refactor(oidc): Remove support for OIDC RP-Initiated logout

Token revocation was split out from MSC2964 to MSC4254, and RP-Initiated logout is now mentioned only as an alternative. Signed-off-by: Kévin Commaille <[email protected]>
matrix-org · Feb 24, 2025 · d4b92de · d4b92de
1 parent 25d3999
commit d4b92de
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 159 deletions.
diff --git a/bindings/matrix-sdk-ffi/src/client.rs b/bindings/matrix-sdk-ffi/src/client.rs
@@ -800,10 +800,8 @@ impl Client {
         Ok(Arc::new(session_verification_controller))
     }
 
-    /// Log out the current user. This method returns an optional URL that
-    /// should be presented to the user to complete logout (in the case of
-    /// Session having been authenticated using OIDC).
-    pub async fn logout(&self) -> Result<Option<String>, ClientError> {
+    /// Log the current user out.
+    pub async fn logout(&self) -> Result<(), ClientError> {
         let Some(auth_api) = self.inner.auth_api() else {
             return Err(anyhow!("Missing authentication API").into());
         };
@@ -812,19 +810,13 @@ impl Client {
             AuthApi::Matrix(a) => {
                 tracing::info!("Logging out via the homeserver.");
                 a.logout().await?;
-                Ok(None)
+                Ok(())
             }
 
             AuthApi::Oidc(api) => {
                 tracing::info!("Logging out via OIDC.");
-                let end_session_builder = api.logout().await?;
-
-                if let Some(builder) = end_session_builder {
-                    let url = builder.build()?.url;
-                    return Ok(Some(url.to_string()));
-                }
-
-                Ok(None)
+                api.logout().await?;
+                Ok(())
             }
             _ => Err(anyhow!("Unknown authentication API").into()),
         }

diff --git a/crates/matrix-sdk/src/authentication/oidc/cross_process.rs b/crates/matrix-sdk/src/authentication/oidc/cross_process.rs
@@ -609,11 +609,7 @@ mod tests {
         // Restore the session.
         oidc.restore_session(tests::mock_session(tokens.clone())).await?;
 
-        let end_session_builder = oidc.logout().await?;
-
-        // No end session builder because our test impl doesn't provide an end session
-        // endpoint.
-        assert!(end_session_builder.is_none());
+        oidc.logout().await?;
 
         // Both the access token and the refresh tokens have been invalidated.
         {

diff --git a/crates/matrix-sdk/src/authentication/oidc/end_session_builder.rs b/crates/matrix-sdk/src/authentication/oidc/end_session_builder.rs
diff --git a/crates/matrix-sdk/src/authentication/oidc/mod.rs b/crates/matrix-sdk/src/authentication/oidc/mod.rs
@@ -183,7 +183,6 @@ mod auth_code_builder;
 mod backend;
 mod cross_process;
 mod data_serde;
-mod end_session_builder;
 #[cfg(all(feature = "e2e-encryption", not(target_arch = "wasm32")))]
 pub mod qrcode;
 pub mod registrations;
@@ -193,7 +192,6 @@ mod tests;
 pub use self::{
     auth_code_builder::{OidcAuthCodeUrlBuilder, OidcAuthorizationData},
     cross_process::CrossProcessRefreshLockError,
-    end_session_builder::{OidcEndSessionData, OidcEndSessionUrlBuilder},
 };
 use self::{
     backend::{server::OidcServer, OidcBackend},
@@ -1469,13 +1467,7 @@ impl Oidc {
     }
 
     /// Log out from the currently authenticated session.
-    ///
-    /// On success, if the provider supports [RP-Initiated Logout], an
-    /// [`OidcEndSessionUrlBuilder`] will be provided to build the URL allowing
-    /// the user to log out from their account in the provider's interface.
-    ///
-    /// [RP-Initiated Logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0.html
-    pub async fn logout(&self) -> Result<Option<OidcEndSessionUrlBuilder>, OidcError> {
+    pub async fn logout(&self) -> Result<(), OidcError> {
         let provider_metadata = self.provider_metadata().await?;
         let client_credentials = self.data().ok_or(OidcError::NotAuthenticated)?.credentials();
 
@@ -1506,20 +1498,11 @@ impl Oidc {
                 .await?;
         }
 
-        let end_session_builder =
-            provider_metadata.end_session_endpoint.clone().map(|end_session_endpoint| {
-                OidcEndSessionUrlBuilder::new(
-                    self.clone(),
-                    end_session_endpoint,
-                    client_credentials.client_id().to_owned(),
-                )
-            });
-
         if let Some(manager) = self.ctx().cross_process_token_refresh_manager.get() {
             manager.on_logout().await?;
         }
 
-        Ok(end_session_builder)
+        Ok(())
     }
 }
 

diff --git a/examples/oidc_cli/src/main.rs b/examples/oidc_cli/src/main.rs
@@ -610,22 +610,13 @@ impl OidcCli {
     /// Log out from this session.
     async fn logout(&self) -> anyhow::Result<()> {
         // Log out via OIDC.
-        let url_builder = self.client.oidc().logout().await?;
+        self.client.oidc().logout().await?;
 
         // Delete the stored session and database.
         let data_dir = self.session_file.parent().expect("The file has a parent directory");
         fs::remove_dir_all(data_dir).await?;
 
         println!("\nLogged out successfully");
-
-        if let Some(url_builder) = url_builder {
-            let data = url_builder.build()?;
-            println!(
-                "\nTo log out from your account in the provider's interface, visit: {}",
-                data.url
-            );
-        }
-
         println!("\nExiting…");
 
         Ok(())