start front channel logout flow

Author: peconia

app/controllers/rpi_auth/auth_controller.rb

@@ -53,8 +53,67 @@ def failure
       redirect_to '/'
     end
 
+    def frontchannel_logout
+      # Front-channel logout: The identity provider redirects the user's browser here
+      # in an iframe with 'iss' and 'sid' parameters if the Hydra client has been configured to do so.
+      # Since this is a user request, we have their session cookie and can reset the session directly.
+
+      validation_error = validate_frontchannel_logout
+      return head :bad_request if validation_error
+
+      # All validations passed - reset the session
+      reset_session
+      head :ok
+    end
+
     private
 
+    def validate_frontchannel_logout
+      error = check_iframe || check_issuer || check_sid_param || check_current_user || check_sid_match
+      log_validation_error(error) if error
+      error
+    end
+
+    def request_in_iframe?
+      request.headers['Sec-Fetch-Dest'] == 'iframe'
+    end
+
+    def check_iframe
+      return 'request not in iframe' unless request_in_iframe?
+
+      nil
+    end
+
+    def check_issuer
+      iss = params[:iss]
+      return 'issuer mismatch or missing' unless iss && RpiAuth.configuration.issuer.chomp('/') == iss.chomp('/')
+
+      nil
+    end
+
+    def check_sid_param
+      return 'sid parameter missing' unless params[:sid].present?
+
+      nil
+    end
+
+    def check_current_user
+      return 'no current user' unless current_user
+      return 'current user has no sid (old session), rejecting for security' if current_user.sid.nil?
+
+      nil
+    end
+
+    def check_sid_match
+      return nil if current_user.sid == params[:sid]
+
+      "sid mismatch (expected: #{current_user.sid}, got: #{params[:sid]})"
+    end
+
+    def log_validation_error(message)
+      Rails.logger.warn("Front-channel logout: #{message}")
+    end
+
     def run_login_success_callback
       return unless RpiAuth.configuration.on_login_success.is_a?(Proc)
 

config/routes.rb

@@ -9,6 +9,8 @@
 
   get RpiAuth::Engine::CALLBACK_PATH, to: 'rpi_auth/auth#callback', as: 'rpi_auth_callback'
   get RpiAuth::Engine::LOGOUT_PATH, to: 'rpi_auth/auth#destroy', as: 'rpi_auth_logout'
+  get RpiAuth::Engine::FRONTCHANNEL_LOGOUT_PATH, to: 'rpi_auth/auth#frontchannel_logout',
+                                                 as: 'rpi_auth_frontchannel_logout'
 
   # This route can be used in testing to log in, avoiding the need to interact
   # with shadow root in the RPF global nav.

lib/rpi_auth/engine.rb

@@ -12,6 +12,7 @@ class Engine < ::Rails::Engine
     LOGIN_PATH = '/auth/rpi'
     CALLBACK_PATH = '/rpi_auth/auth/callback'
     LOGOUT_PATH = '/rpi_auth/logout'
+    FRONTCHANNEL_LOGOUT_PATH = '/rpi_auth/frontchannel_logout'
     TEST_PATH = '/rpi_auth/test'
 
     ENABLE_TEST_PATH = Rails.env.development? || Rails.env.test?

lib/rpi_auth/models/authenticatable.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require 'json'
+require 'base64'
+
 module RpiAuth
   module Models
     module Authenticatable
@@ -16,6 +19,7 @@ module Authenticatable
         postcode
         profile
         roles
+        sid
       ].freeze
 
       included do
@@ -41,8 +45,37 @@ def from_omniauth(auth)
           args = auth.extra.raw_info.to_h.slice(*PROFILE_KEYS)
           args['user_id'] = auth.uid
 
+          # Extract sid from id_token if not already in raw_info
+          # sid may be nil if not available (backward compatible with old sessions)
+          args['sid'] ||= extract_sid(auth)
+
           new(args)
         end
+
+        private
+
+        def extract_sid(auth)
+          # Decode sid from id_token (raw_info is already checked via slice above)
+          id_token = auth.extra&.id_token || auth.credentials&.id_token
+          return unless id_token
+
+          decode_sid_from_token(id_token)
+        end
+
+        def decode_sid_from_token(id_token)
+          parts = id_token.split('.')
+          return unless parts.length == 3
+
+          payload = parts[1]
+          payload += '=' * (4 - (payload.length % 4)) if payload.length % 4 != 0
+          decoded_payload = Base64.urlsafe_decode64(payload)
+          claims = JSON.parse(decoded_payload)
+
+          claims['sid']
+        rescue StandardError => e
+          Rails.logger.warn("Failed to extract sid from id_token: #{e.message}")
+          nil
+        end
       end
     end
   end