Front Channel Logout (#9958)

Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com>
Co-authored-by: changelog-bot <changelog-bot>

changelog/v1.18.0-beta20/fc_logout.yaml

@@ -0,0 +1,6 @@
+changelog:
+  - type: NON_USER_FACING
+    issueLink: https://github.com/solo-io/gloo/issues/9510
+    resolvesIssue: false
+    description: >-
+      Add API support for OIDC [Front Channel Logout](https://openid.net/specs/openid-connect-frontchannel-1_0-final.html) with the OidcAuthorizationCode.FrontChannelLogout field

docs/content/guides/security/auth/extauth/oauth/_index.md

@@ -170,6 +170,39 @@ You can also override the revocation endpoint through the [DiscoveryOverride fie
 If the authorization server has a service error, Gloo logs out the user, but does not retry revoking the access token. Check the logs and your identity provider for errors, and manually revoke the access token.
 {{% /notice %}}
 
+### Front Channel Logout
+
+Gloo also supports Front Channel Logout [RFC](https://openid.net/specs/openid-connect-frontchannel-1_0-final.html). Front channel logout is used when the OpenId provider is handling multiple logged in sessions and the logout endpoint should log out of all of them. The endpoint defined in `frontChannelLogout.path`
+is registered with the OP and is called for each application when the user goes to the `logoutPath` endpoint.
+
+
+{{< highlight yaml "hl_lines=20-21" >}}
+apiVersion: enterprise.gloo.solo.io/v1
+kind: AuthConfig
+metadata:
+  name: oidc-dex
+  namespace: gloo-system
+spec:
+  configs:
+  - oauth2:
+      oidcAuthorizationCode:
+        appUrl: http://localhost:8080/
+        callbackPath: /callback
+        clientId: gloo
+        clientSecretRef:
+          name: oauth
+          namespace: gloo-system
+        issuerUrl: http://dex.gloo-system.svc.cluster.local:32000/
+        scopes:
+        - email
+        logoutPath: /logout
+        frontChannelLogout:
+          path: /front_channel_logout
+{{< /highlight >}}
+
+
+
+
 ## Sessions in Cookies
 
 You can store the ID token, access token, and other tokens that are returned from your OIDC provider in a cookie on the client side. To do this, you configure your cookie options, such as the `keyPrefix` that you want to add to the token name, in the `oauth2.oidcAuthorizationCode.session.cookie` section of your authconfig as shown in the following example. After a client successfully authenticates with the OIDC provider, the tokens are stored in the `Set-Cookie` response header and sent to the client. If you set a `keyPrefix` value in your cookie configuration, the prefix is added to the name of the token before it is sent to the client, such as `Set-Cookie: <myprefix>_id-token=<ID_token>`. To prove successful authentication with the OIDC provider in subsequent requests, clients send their tokens in a `Cookie` header. 

install/helm/gloo/crds/enterprise.gloo.solo.io_v1_AuthConfig.yaml

@@ -649,6 +649,11 @@ spec:
                                   type: string
                                   x-kubernetes-int-or-string: true
                               type: object
+                            frontChannelLogout:
+                              properties:
+                                path:
+                                  type: string
+                              type: object
                             headers:
                               properties:
                                 accessTokenHeader:

projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto

@@ -857,6 +857,16 @@ message OidcAuthorizationCode {
         // To turn on Redis user session caching, use the `userSessionConfig` field.
         RedisOptions claims_caching_options = 4;
     }
+
+    // For the moment this is just path, but we may want to configure things like iss/sid validation
+    message FrontChannelLogout {
+        // Path to use for front channel logout. Should not be the same as logout or callback paths.
+        string path=1;
+    }
+
+    // Configuration for front channel logout. This is used to log out the user from multiple apps/clients associated with one OpenId Provider (OP).
+    // The path is registered with the OP and is called for each app/client that the user is logged into when the logout endpoint is called.
+    FrontChannelLogout front_channel_logout = 28;
 }
 
 message PlainOAuth2 {
@@ -1861,6 +1871,16 @@ message ExtAuthConfig {
             // To turn on Redis user session caching, use the `userSessionConfig` field.
             RedisOptions claims_caching_options = 4;
         }
+
+       // For the moment this is just path, but we may want to configure things like iss/sid validation
+        message FrontChannelLogout {
+            // Path to use for front channel logout. Should not be the same as logout or callback paths.
+            string path=1;
+        }
+
+    // Configuration for front channel logout. This is used to log out the user from multiple apps/clients associated with one OpenId Provider (OP).
+    // The path is registered with the OP and is called for each app/client that the user is logged into when the logout endpoint is called.
+        FrontChannelLogout front_channel_logout = 28;
     }
 
     message AccessTokenValidationConfig {