URI: "",
+    // Where to land after the provider has logged the user out (RP-Initiated Logout)
+    OIDC_ISSUER: "",
+    // Provider issuer URL — used to validate iss claim in backchannel logout tokens
+    OIDC_JWKS_URI: "",
+    // Provider JWKS endpoint — required for backchannel logout token signature verification
     OIDC_SSO_BUTTON_TEXT: "Login via SSO",
     OIDC_ENFORCE: null
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
@@ -221,15 +228,17 @@ function getExpiredCookieOptions(strapi2, ctx) {
 function clearAuthCookies(strapi2, ctx) {
   const options2 = getExpiredCookieOptions(strapi2, ctx);
   ctx.cookies.set("strapi_admin_refresh", "", options2);
-  ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
+  const rootPathOptions = { ...options2, path: "/" };
+  ctx.cookies.set("oidc_authenticated", "", rootPathOptions);
+  ctx.cookies.set("oidc_id_token", "", rootPathOptions);
 }
 const REQUIRED_CONFIG_KEYS = [
   "OIDC_CLIENT_ID",
   "OIDC_CLIENT_SECRET",
   "OIDC_REDIRECT_URI",
-  "OIDC_SCOPES",
+  "OIDC_SCOPE",
   "OIDC_TOKEN_ENDPOINT",
-  "OIDC_USER_INFO_ENDPOINT",
+  "OIDC_USERINFO_ENDPOINT",
   "OIDC_GRANT_TYPE",
   "OIDC_FAMILY_NAME_FIELD",
   "OIDC_GIVEN_NAME_FIELD",
@@ -245,7 +254,7 @@ function configValidation() {
   );
 }
 async function oidcSignIn(ctx) {
-  const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPES, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
+  const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPE, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
   const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge__default.default();
   const state = node_crypto.randomBytes(32).toString("base64url");
   const nonce = node_crypto.randomBytes(32).toString("base64url");
@@ -264,7 +273,7 @@ async function oidcSignIn(ctx) {
   params.append("response_type", "code");
   params.append("client_id", OIDC_CLIENT_ID);
   params.append("redirect_uri", OIDC_REDIRECT_URI);
-  params.append("scope", OIDC_SCOPES);
+  params.append("scope", OIDC_SCOPE);
   params.append("code_challenge", codeChallenge);
   params.append("code_challenge_method", "S256");
   params.append("state", state);
@@ -297,13 +306,14 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
       throw new Error("Failed to parse ID token");
     }
   }
-  const userResponse = await fetch(config2.OIDC_USER_INFO_ENDPOINT, {
+  const userResponse = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
     headers: { Authorization: `Bearer ${tokenData.access_token}` }
   });
   if (!userResponse.ok) {
     throw new Error("Failed to fetch user info");
   }
-  return userResponse.json();
+  const userInfo = await userResponse.json();
+  return { userInfo, idToken: tokenData.id_token };
 }
 async function registerNewUser(userService, oauthService2, roleService2, email, userResponseData, whitelistUser, config2, ctx) {
   let roles2 = [];
@@ -369,7 +379,11 @@ async function oidcSignInCallback(ctx) {
   params.append("grant_type", config2.OIDC_GRANT_TYPE);
   params.append("code_verifier", codeVerifier ?? "");
   try {
-    const userResponseData = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
+    const { userInfo: userResponseData, idToken } = await exchangeTokenAndFetchUserInfo(
+      config2,
+      params,
+      oidcNonce ?? ""
+    );
     const { activateUser, jwtToken } = await handleUserAuthentication(
       userService,
       oauthService2,
@@ -379,6 +393,15 @@ async function oidcSignInCallback(ctx) {
       config2,
       ctx
     );
+    if (idToken) {
+      const isProduction = strapi.config.get("environment") === "production";
+      ctx.cookies.set("oidc_id_token", idToken, {
+        httpOnly: true,
+        secure: isProduction && ctx.request.secure,
+        path: "/",
+        sameSite: "lax"
+      });
+    }
     const nonce = node_crypto.randomUUID();
     const html = oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce);
     ctx.set("Content-Security-Policy", `script-src 'nonce-${nonce}'`);
@@ -390,20 +413,91 @@ async function oidcSignInCallback(ctx) {
 }
 async function logout(ctx) {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
-  const logoutUrl = config2.OIDC_LOGOUT_URL;
+  const logoutUrl = config2.OIDC_END_SESSION_ENDPOINT;
   const isOidcSession = !!ctx.cookies.get("oidc_authenticated");
+  const idToken = ctx.cookies.get("oidc_id_token");
   clearAuthCookies(strapi, ctx);
   if (logoutUrl && isOidcSession) {
-    ctx.redirect(logoutUrl);
+    const url = new URL(logoutUrl);
+    if (idToken) url.searchParams.set("id_token_hint", idToken);
+    if (config2.OIDC_POST_LOGOUT_REDIRECT_URI) {
+      url.searchParams.set("post_logout_redirect_uri", config2.OIDC_POST_LOGOUT_REDIRECT_URI);
+    }
+    ctx.redirect(url.toString());
   } else {
     const adminPanelUrl = strapi.config.get("admin.url", "/admin");
     ctx.redirect(`${adminPanelUrl}/auth/login`);
   }
 }
+const jwksCache = /* @__PURE__ */ new Map();
+function getJWKS(uri) {
+  const cached = jwksCache.get(uri);
+  if (cached) return cached;
+  const jwks = jose.createRemoteJWKSet(new URL(uri));
+  jwksCache.set(uri, jwks);
+  return jwks;
+}
+async function backchannelLogout(ctx) {
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
+  const logoutToken = ctx.request.body?.logout_token;
+  if (!logoutToken) {
+    ctx.status = 400;
+    ctx.body = { error: "Missing logout_token" };
+    return;
+  }
+  if (!config2.OIDC_JWKS_URI || !config2.OIDC_ISSUER) {
+    ctx.status = 501;
+    ctx.body = {
+      error: "OIDC_JWKS_URI and OIDC_ISSUER must both be configured to enable backchannel logout"
+    };
+    return;
+  }
+  try {
+    const JWKS = getJWKS(config2.OIDC_JWKS_URI);
+    const verifyOptions = {
+      issuer: config2.OIDC_ISSUER,
+      audience: config2.OIDC_CLIENT_ID || void 0
+    };
+    const { payload } = await jose.jwtVerify(logoutToken, JWKS, verifyOptions);
+    if ("nonce" in payload) {
+      ctx.status = 400;
+      ctx.body = { error: "logout_token must not contain nonce" };
+      return;
+    }
+    const events = payload.events;
+    if (!events?.["http://schemas.openid.net/event/backchannel-logout"]) {
+      ctx.status = 400;
+      ctx.body = { error: "logout_token missing backchannel-logout event" };
+      return;
+    }
+    if (!payload.sub && !("sid" in payload)) {
+      ctx.status = 400;
+      ctx.body = { error: "logout_token must contain sub or sid" };
+      return;
+    }
+    if (payload.sub) {
+      const userService = strapi.service("admin::user");
+      const user = await userService.findOneByEmail(payload.sub);
+      if (user) {
+        const sessionManager = strapi.sessionManager;
+        if (sessionManager) {
+          await sessionManager("admin").invalidateRefreshToken(String(user.id));
+        }
+      }
+    }
+    ctx.status = 200;
+    ctx.body = "";
+  } catch (e) {
+    strapi.log.error("Backchannel logout failed:", e);
+    ctx.status = 400;
+    ctx.body = { error: "Invalid logout_token" };
+  }
+}
 const oidc = {
   oidcSignIn,
   oidcSignInCallback,
-  logout
+  logout,
+  backchannelLogout
 };
 async function find(ctx) {
   const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
@@ -660,6 +754,12 @@ const routes = {
         handler: "oidc.logout",
         config: { auth: false }
       },
+      {
+        method: "POST",
+        path: "/logout",
+        handler: "oidc.backchannelLogout",
+        config: { auth: false }
+      },
       {
         method: "GET",
         path: "/whitelist",

package/dist/server/index.mjs

@@ -1,4 +1,5 @@
 import { randomUUID, randomBytes } from "node:crypto";
+import { jwtVerify, createRemoteJWKSet } from "jose";
 import pkceChallenge from "pkce-challenge";
 import strapiUtils from "@strapi/utils";
 import generator from "generate-password";
@@ -155,14 +156,20 @@ const config = {
     OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
-    OIDC_SCOPES: "openid profile email",
+    OIDC_SCOPE: "openid profile email",
     OIDC_AUTHORIZATION_ENDPOINT: "",
     OIDC_TOKEN_ENDPOINT: "",
-    OIDC_USER_INFO_ENDPOINT: "",
+    OIDC_USERINFO_ENDPOINT: "",
     OIDC_GRANT_TYPE: "authorization_code",
     OIDC_FAMILY_NAME_FIELD: "family_name",
     OIDC_GIVEN_NAME_FIELD: "given_name",
-    OIDC_LOGOUT_URL: "",
+    OIDC_END_SESSION_ENDPOINT: "",
+    OIDC_POST_LOGOUT_REDIRECT_URI: "",
+    // Where to land after the provider has logged the user out (RP-Initiated Logout)
+    OIDC_ISSUER: "",
+    // Provider issuer URL — used to validate iss claim in backchannel logout tokens
+    OIDC_JWKS_URI: "",
+    // Provider JWKS endpoint — required for backchannel logout token signature verification
     OIDC_SSO_BUTTON_TEXT: "Login via SSO",
     OIDC_ENFORCE: null
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
@@ -215,15 +222,17 @@ function getExpiredCookieOptions(strapi2, ctx) {
 function clearAuthCookies(strapi2, ctx) {
   const options2 = getExpiredCookieOptions(strapi2, ctx);
   ctx.cookies.set("strapi_admin_refresh", "", options2);
-  ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
+  const rootPathOptions = { ...options2, path: "/" };
+  ctx.cookies.set("oidc_authenticated", "", rootPathOptions);
+  ctx.cookies.set("oidc_id_token", "", rootPathOptions);
 }
 const REQUIRED_CONFIG_KEYS = [
   "OIDC_CLIENT_ID",
   "OIDC_CLIENT_SECRET",
   "OIDC_REDIRECT_URI",
-  "OIDC_SCOPES",
+  "OIDC_SCOPE",
   "OIDC_TOKEN_ENDPOINT",
-  "OIDC_USER_INFO_ENDPOINT",
+  "OIDC_USERINFO_ENDPOINT",
   "OIDC_GRANT_TYPE",
   "OIDC_FAMILY_NAME_FIELD",
   "OIDC_GIVEN_NAME_FIELD",
@@ -239,7 +248,7 @@ function configValidation() {
   );
 }
 async function oidcSignIn(ctx) {
-  const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPES, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
+  const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPE, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
   const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge();
   const state = randomBytes(32).toString("base64url");
   const nonce = randomBytes(32).toString("base64url");
@@ -258,7 +267,7 @@ async function oidcSignIn(ctx) {
   params.append("response_type", "code");
   params.append("client_id", OIDC_CLIENT_ID);
   params.append("redirect_uri", OIDC_REDIRECT_URI);
-  params.append("scope", OIDC_SCOPES);
+  params.append("scope", OIDC_SCOPE);
   params.append("code_challenge", codeChallenge);
   params.append("code_challenge_method", "S256");
   params.append("state", state);
@@ -291,13 +300,14 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
       throw new Error("Failed to parse ID token");
     }
   }
-  const userResponse = await fetch(config2.OIDC_USER_INFO_ENDPOINT, {
+  const userResponse = await fetch(config2.OIDC_USERINFO_ENDPOINT, {
     headers: { Authorization: `Bearer ${tokenData.access_token}` }
   });
   if (!userResponse.ok) {
     throw new Error("Failed to fetch user info");
   }
-  return userResponse.json();
+  const userInfo = await userResponse.json();
+  return { userInfo, idToken: tokenData.id_token };
 }
 async function registerNewUser(userService, oauthService2, roleService2, email, userResponseData, whitelistUser, config2, ctx) {
   let roles2 = [];
@@ -363,7 +373,11 @@ async function oidcSignInCallback(ctx) {
   params.append("grant_type", config2.OIDC_GRANT_TYPE);
   params.append("code_verifier", codeVerifier ?? "");
   try {
-    const userResponseData = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
+    const { userInfo: userResponseData, idToken } = await exchangeTokenAndFetchUserInfo(
+      config2,
+      params,
+      oidcNonce ?? ""
+    );
     const { activateUser, jwtToken } = await handleUserAuthentication(
       userService,
       oauthService2,
@@ -373,6 +387,15 @@ async function oidcSignInCallback(ctx) {
       config2,
       ctx
     );
+    if (idToken) {
+      const isProduction = strapi.config.get("environment") === "production";
+      ctx.cookies.set("oidc_id_token", idToken, {
+        httpOnly: true,
+        secure: isProduction && ctx.request.secure,
+        path: "/",
+        sameSite: "lax"
+      });
+    }
     const nonce = randomUUID();
     const html = oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce);
     ctx.set("Content-Security-Policy", `script-src 'nonce-${nonce}'`);
@@ -384,20 +407,91 @@ async function oidcSignInCallback(ctx) {
 }
 async function logout(ctx) {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
-  const logoutUrl = config2.OIDC_LOGOUT_URL;
+  const logoutUrl = config2.OIDC_END_SESSION_ENDPOINT;
   const isOidcSession = !!ctx.cookies.get("oidc_authenticated");
+  const idToken = ctx.cookies.get("oidc_id_token");
   clearAuthCookies(strapi, ctx);
   if (logoutUrl && isOidcSession) {
-    ctx.redirect(logoutUrl);
+    const url = new URL(logoutUrl);
+    if (idToken) url.searchParams.set("id_token_hint", idToken);
+    if (config2.OIDC_POST_LOGOUT_REDIRECT_URI) {
+      url.searchParams.set("post_logout_redirect_uri", config2.OIDC_POST_LOGOUT_REDIRECT_URI);
+    }
+    ctx.redirect(url.toString());
   } else {
     const adminPanelUrl = strapi.config.get("admin.url", "/admin");
     ctx.redirect(`${adminPanelUrl}/auth/login`);
   }
 }
+const jwksCache = /* @__PURE__ */ new Map();
+function getJWKS(uri) {
+  const cached = jwksCache.get(uri);
+  if (cached) return cached;
+  const jwks = createRemoteJWKSet(new URL(uri));
+  jwksCache.set(uri, jwks);
+  return jwks;
+}
+async function backchannelLogout(ctx) {
+  const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
+  const logoutToken = ctx.request.body?.logout_token;
+  if (!logoutToken) {
+    ctx.status = 400;
+    ctx.body = { error: "Missing logout_token" };
+    return;
+  }
+  if (!config2.OIDC_JWKS_URI || !config2.OIDC_ISSUER) {
+    ctx.status = 501;
+    ctx.body = {
+      error: "OIDC_JWKS_URI and OIDC_ISSUER must both be configured to enable backchannel logout"
+    };
+    return;
+  }
+  try {
+    const JWKS = getJWKS(config2.OIDC_JWKS_URI);
+    const verifyOptions = {
+      issuer: config2.OIDC_ISSUER,
+      audience: config2.OIDC_CLIENT_ID || void 0
+    };
+    const { payload } = await jwtVerify(logoutToken, JWKS, verifyOptions);
+    if ("nonce" in payload) {
+      ctx.status = 400;
+      ctx.body = { error: "logout_token must not contain nonce" };
+      return;
+    }
+    const events = payload.events;
+    if (!events?.["http://schemas.openid.net/event/backchannel-logout"]) {
+      ctx.status = 400;
+      ctx.body = { error: "logout_token missing backchannel-logout event" };
+      return;
+    }
+    if (!payload.sub && !("sid" in payload)) {
+      ctx.status = 400;
+      ctx.body = { error: "logout_token must contain sub or sid" };
+      return;
+    }
+    if (payload.sub) {
+      const userService = strapi.service("admin::user");
+      const user = await userService.findOneByEmail(payload.sub);
+      if (user) {
+        const sessionManager = strapi.sessionManager;
+        if (sessionManager) {
+          await sessionManager("admin").invalidateRefreshToken(String(user.id));
+        }
+      }
+    }
+    ctx.status = 200;
+    ctx.body = "";
+  } catch (e) {
+    strapi.log.error("Backchannel logout failed:", e);
+    ctx.status = 400;
+    ctx.body = { error: "Invalid logout_token" };
+  }
+}
 const oidc = {
   oidcSignIn,
   oidcSignInCallback,
-  logout
+  logout,
+  backchannelLogout
 };
 async function find(ctx) {
   const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
@@ -654,6 +748,12 @@ const routes = {
         handler: "oidc.logout",
         config: { auth: false }
       },
+      {
+        method: "POST",
+        path: "/logout",
+        handler: "oidc.backchannelLogout",
+        config: { auth: false }
+      },
       {
         method: "GET",
         path: "/whitelist",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.4.3",
+  "version": "1.5.0",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",
@@ -50,6 +50,7 @@
     "@strapi/icons": "^2.2.0",
     "@strapi/utils": "^5.41.1",
     "generate-password": "^1.7.1",
+    "jose": "^6.2.2",
     "pkce-challenge": "^6.0.0",
     "react-intl": "^6.8.9"
   },
@@ -81,6 +82,8 @@
     "@eslint/eslintrc": "^3.3.5",
     "@eslint/js": "^10.0.1",
     "@strapi/sdk-plugin": "^6.0.1",
+    "@strapi/types": "^5.41.1",
+    "@types/koa": "^2.16.4",
     "@types/node": "^25.5.2",
     "@types/supertest": "^7.2.0",
     "@vitest/coverage-v8": "^4.1.2",