diff options
author | Quentin Gliech <quenting@element.io> | 2022-10-31 18:07:30 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-31 13:07:30 -0400 |
commit | cc3a52b33df72bb4230367536b924a6d1f510d36 (patch) | |
tree | 1a3bf6576c1a4d0239cbe3354fa348793e0b7aaa /synapse/storage/databases | |
parent | Bump sentry-sdk from 1.5.11 to 1.10.1 (#14330) (diff) | |
download | synapse-cc3a52b33df72bb4230367536b924a6d1f510d36.tar.xz |
Support OIDC backchannel logouts (#11414)
If configured an OIDC IdP can log a user's session out of Synapse when they log out of the identity provider. The IdP sends a request directly to Synapse (and must be configured with an endpoint) when a user logs out.
Diffstat (limited to 'synapse/storage/databases')
-rw-r--r-- | synapse/storage/databases/main/registration.py | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/synapse/storage/databases/main/registration.py b/synapse/storage/databases/main/registration.py index 0255295317..5167089e03 100644 --- a/synapse/storage/databases/main/registration.py +++ b/synapse/storage/databases/main/registration.py @@ -1920,6 +1920,27 @@ class RegistrationWorkerStore(CacheInvalidationWorkerStore): self._clock.time_msec(), ) + async def invalidate_login_tokens_by_session_id( + self, auth_provider_id: str, auth_provider_session_id: str + ) -> None: + """Invalidate login tokens with the given IdP session ID. + + Args: + auth_provider_id: The SSO Identity Provider that the user authenticated with + to get this token + auth_provider_session_id: The session ID advertised by the SSO Identity + Provider + """ + await self.db_pool.simple_update( + table="login_tokens", + keyvalues={ + "auth_provider_id": auth_provider_id, + "auth_provider_session_id": auth_provider_session_id, + }, + updatevalues={"used_ts": self._clock.time_msec()}, + desc="invalidate_login_tokens_by_session_id", + ) + @cached() async def is_guest(self, user_id: str) -> bool: res = await self.db_pool.simple_select_one_onecol( |