strapi-plugin-oidc 1.5.1 → 1.5.2

package/README.md

@@ -36,27 +36,15 @@ module.exports = ({ env }) => ({
       OIDC_TOKEN_ENDPOINT: env('OIDC_TOKEN_ENDPOINT'),
       OIDC_USERINFO_ENDPOINT: env('OIDC_USERINFO_ENDPOINT'),
 
-      // Optional
+      // Optional — defaults shown
       OIDC_SCOPE: 'openid profile email',
       OIDC_GRANT_TYPE: 'authorization_code',
       OIDC_FAMILY_NAME_FIELD: 'family_name',
       OIDC_GIVEN_NAME_FIELD: 'given_name',
+      OIDC_END_SESSION_ENDPOINT: '', // Provider end-session URL; omit to redirect to Strapi login
       OIDC_SSO_BUTTON_TEXT: 'Login via SSO',
-      OIDC_ENFORCE: null, // null = use Admin UI toggle; true/false = override
-      REMEMBER_ME: false,
-
-      // Optional — RP-Initiated Logout
-      // Redirects the browser to the provider's end-session page on logout.
-      // Both found in your provider's /.well-known/openid-configuration.
-      OIDC_END_SESSION_ENDPOINT: env('OIDC_END_SESSION_ENDPOINT', ''),
-      OIDC_POST_LOGOUT_REDIRECT_URI: env('OIDC_POST_LOGOUT_REDIRECT_URI', ''),
-
-      // Optional — Backchannel Logout
-      // Allows the provider to revoke Strapi sessions server-to-server.
-      // Set your provider's logout URI to: https://your-strapi.com/strapi-plugin-oidc/logout
-      // Both found in your provider's /.well-known/openid-configuration.
-      OIDC_ISSUER: env('OIDC_ISSUER', ''),
-      OIDC_JWKS_URI: env('OIDC_JWKS_URI', ''),
+      OIDC_ENFORCE: null, // null = use Admin UI toggle; true/false = override in config
+      REMEMBER_ME: false, // Persist session across browser restarts
     },
   },
 });
@@ -146,6 +134,7 @@ This plugin is a hard fork of [`strapi-plugin-sso`](https://github.com/yasudaclo
 
 - Removed alternative SSO methods to simplify the plugin.
 - Redesigned the Whitelist and Role management UI (switched to native Strapi cards, added pagination, etc.).
+- Added an OIDC logout redirect URL.
 - Added an option to "Enforce OIDC login" with an admin toggle (automatically disabled if the whitelist is empty).
 - Migrated the testing framework to Vitest and added comprehensive test coverage for controllers and services.
 - Cleaned up dead code and unused dependencies to improve maintainability.
@@ -157,8 +146,4 @@ This plugin is a hard fork of [`strapi-plugin-sso`](https://github.com/yasudaclo
   - Bulk delete all entries with a confirmation dialog.
   - Unsaved changes confirmation when navigating away from the settings page.
   - Programmatic API for managing the whitelist via Strapi API tokens (list, register, import, delete, delete all).
-- **RP-Initiated Logout** (OpenID Connect RP-Initiated Logout 1.0): on logout, Strapi redirects the browser to the provider's end-session endpoint with `id_token_hint` and `post_logout_redirect_uri`, cleanly terminating the SSO session. Configured via `OIDC_END_SESSION_ENDPOINT` and `OIDC_POST_LOGOUT_REDIRECT_URI`.
-- **Backchannel Logout** (OIDC Back-Channel Logout 1.0): `POST /strapi-plugin-oidc/logout` accepts a signed logout token from the provider, validates it, and revokes the user's Strapi admin session — keeping Strapi in sync when a user logs out elsewhere. Configured via `OIDC_ISSUER` and `OIDC_JWKS_URI`.
-- Renamed config keys to match OIDC discovery document field names: `OIDC_LOGOUT_URL` → `OIDC_END_SESSION_ENDPOINT`, `OIDC_USER_INFO_ENDPOINT` → `OIDC_USERINFO_ENDPOINT`, `OIDC_SCOPES` → `OIDC_SCOPE`.
-- Security hardening: PKCE (`S256`), server-side `state` generation (CSRF protection), nonce validation (ID token replay prevention), `Authorization: Bearer` header for userinfo requests, generic error messages on callback failure.
 - Added misc. quality of life improvements and bug fixes.

package/dist/server/index.js

@@ -1,7 +1,6 @@
 "use strict";
 Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
 const node_crypto = require("node:crypto");
-const jose = require("jose");
 const pkceChallenge = require("pkce-challenge");
 const strapiUtils = require("@strapi/utils");
 const generator = require("generate-password");
@@ -25,17 +24,6 @@ function resolveEnforceOIDC(strapi2, dbValue) {
   if (configValue !== null) return configValue;
   return dbValue ?? false;
 }
-const revoked = /* @__PURE__ */ new Map();
-const CLEANUP_DELAY_MS = 24 * 60 * 60 * 1e3;
-function revokeUser(userId) {
-  revoked.set(userId, Date.now());
-  setTimeout(() => revoked.delete(userId), CLEANUP_DELAY_MS);
-}
-function isUserRevoked(userId, iat) {
-  const logoutTime = revoked.get(userId);
-  if (!logoutTime) return false;
-  return iat * 1e3 <= logoutTime;
-}
 async function bootstrap({ strapi: strapi2 }) {
   const enforceOidcMiddleware = async (ctx, next) => {
     const adminUrl = strapi2.config.get("admin.url", "/admin");
@@ -88,36 +76,9 @@ async function bootstrap({ strapi: strapi2 }) {
     }
     await next();
   };
-  const denylistMiddleware = async (ctx, next) => {
-    const auth = ctx.request.headers.authorization;
-    if (auth?.startsWith("Bearer ")) {
-      try {
-        const payload = JSON.parse(
-          Buffer.from(auth.slice(7).split(".")[1], "base64url").toString()
-        );
-        if (payload.id && isUserRevoked(String(payload.id), payload.iat ?? 0)) {
-          ctx.status = 401;
-          ctx.body = {
-            data: null,
-            error: {
-              status: 401,
-              name: "UnauthorizedError",
-              message: "Session revoked",
-              details: {}
-            }
-          };
-          return;
-        }
-      } catch {
-      }
-    }
-    await next();
-  };
   if (strapi2.server.app && Array.isArray(strapi2.server.app.middleware)) {
     strapi2.server.app.middleware.unshift(enforceOidcMiddleware);
-    strapi2.server.app.middleware.unshift(denylistMiddleware);
   } else {
-    strapi2.server.use(denylistMiddleware);
     strapi2.server.use(enforceOidcMiddleware);
   }
   const actions = [
@@ -208,12 +169,6 @@ const config = {
     OIDC_FAMILY_NAME_FIELD: "family_name",
     OIDC_GIVEN_NAME_FIELD: "given_name",
     OIDC_END_SESSION_ENDPOINT: "",
-    OIDC_POST_LOGOUT_REDIRECT_URI: "",
-    // Where to land after the provider has logged the user out (RP-Initiated Logout)
-    OIDC_ISSUER: "",
-    // Provider issuer URL — used to validate iss claim in backchannel logout tokens
-    OIDC_JWKS_URI: "",
-    // Provider JWKS endpoint — required for backchannel logout token signature verification
     OIDC_SSO_BUTTON_TEXT: "Login via SSO",
     OIDC_ENFORCE: null
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
@@ -266,9 +221,7 @@ function getExpiredCookieOptions(strapi2, ctx) {
 function clearAuthCookies(strapi2, ctx) {
   const options2 = getExpiredCookieOptions(strapi2, ctx);
   ctx.cookies.set("strapi_admin_refresh", "", options2);
-  const rootPathOptions = { ...options2, path: "/" };
-  ctx.cookies.set("oidc_authenticated", "", rootPathOptions);
-  ctx.cookies.set("oidc_id_token", "", rootPathOptions);
+  ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
 }
 const REQUIRED_CONFIG_KEYS = [
   "OIDC_CLIENT_ID",
@@ -350,8 +303,7 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
   if (!userResponse.ok) {
     throw new Error("Failed to fetch user info");
   }
-  const userInfo = await userResponse.json();
-  return { userInfo, idToken: tokenData.id_token };
+  return userResponse.json();
 }
 async function registerNewUser(userService, oauthService2, roleService2, email, userResponseData, whitelistUser, config2, ctx) {
   let roles2 = [];
@@ -417,11 +369,7 @@ async function oidcSignInCallback(ctx) {
   params.append("grant_type", config2.OIDC_GRANT_TYPE);
   params.append("code_verifier", codeVerifier ?? "");
   try {
-    const { userInfo: userResponseData, idToken } = await exchangeTokenAndFetchUserInfo(
-      config2,
-      params,
-      oidcNonce ?? ""
-    );
+    const userResponseData = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
     const { activateUser, jwtToken } = await handleUserAuthentication(
       userService,
       oauthService2,
@@ -431,15 +379,6 @@ async function oidcSignInCallback(ctx) {
       config2,
       ctx
     );
-    if (idToken) {
-      const isProduction = strapi.config.get("environment") === "production";
-      ctx.cookies.set("oidc_id_token", idToken, {
-        httpOnly: true,
-        secure: isProduction && ctx.request.secure,
-        path: "/",
-        sameSite: "lax"
-      });
-    }
     const nonce = node_crypto.randomUUID();
     const html = oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce);
     ctx.set("Content-Security-Policy", `script-src 'nonce-${nonce}'`);
@@ -453,90 +392,18 @@ async function logout(ctx) {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   const logoutUrl = config2.OIDC_END_SESSION_ENDPOINT;
   const isOidcSession = !!ctx.cookies.get("oidc_authenticated");
-  const idToken = ctx.cookies.get("oidc_id_token");
   clearAuthCookies(strapi, ctx);
   if (logoutUrl && isOidcSession) {
-    const url = new URL(logoutUrl);
-    if (idToken) url.searchParams.set("id_token_hint", idToken);
-    if (config2.OIDC_POST_LOGOUT_REDIRECT_URI) {
-      url.searchParams.set("post_logout_redirect_uri", config2.OIDC_POST_LOGOUT_REDIRECT_URI);
-    }
-    ctx.redirect(url.toString());
+    ctx.redirect(logoutUrl);
   } else {
     const adminPanelUrl = strapi.config.get("admin.url", "/admin");
     ctx.redirect(`${adminPanelUrl}/auth/login`);
   }
 }
-const jwksCache = /* @__PURE__ */ new Map();
-function getJWKS(uri) {
-  const cached = jwksCache.get(uri);
-  if (cached) return cached;
-  const jwks = jose.createRemoteJWKSet(new URL(uri));
-  jwksCache.set(uri, jwks);
-  return jwks;
-}
-async function backchannelLogout(ctx) {
-  const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
-  const logoutToken = ctx.request.body?.logout_token;
-  if (!logoutToken) {
-    ctx.status = 400;
-    ctx.body = { error: "Missing logout_token" };
-    return;
-  }
-  if (!config2.OIDC_JWKS_URI || !config2.OIDC_ISSUER) {
-    ctx.status = 501;
-    ctx.body = {
-      error: "OIDC_JWKS_URI and OIDC_ISSUER must both be configured to enable backchannel logout"
-    };
-    return;
-  }
-  try {
-    const JWKS = getJWKS(config2.OIDC_JWKS_URI);
-    const verifyOptions = {
-      issuer: config2.OIDC_ISSUER,
-      audience: config2.OIDC_CLIENT_ID || void 0
-    };
-    const { payload } = await jose.jwtVerify(logoutToken, JWKS, verifyOptions);
-    if ("nonce" in payload) {
-      ctx.status = 400;
-      ctx.body = { error: "logout_token must not contain nonce" };
-      return;
-    }
-    const events = payload.events;
-    if (!events?.["http://schemas.openid.net/event/backchannel-logout"]) {
-      ctx.status = 400;
-      ctx.body = { error: "logout_token missing backchannel-logout event" };
-      return;
-    }
-    if (!payload.sub && !("sid" in payload)) {
-      ctx.status = 400;
-      ctx.body = { error: "logout_token must contain sub or sid" };
-      return;
-    }
-    if (payload.sub) {
-      const userService = strapi.service("admin::user");
-      const user = await userService.findOneByEmail(payload.sub);
-      if (user) {
-        revokeUser(String(user.id));
-        const sessionManager = strapi.sessionManager;
-        if (sessionManager) {
-          await sessionManager("admin").invalidateRefreshToken(String(user.id));
-        }
-      }
-    }
-    ctx.status = 200;
-    ctx.body = "";
-  } catch (e) {
-    strapi.log.error("Backchannel logout failed:", e);
-    ctx.status = 400;
-    ctx.body = { error: "Invalid logout_token" };
-  }
-}
 const oidc = {
   oidcSignIn,
   oidcSignInCallback,
-  logout,
-  backchannelLogout
+  logout
 };
 async function find(ctx) {
   const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
@@ -793,12 +660,6 @@ const routes = {
         handler: "oidc.logout",
         config: { auth: false }
       },
-      {
-        method: "POST",
-        path: "/logout",
-        handler: "oidc.backchannelLogout",
-        config: { auth: false }
-      },
       {
         method: "GET",
         path: "/whitelist",

package/dist/server/index.mjs

@@ -1,5 +1,4 @@
 import { randomUUID, randomBytes } from "node:crypto";
-import { jwtVerify, createRemoteJWKSet } from "jose";
 import pkceChallenge from "pkce-challenge";
 import strapiUtils from "@strapi/utils";
 import generator from "generate-password";
@@ -19,17 +18,6 @@ function resolveEnforceOIDC(strapi2, dbValue) {
   if (configValue !== null) return configValue;
   return dbValue ?? false;
 }
-const revoked = /* @__PURE__ */ new Map();
-const CLEANUP_DELAY_MS = 24 * 60 * 60 * 1e3;
-function revokeUser(userId) {
-  revoked.set(userId, Date.now());
-  setTimeout(() => revoked.delete(userId), CLEANUP_DELAY_MS);
-}
-function isUserRevoked(userId, iat) {
-  const logoutTime = revoked.get(userId);
-  if (!logoutTime) return false;
-  return iat * 1e3 <= logoutTime;
-}
 async function bootstrap({ strapi: strapi2 }) {
   const enforceOidcMiddleware = async (ctx, next) => {
     const adminUrl = strapi2.config.get("admin.url", "/admin");
@@ -82,36 +70,9 @@ async function bootstrap({ strapi: strapi2 }) {
     }
     await next();
   };
-  const denylistMiddleware = async (ctx, next) => {
-    const auth = ctx.request.headers.authorization;
-    if (auth?.startsWith("Bearer ")) {
-      try {
-        const payload = JSON.parse(
-          Buffer.from(auth.slice(7).split(".")[1], "base64url").toString()
-        );
-        if (payload.id && isUserRevoked(String(payload.id), payload.iat ?? 0)) {
-          ctx.status = 401;
-          ctx.body = {
-            data: null,
-            error: {
-              status: 401,
-              name: "UnauthorizedError",
-              message: "Session revoked",
-              details: {}
-            }
-          };
-          return;
-        }
-      } catch {
-      }
-    }
-    await next();
-  };
   if (strapi2.server.app && Array.isArray(strapi2.server.app.middleware)) {
     strapi2.server.app.middleware.unshift(enforceOidcMiddleware);
-    strapi2.server.app.middleware.unshift(denylistMiddleware);
   } else {
-    strapi2.server.use(denylistMiddleware);
     strapi2.server.use(enforceOidcMiddleware);
   }
   const actions = [
@@ -202,12 +163,6 @@ const config = {
     OIDC_FAMILY_NAME_FIELD: "family_name",
     OIDC_GIVEN_NAME_FIELD: "given_name",
     OIDC_END_SESSION_ENDPOINT: "",
-    OIDC_POST_LOGOUT_REDIRECT_URI: "",
-    // Where to land after the provider has logged the user out (RP-Initiated Logout)
-    OIDC_ISSUER: "",
-    // Provider issuer URL — used to validate iss claim in backchannel logout tokens
-    OIDC_JWKS_URI: "",
-    // Provider JWKS endpoint — required for backchannel logout token signature verification
     OIDC_SSO_BUTTON_TEXT: "Login via SSO",
     OIDC_ENFORCE: null
     // null = use DB setting; true/false = override DB (useful for lockout recovery)
@@ -260,9 +215,7 @@ function getExpiredCookieOptions(strapi2, ctx) {
 function clearAuthCookies(strapi2, ctx) {
   const options2 = getExpiredCookieOptions(strapi2, ctx);
   ctx.cookies.set("strapi_admin_refresh", "", options2);
-  const rootPathOptions = { ...options2, path: "/" };
-  ctx.cookies.set("oidc_authenticated", "", rootPathOptions);
-  ctx.cookies.set("oidc_id_token", "", rootPathOptions);
+  ctx.cookies.set("oidc_authenticated", "", { ...options2, path: "/" });
 }
 const REQUIRED_CONFIG_KEYS = [
   "OIDC_CLIENT_ID",
@@ -344,8 +297,7 @@ async function exchangeTokenAndFetchUserInfo(config2, params, expectedNonce) {
   if (!userResponse.ok) {
     throw new Error("Failed to fetch user info");
   }
-  const userInfo = await userResponse.json();
-  return { userInfo, idToken: tokenData.id_token };
+  return userResponse.json();
 }
 async function registerNewUser(userService, oauthService2, roleService2, email, userResponseData, whitelistUser, config2, ctx) {
   let roles2 = [];
@@ -411,11 +363,7 @@ async function oidcSignInCallback(ctx) {
   params.append("grant_type", config2.OIDC_GRANT_TYPE);
   params.append("code_verifier", codeVerifier ?? "");
   try {
-    const { userInfo: userResponseData, idToken } = await exchangeTokenAndFetchUserInfo(
-      config2,
-      params,
-      oidcNonce ?? ""
-    );
+    const userResponseData = await exchangeTokenAndFetchUserInfo(config2, params, oidcNonce ?? "");
     const { activateUser, jwtToken } = await handleUserAuthentication(
       userService,
       oauthService2,
@@ -425,15 +373,6 @@ async function oidcSignInCallback(ctx) {
       config2,
       ctx
     );
-    if (idToken) {
-      const isProduction = strapi.config.get("environment") === "production";
-      ctx.cookies.set("oidc_id_token", idToken, {
-        httpOnly: true,
-        secure: isProduction && ctx.request.secure,
-        path: "/",
-        sameSite: "lax"
-      });
-    }
     const nonce = randomUUID();
     const html = oauthService2.renderSignUpSuccess(jwtToken, activateUser, nonce);
     ctx.set("Content-Security-Policy", `script-src 'nonce-${nonce}'`);
@@ -447,90 +386,18 @@ async function logout(ctx) {
   const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
   const logoutUrl = config2.OIDC_END_SESSION_ENDPOINT;
   const isOidcSession = !!ctx.cookies.get("oidc_authenticated");
-  const idToken = ctx.cookies.get("oidc_id_token");
   clearAuthCookies(strapi, ctx);
   if (logoutUrl && isOidcSession) {
-    const url = new URL(logoutUrl);
-    if (idToken) url.searchParams.set("id_token_hint", idToken);
-    if (config2.OIDC_POST_LOGOUT_REDIRECT_URI) {
-      url.searchParams.set("post_logout_redirect_uri", config2.OIDC_POST_LOGOUT_REDIRECT_URI);
-    }
-    ctx.redirect(url.toString());
+    ctx.redirect(logoutUrl);
   } else {
     const adminPanelUrl = strapi.config.get("admin.url", "/admin");
     ctx.redirect(`${adminPanelUrl}/auth/login`);
   }
 }
-const jwksCache = /* @__PURE__ */ new Map();
-function getJWKS(uri) {
-  const cached = jwksCache.get(uri);
-  if (cached) return cached;
-  const jwks = createRemoteJWKSet(new URL(uri));
-  jwksCache.set(uri, jwks);
-  return jwks;
-}
-async function backchannelLogout(ctx) {
-  const config2 = strapi.config.get("plugin::strapi-plugin-oidc");
-  const logoutToken = ctx.request.body?.logout_token;
-  if (!logoutToken) {
-    ctx.status = 400;
-    ctx.body = { error: "Missing logout_token" };
-    return;
-  }
-  if (!config2.OIDC_JWKS_URI || !config2.OIDC_ISSUER) {
-    ctx.status = 501;
-    ctx.body = {
-      error: "OIDC_JWKS_URI and OIDC_ISSUER must both be configured to enable backchannel logout"
-    };
-    return;
-  }
-  try {
-    const JWKS = getJWKS(config2.OIDC_JWKS_URI);
-    const verifyOptions = {
-      issuer: config2.OIDC_ISSUER,
-      audience: config2.OIDC_CLIENT_ID || void 0
-    };
-    const { payload } = await jwtVerify(logoutToken, JWKS, verifyOptions);
-    if ("nonce" in payload) {
-      ctx.status = 400;
-      ctx.body = { error: "logout_token must not contain nonce" };
-      return;
-    }
-    const events = payload.events;
-    if (!events?.["http://schemas.openid.net/event/backchannel-logout"]) {
-      ctx.status = 400;
-      ctx.body = { error: "logout_token missing backchannel-logout event" };
-      return;
-    }
-    if (!payload.sub && !("sid" in payload)) {
-      ctx.status = 400;
-      ctx.body = { error: "logout_token must contain sub or sid" };
-      return;
-    }
-    if (payload.sub) {
-      const userService = strapi.service("admin::user");
-      const user = await userService.findOneByEmail(payload.sub);
-      if (user) {
-        revokeUser(String(user.id));
-        const sessionManager = strapi.sessionManager;
-        if (sessionManager) {
-          await sessionManager("admin").invalidateRefreshToken(String(user.id));
-        }
-      }
-    }
-    ctx.status = 200;
-    ctx.body = "";
-  } catch (e) {
-    strapi.log.error("Backchannel logout failed:", e);
-    ctx.status = 400;
-    ctx.body = { error: "Invalid logout_token" };
-  }
-}
 const oidc = {
   oidcSignIn,
   oidcSignInCallback,
-  logout,
-  backchannelLogout
+  logout
 };
 async function find(ctx) {
   const roleService2 = strapi.plugin("strapi-plugin-oidc").service("role");
@@ -787,12 +654,6 @@ const routes = {
         handler: "oidc.logout",
         config: { auth: false }
       },
-      {
-        method: "POST",
-        path: "/logout",
-        handler: "oidc.backchannelLogout",
-        config: { auth: false }
-      },
       {
         method: "GET",
         path: "/whitelist",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.5.1",
+  "version": "1.5.2",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",
@@ -50,7 +50,6 @@
     "@strapi/icons": "^2.2.0",
     "@strapi/utils": "^5.41.1",
     "generate-password": "^1.7.1",
-    "jose": "^6.2.2",
     "pkce-challenge": "^6.0.0",
     "react-intl": "^6.8.9"
   },
@@ -82,8 +81,6 @@
     "@eslint/eslintrc": "^3.3.5",
     "@eslint/js": "^10.0.1",
     "@strapi/sdk-plugin": "^6.0.1",
-    "@strapi/types": "^5.41.1",
-    "@types/koa": "^2.16.4",
     "@types/node": "^25.5.2",
     "@types/supertest": "^7.2.0",
     "@vitest/coverage-v8": "^4.1.2",