Bind OIDC logout URLs to the requesting session #1313
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6e22fdc6a8
8e359d2 to d52f0fa
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 823c469ed6
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6521bb49c3
Logout URLs were signed only over the redirect target and a timestamp, so any valid, unexpired logout URL would clear whoever's cookies followed it. The logout signature now also covers the caller's sqlpage_auth cookie, so a logout URL only logs out the session it was issued for. Generation and verification select the same cookie (the last of any duplicates, matching how RequestInfo merges them) so the check stays consistent.
6521bb4 to 20f78f8
OIDC logout URLs were not session-bound (forced logout)
A logout URL signed only the redirect target and a timestamp, so any valid, unexpired logout URL cleared whoever's cookies followed it. Impact is forced logout, not account takeover.
The signature now also covers the caller's `sqlpage_auth` cookie, so a logout URL only logs out the session it was issued for. Generation and verification select the same cookie (the last of any duplicates, matching how `RequestInfo` merges them), keeping the check consistent.

Out of scope: an attacker who can plant cookies on the origin, per SECURITY.md. Unit + mock-IdP integration tests cover session-bound logout and the duplicate-cookie selection. `cargo test --test mod oidc` (12 tests) and clippy pass.
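The scheme described in this PR, as an added illustration in Python rather than SQLPage's own Rust code: the logout signature is an HMAC over the redirect target, the timestamp and the selected `sqlpage_auth` cookie, and both signing and verification pick the last duplicate cookie. The query layout, the newline-joined message format, the cookie-header parsing and the 300-second validity window are assumptions of this example, not details taken from the project.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

COOKIE_NAME = "sqlpage_auth"
MAX_AGE_SECONDS = 300  # assumed validity window for a logout URL


def select_auth_cookie(cookie_header: str):
    """Return the value of the last sqlpage_auth cookie in the header.

    Both signing and verification must use this same selection so that
    duplicate cookies cannot make the two sides disagree (assumed to
    mirror the 'last one wins' merge the PR describes for RequestInfo).
    """
    value = None
    for part in cookie_header.split(";"):
        name, _, val = part.strip().partition("=")
        if name == COOKIE_NAME:
            value = val  # later duplicates overwrite earlier ones
    return value


def _message(redirect: str, ts: int, cookie) -> bytes:
    # Session binding: the cookie is part of the signed message, so a URL
    # minted for one session fails verification under any other cookie.
    return "\n".join([redirect, str(ts), cookie or ""]).encode()


def sign_logout_url(secret: bytes, redirect: str, cookie_header: str, now: int) -> str:
    cookie = select_auth_cookie(cookie_header)
    sig = hmac.new(secret, _message(redirect, now, cookie), hashlib.sha256).hexdigest()
    return "/logout?" + urlencode({"redirect": redirect, "ts": now, "sig": sig})


def verify_logout_url(secret: bytes, url: str, cookie_header: str, now: int) -> bool:
    q = parse_qs(urlparse(url).query)
    try:
        redirect, ts, sig = q["redirect"][0], int(q["ts"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False
    if not 0 <= now - ts <= MAX_AGE_SECONDS:
        return False  # expired or from the future
    cookie = select_auth_cookie(cookie_header)
    expected = hmac.new(secret, _message(redirect, ts, cookie), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison
```

A URL signed for one session verifies only when presented with that same cookie; presenting it with another browser's cookie, with a tampered redirect, or after the window has elapsed fails.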