Delete keycloak session and Django session if user is self logging out

Author: davinotdavid

assets/app/vue/views/MailView/views/SecuritySettingsView/components/AccountActivity.vue

@@ -24,7 +24,10 @@ const signOut = async (id: string) => {
   if (window.confirm(t('views.mail.views.securitySettings.signOutConfirmation'))) {
     try {
       await signOutSession(id);
-      window.location.href = '/';
+
+      // Reload to refresh the data
+      // and auto-redirect to home in case the user signed themselves out
+      window.location.reload();
     } catch (error) {
       console.log(error);
       errorMessage.value = t('views.mail.views.securitySettings.errorSigningOutSession', { error: error });

src/thunderbird_accounts/authentication/api.py

@@ -1,9 +1,12 @@
+import logging
+
 from rest_framework.decorators import api_view, authentication_classes
 from rest_framework.authentication import SessionAuthentication
 from rest_framework.exceptions import NotAuthenticated, ValidationError
 from rest_framework.request import Request
 from rest_framework.response import Response
 
+from thunderbird_accounts.authentication.middleware import AccountsOIDCBackend
 from thunderbird_accounts.authentication.serializers import UserProfileSerializer
 from thunderbird_accounts.authentication.clients import KeycloakClient
 
@@ -25,19 +28,10 @@ def get_active_sessions(request: Request):
         keycloak_client = KeycloakClient()
         sessions = keycloak_client.get_active_sessions(request.user.oidc_id)
 
-        # Print all keys from request.session
-        print(request.session.keys())
-        print(request.session.items())
-        print(request.session.values())
-        print(request.session.get('session_id'))
-        print(request.session.get('session_key'))
-        print(request.session.get('session_data'))
-        print(request.session.get('session_expiry'))
-        print(request.session.get('session_created'))
-        print(request.session.get('session_updated'))
         return Response(sessions)
     except Exception as e:
-        raise ValidationError(f'Error fetching active sessions: {e}')
+        logging.exception(f'Error fetching active sessions: {e}')
+        raise ValidationError('Error fetching active sessions')
 
 
 @api_view(['POST'])
@@ -51,8 +45,30 @@ def sign_out_session(request: Request):
     if not session_id:
         raise ValidationError('session_id is required')
 
+    oidc_id_token = request.session.get('oidc_id_token')
+
+    if not oidc_id_token:
+        raise ValidationError('No oidc_id_token found in session')
+
     try:
+        # Sign out from the Keycloak session
         keycloak_client = KeycloakClient()
-        return Response(keycloak_client.sign_out_session(session_id))
+        keycloak_client.sign_out_session(session_id)
+
+        # Verify if the request's keycloak session_id matches the one in the ID token
+        auth_backend = AccountsOIDCBackend()
+        payload = auth_backend.verify_token(oidc_id_token)
+        keycloak_session_id = payload.get('sid')
+
+        if not keycloak_session_id:
+            raise ValidationError("'sid' claim not found in ID token. Did you enable back-channel logout in Keycloak?")
+
+        if keycloak_session_id == session_id:
+            # If so, delete current session data and cookie from Django as well
+            request.session.flush()
+
+        return Response({'success': True})
+
     except Exception as e:
-        raise ValidationError(f'Error signing out session: {e}')
+        logging.exception(f'Error signing out session: {e}')
+        raise ValidationError('Error signing out session')

src/thunderbird_accounts/settings.py

@@ -323,6 +323,8 @@ def before_send(event: Event, hint: Hint) -> Event | None:
     OIDC_OP_JWKS_ENDPOINT = os.getenv('OIDC_URL_JWKS')
     OIDC_STORE_ACCESS_TOKEN = True  # Needed to talk to jmap
     ALLOW_LOGOUT_GET_METHOD = True
+    OIDC_STORE_ID_TOKEN = True # Needed to store the ID token in the session for session verification
+    OIDC_USE_NONCE = False # Needed for .verify_token() check on the OIDC backend for session verification
 
     def oidc_logout(request):
         return f'{os.getenv("OIDC_URL_LOGOUT")}?client_id={OIDC_RP_CLIENT_ID}'
@@ -346,6 +348,8 @@ def oidc_logout(request):
     OIDC_OP_TOKEN_ENDPOINT = None
     OIDC_OP_USER_ENDPOINT = None
     OIDC_OP_JWKS_ENDPOINT = None
+    OIDC_STORE_ID_TOKEN = None
+    OIDC_USE_NONCE = None
 
 STALWART_BASE_JMAP_URL = os.getenv('STALWART_BASE_JMAP_URL')
 STALWART_BASE_API_URL = os.getenv('STALWART_BASE_API_URL')