endsession

package

v2.2.0 Latest Latest Go to latest Published: Jun 21, 2026 License: Apache-2.0 Imports: 11 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/roidmc/kexcore-oidc

Links

Open Source Insights

Documentation ¶

Overview ¶

Package endsession implements the OIDC RP-Initiated Logout endpoint plugin.

It handles GET/POST /end_session (OIDC Session Management §5), allowing relying parties to initiate logout of the end-user.

Index ¶

type Config
type LogoutHook
type LogoutHookFunc
- func (f LogoutHookFunc) PostLogout(ctx context.Context, userID, clientID, sid string)
type Plugin
- func New(ctx *storm.PluginContext) *Plugin
- func NewWithConfig(cfg Config) *Plugin

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Config ¶

type Config struct {
	Store            storm.SessionStore
	ClientStore      storm.ClientStore
	KeyStore         protocol.KeyStore
	DefaultLogoutURI string
	// Offset is the clock skew tolerance for token validation (default: 0).
	Offset time.Duration
	// MaxAgeIAT is the maximum allowed age of the id_token_hint's iat claim.
	// Per OIDC Session Management §5, expired tokens can still be trusted for logout.
	// Set to 0 to disable iat_max_age checking.
	MaxAgeIAT time.Duration
	// MaxAge is the maximum allowed time since auth_time.
	// Set to 0 to disable auth_time max_age checking.
	MaxAge  time.Duration
	Decoder *protocol.Decoder
	// LogoutHook is called after a session is terminated.
	// Use this to trigger back-channel logout, audit logging, etc.
	LogoutHook LogoutHook
	// LogoutTemplate overrides the default logout HTML template.
	// The template receives a map with "Title", "Heading", and "Message" keys.
	// If nil, the embedded default template is used.
	LogoutTemplate *template.Template
}

Config holds the dependencies for the EndSession plugin.

type LogoutHook ¶

type LogoutHook interface {
	PostLogout(ctx context.Context, userID, clientID, sid string)
}

LogoutHook is called after a session is terminated. Implementations can use this to trigger back-channel logout, audit logging, or other post-logout actions.

type LogoutHookFunc ¶

type LogoutHookFunc func(ctx context.Context, userID, clientID, sid string)

LogoutHookFunc is a convenience adapter for LogoutHook.

func (LogoutHookFunc) PostLogout ¶

func (f LogoutHookFunc) PostLogout(ctx context.Context, userID, clientID, sid string)

type Plugin ¶

type Plugin struct {
	// contains filtered or unexported fields
}

Plugin implements the OIDC End Session endpoint.

func New ¶

func New(ctx *storm.PluginContext) *Plugin

New creates a new EndSession plugin from a PluginContext.

func NewWithConfig ¶

func NewWithConfig(cfg Config) *Plugin

NewWithConfig creates a new EndSession plugin with explicit config.

func (*Plugin) Category ¶

func (p *Plugin) Category() storm.PluginCategory

Category returns CategoryStandard — endsession is optional but enabled by default.

func (*Plugin) Contribute ¶

func (p *Plugin) Contribute(ctx context.Context, cfg *protocol.DiscoveryConfiguration)

Contribute returns the discovery fields for the end_session endpoint.

func (*Plugin) Name ¶

func (p *Plugin) Name() string

Name returns the plugin name.

func (*Plugin) Register ¶

func (p *Plugin) Register(r chi.Router)

Register installs the /end_session route.

OIDC standard endpoint: GET/POST /end_session (OIDC Session Management §5)

func (*Plugin) Requires ¶

func (p *Plugin) Requires() []string

Requires returns the storage dependencies.

func (*Plugin) SetLogoutHook ¶

func (p *Plugin) SetLogoutHook(hook interface{})

SetLogoutHook sets the logout hook for post-logout actions. This is used by Engine to auto-connect BackChannel plugin.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL