strapi-plugin-oidc 1.5.0 → 1.5.1

package/README.md

@@ -36,29 +36,27 @@ module.exports = ({ env }) => ({
       OIDC_TOKEN_ENDPOINT: env('OIDC_TOKEN_ENDPOINT'),
       OIDC_USERINFO_ENDPOINT: env('OIDC_USERINFO_ENDPOINT'),
 
-      // Optional — defaults shown
+      // Optional
       OIDC_SCOPE: 'openid profile email',
       OIDC_GRANT_TYPE: 'authorization_code',
-      OIDC_FAMILY_NAME_FIELD: 'family_name', // claim name for the user's last name
-      OIDC_GIVEN_NAME_FIELD: 'given_name', // claim name for the user's first name
+      OIDC_FAMILY_NAME_FIELD: 'family_name',
+      OIDC_GIVEN_NAME_FIELD: 'given_name',
       OIDC_SSO_BUTTON_TEXT: 'Login via SSO',
-      OIDC_ENFORCE: null, // null = use Admin UI toggle; true/false = override in config
-      REMEMBER_ME: false, // Persist session across browser restarts
+      OIDC_ENFORCE: null, // null = use Admin UI toggle; true/false = override
+      REMEMBER_ME: false,
 
-      // Optional — RP-Initiated Logout (GET /strapi-plugin-oidc/logout)
-      // Set OIDC_END_SESSION_ENDPOINT to redirect OIDC sessions to your provider's
-      // end-session page on logout. Without it, logout only clears the local session.
-      // Find this URL in your provider's /.well-known/openid-configuration as end_session_endpoint.
+      // Optional — RP-Initiated Logout
+      // Redirects the browser to the provider's end-session page on logout.
+      // Both found in your provider's /.well-known/openid-configuration.
       OIDC_END_SESSION_ENDPOINT: env('OIDC_END_SESSION_ENDPOINT', ''),
-      OIDC_POST_LOGOUT_REDIRECT_URI: env('OIDC_POST_LOGOUT_REDIRECT_URI', ''), // where to land after the provider logs the user out
-
-      // Optional — Backchannel Logout (POST /strapi-plugin-oidc/logout)
-      // When configured, your provider can notify Strapi when a user logs out elsewhere
-      // (e.g. from another app or directly from the provider UI), revoking their Strapi session.
-      // Set the logout URI in your provider to: https://your-strapi.com/strapi-plugin-oidc/logout
-      // Both values are required together — find them in your provider's /.well-known/openid-configuration.
-      OIDC_ISSUER: env('OIDC_ISSUER', ''), // validates the iss claim; required for backchannel logout
-      OIDC_JWKS_URI: env('OIDC_JWKS_URI', ''), // verifies logout token signatures; required for backchannel logout
+      OIDC_POST_LOGOUT_REDIRECT_URI: env('OIDC_POST_LOGOUT_REDIRECT_URI', ''),
+
+      // Optional — Backchannel Logout
+      // Allows the provider to revoke Strapi sessions server-to-server.
+      // Set your provider's logout URI to: https://your-strapi.com/strapi-plugin-oidc/logout
+      // Both found in your provider's /.well-known/openid-configuration.
+      OIDC_ISSUER: env('OIDC_ISSUER', ''),
+      OIDC_JWKS_URI: env('OIDC_JWKS_URI', ''),
     },
   },
 });
@@ -148,7 +146,6 @@ This plugin is a hard fork of [`strapi-plugin-sso`](https://github.com/yasudaclo
 
 - Removed alternative SSO methods to simplify the plugin.
 - Redesigned the Whitelist and Role management UI (switched to native Strapi cards, added pagination, etc.).
-- Added an OIDC logout redirect URL.
 - Added an option to "Enforce OIDC login" with an admin toggle (automatically disabled if the whitelist is empty).
 - Migrated the testing framework to Vitest and added comprehensive test coverage for controllers and services.
 - Cleaned up dead code and unused dependencies to improve maintainability.
@@ -160,4 +157,8 @@ This plugin is a hard fork of [`strapi-plugin-sso`](https://github.com/yasudaclo
   - Bulk delete all entries with a confirmation dialog.
   - Unsaved changes confirmation when navigating away from the settings page.
   - Programmatic API for managing the whitelist via Strapi API tokens (list, register, import, delete, delete all).
+- **RP-Initiated Logout** (OpenID Connect RP-Initiated Logout 1.0): on logout, Strapi redirects the browser to the provider's end-session endpoint with `id_token_hint` and `post_logout_redirect_uri`, cleanly terminating the SSO session. Configured via `OIDC_END_SESSION_ENDPOINT` and `OIDC_POST_LOGOUT_REDIRECT_URI`.
+- **Backchannel Logout** (OIDC Back-Channel Logout 1.0): `POST /strapi-plugin-oidc/logout` accepts a signed logout token from the provider, validates it, and revokes the user's Strapi admin session — keeping Strapi in sync when a user logs out elsewhere. Configured via `OIDC_ISSUER` and `OIDC_JWKS_URI`.
+- Renamed config keys to match OIDC discovery document field names: `OIDC_LOGOUT_URL` → `OIDC_END_SESSION_ENDPOINT`, `OIDC_USER_INFO_ENDPOINT` → `OIDC_USERINFO_ENDPOINT`, `OIDC_SCOPES` → `OIDC_SCOPE`.
+- Security hardening: PKCE (`S256`), server-side `state` generation (CSRF protection), nonce validation (ID token replay prevention), `Authorization: Bearer` header for userinfo requests, generic error messages on callback failure.
 - Added misc. quality of life improvements and bug fixes.

package/dist/server/index.js

@@ -25,6 +25,17 @@ function resolveEnforceOIDC(strapi2, dbValue) {
   if (configValue !== null) return configValue;
   return dbValue ?? false;
 }
+const revoked = /* @__PURE__ */ new Map();
+const CLEANUP_DELAY_MS = 24 * 60 * 60 * 1e3;
+function revokeUser(userId) {
+  revoked.set(userId, Date.now());
+  setTimeout(() => revoked.delete(userId), CLEANUP_DELAY_MS);
+}
+function isUserRevoked(userId, iat) {
+  const logoutTime = revoked.get(userId);
+  if (!logoutTime) return false;
+  return iat * 1e3 <= logoutTime;
+}
 async function bootstrap({ strapi: strapi2 }) {
   const enforceOidcMiddleware = async (ctx, next) => {
     const adminUrl = strapi2.config.get("admin.url", "/admin");
@@ -77,9 +88,36 @@ async function bootstrap({ strapi: strapi2 }) {
     }
     await next();
   };
+  const denylistMiddleware = async (ctx, next) => {
+    const auth = ctx.request.headers.authorization;
+    if (auth?.startsWith("Bearer ")) {
+      try {
+        const payload = JSON.parse(
+          Buffer.from(auth.slice(7).split(".")[1], "base64url").toString()
+        );
+        if (payload.id && isUserRevoked(String(payload.id), payload.iat ?? 0)) {
+          ctx.status = 401;
+          ctx.body = {
+            data: null,
+            error: {
+              status: 401,
+              name: "UnauthorizedError",
+              message: "Session revoked",
+              details: {}
+            }
+          };
+          return;
+        }
+      } catch {
+      }
+    }
+    await next();
+  };
   if (strapi2.server.app && Array.isArray(strapi2.server.app.middleware)) {
     strapi2.server.app.middleware.unshift(enforceOidcMiddleware);
+    strapi2.server.app.middleware.unshift(denylistMiddleware);
   } else {
+    strapi2.server.use(denylistMiddleware);
     strapi2.server.use(enforceOidcMiddleware);
   }
   const actions = [
@@ -479,6 +517,7 @@ async function backchannelLogout(ctx) {
       const userService = strapi.service("admin::user");
       const user = await userService.findOneByEmail(payload.sub);
       if (user) {
+        revokeUser(String(user.id));
         const sessionManager = strapi.sessionManager;
         if (sessionManager) {
           await sessionManager("admin").invalidateRefreshToken(String(user.id));

package/dist/server/index.mjs

@@ -19,6 +19,17 @@ function resolveEnforceOIDC(strapi2, dbValue) {
   if (configValue !== null) return configValue;
   return dbValue ?? false;
 }
+const revoked = /* @__PURE__ */ new Map();
+const CLEANUP_DELAY_MS = 24 * 60 * 60 * 1e3;
+function revokeUser(userId) {
+  revoked.set(userId, Date.now());
+  setTimeout(() => revoked.delete(userId), CLEANUP_DELAY_MS);
+}
+function isUserRevoked(userId, iat) {
+  const logoutTime = revoked.get(userId);
+  if (!logoutTime) return false;
+  return iat * 1e3 <= logoutTime;
+}
 async function bootstrap({ strapi: strapi2 }) {
   const enforceOidcMiddleware = async (ctx, next) => {
     const adminUrl = strapi2.config.get("admin.url", "/admin");
@@ -71,9 +82,36 @@ async function bootstrap({ strapi: strapi2 }) {
     }
     await next();
   };
+  const denylistMiddleware = async (ctx, next) => {
+    const auth = ctx.request.headers.authorization;
+    if (auth?.startsWith("Bearer ")) {
+      try {
+        const payload = JSON.parse(
+          Buffer.from(auth.slice(7).split(".")[1], "base64url").toString()
+        );
+        if (payload.id && isUserRevoked(String(payload.id), payload.iat ?? 0)) {
+          ctx.status = 401;
+          ctx.body = {
+            data: null,
+            error: {
+              status: 401,
+              name: "UnauthorizedError",
+              message: "Session revoked",
+              details: {}
+            }
+          };
+          return;
+        }
+      } catch {
+      }
+    }
+    await next();
+  };
   if (strapi2.server.app && Array.isArray(strapi2.server.app.middleware)) {
     strapi2.server.app.middleware.unshift(enforceOidcMiddleware);
+    strapi2.server.app.middleware.unshift(denylistMiddleware);
   } else {
+    strapi2.server.use(denylistMiddleware);
     strapi2.server.use(enforceOidcMiddleware);
   }
   const actions = [
@@ -473,6 +511,7 @@ async function backchannelLogout(ctx) {
       const userService = strapi.service("admin::user");
       const user = await userService.findOneByEmail(payload.sub);
       if (user) {
+        revokeUser(String(user.id));
         const sessionManager = strapi.sessionManager;
         if (sessionManager) {
           await sessionManager("admin").invalidateRefreshToken(String(user.id));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.5.0",
+  "version": "1.5.1",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",