fix issue with logout url (#112)

* fix(logout): handle logout requests before OIDC initialization

- [x] Add debug logging to logout handler entry point
- [x] Move logout path check before OIDC initialization to enable logout when provider unavailable
- [x] Move excluded URL and SSE checks before initialization wait
- [x] Add debug logging for initialization wait to diagnose hanging requests
- [x] Add test for logout functionality without OIDC provider availability

* feat(logout): implement OIDC backchannel and front-channel logout

- [x] Add logout token validation and backchannel logout handler
- [x] Add front-channel logout handler with iframe support
- [x] Implement session invalidation cache for distributed deployments
- [x] Add comprehensive logout token claim verification (issuer, audience, events, iat, sid/sub)
- [x] Integrate session invalidation checks into authorization flow
- [x] Add configuration options for enabling backchannel/front-channel logout
- [x] Add extensive test coverage for logout flows and edge cases
- [x] Update documentation with logout configuration examples
- [x] Add middleware routing for logout endpoints
- [x] Extend cache manager with session invalidation cache support

Resolves #110

* fixup! feat(logout): implement OIDC backchannel and front-channel logout

* fixup! Merge branch 'main' into fix-issue-with-logout-url

universal_cache_singleton.go

@@ -13,21 +13,22 @@ import (
 // It runs a single consolidated cleanup goroutine for all caches, reducing
 // goroutine count and CPU overhead compared to per-cache cleanup routines.
 type UniversalCacheManager struct {
-	sharedBackend       backends.CacheBackend
-	ctx                 context.Context
-	tokenTypeCache      *UniversalCache
-	jwkCache            *UniversalCache
-	sessionCache        *UniversalCache
-	introspectionCache  *UniversalCache
-	tokenCache          *UniversalCache
-	metadataCache       *UniversalCache
-	dcrCredentialsCache *UniversalCache // DCR credentials storage for distributed environments
-	logger              *Logger
-	blacklistCache      *UniversalCache
-	cancel              context.CancelFunc
-	wg                  sync.WaitGroup
-	mu                  sync.RWMutex
-	cleanupStarted      bool
+	sharedBackend            backends.CacheBackend
+	ctx                      context.Context
+	tokenTypeCache           *UniversalCache
+	jwkCache                 *UniversalCache
+	sessionCache             *UniversalCache
+	introspectionCache       *UniversalCache
+	tokenCache               *UniversalCache
+	metadataCache            *UniversalCache
+	dcrCredentialsCache      *UniversalCache // DCR credentials storage for distributed environments
+	sessionInvalidationCache *UniversalCache // Session invalidation cache for backchannel/front-channel logout
+	logger                   *Logger
+	blacklistCache           *UniversalCache
+	cancel                   context.CancelFunc
+	wg                       sync.WaitGroup
+	mu                       sync.RWMutex
+	cleanupStarted           bool
 }
 
 var (
@@ -170,6 +171,16 @@ func initializeDefaultCaches(manager *UniversalCacheManager, logger *Logger) {
 		Logger:          logger,
 		SkipAutoCleanup: true, // Managed cleanup
 	})
+
+	// Initialize session invalidation cache for backchannel/front-channel logout
+	// This cache stores invalidated session IDs and subjects to revoke sessions
+	manager.sessionInvalidationCache = NewUniversalCache(UniversalCacheConfig{
+		Type:            CacheTypeSession,
+		MaxSize:         5000,           // Support many concurrent invalidations
+		DefaultTTL:      25 * time.Hour, // Slightly longer than session max age (24h)
+		Logger:          logger,
+		SkipAutoCleanup: true, // Managed cleanup
+	})
 }
 
 // initializeCachesWithRedis initializes caches with Redis/Hybrid backends based on configuration
@@ -363,6 +374,19 @@ func initializeCachesWithRedis(manager *UniversalCacheManager, logger *Logger, r
 		createBackend("dcr"),
 	)
 
+	// Session invalidation cache - CRITICAL for distributed backchannel/front-channel logout
+	// Uses Redis backend to share session invalidations across all Traefik replicas
+	manager.sessionInvalidationCache = NewUniversalCacheWithBackend(
+		UniversalCacheConfig{
+			Type:            CacheTypeSession,
+			MaxSize:         5000,           // Support many concurrent invalidations
+			DefaultTTL:      25 * time.Hour, // Slightly longer than session max age (24h)
+			Logger:          logger,
+			SkipAutoCleanup: true, // Managed cleanup
+		},
+		createBackend("session_invalidation"),
+	)
+
 	logger.Infof("Cache manager initialized with %s backend configuration", redisConfig.CacheMode)
 }
 
@@ -411,6 +435,7 @@ func (m *UniversalCacheManager) performConsolidatedCleanup() {
 		m.introspectionCache,
 		m.tokenTypeCache,
 		m.dcrCredentialsCache,
+		m.sessionInvalidationCache,
 	}
 	m.mu.RUnlock()
 
@@ -452,13 +477,6 @@ func (m *UniversalCacheManager) GetJWKCache() *UniversalCache {
 	return m.jwkCache
 }
 
-// GetSessionCache returns the session cache
-func (m *UniversalCacheManager) GetSessionCache() *UniversalCache {
-	m.mu.RLock()
-	defer m.mu.RUnlock()
-	return m.sessionCache
-}
-
 // GetIntrospectionCache returns the token introspection cache
 func (m *UniversalCacheManager) GetIntrospectionCache() *UniversalCache {
 	m.mu.RLock()
@@ -473,6 +491,13 @@ func (m *UniversalCacheManager) GetTokenTypeCache() *UniversalCache {
 	return m.tokenTypeCache
 }
 
+// GetSessionInvalidationCache returns the session invalidation cache for backchannel/front-channel logout
+func (m *UniversalCacheManager) GetSessionInvalidationCache() *UniversalCache {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+	return m.sessionInvalidationCache
+}
+
 // GetDCRCredentialsCache returns the DCR credentials cache for distributed storage
 func (m *UniversalCacheManager) GetDCRCredentialsCache() *UniversalCache {
 	m.mu.RLock()
@@ -495,7 +520,7 @@ func (m *UniversalCacheManager) Close() error {
 
 	// Close all caches first (they won't close the shared backend)
 	for _, cache := range []*UniversalCache{
-		m.tokenCache, m.blacklistCache, m.metadataCache, m.jwkCache, m.sessionCache, m.introspectionCache, m.tokenTypeCache, m.dcrCredentialsCache,
+		m.tokenCache, m.blacklistCache, m.metadataCache, m.jwkCache, m.sessionCache, m.introspectionCache, m.tokenTypeCache, m.dcrCredentialsCache, m.sessionInvalidationCache,
 	} {
 		if cache != nil {
 			_ = cache.Close() // Safe to ignore: best effort cache cleanup
@@ -516,35 +541,6 @@ func (m *UniversalCacheManager) Close() error {
 	return nil
 }
 
-// InitializeCacheManagerFromConfig initializes the cache manager with configuration
-// This should be called early in the application startup with the loaded configuration
-func InitializeCacheManagerFromConfig(config *Config) *UniversalCacheManager {
-	logger := NewLogger(config.LogLevel)
-
-	// Initialize Redis config if not present
-	if config.Redis == nil {
-		config.Redis = &RedisConfig{}
-	}
-
-	// Apply environment variable fallbacks for fields not set in config
-	// This allows env vars to be used as optional overrides only when
-	// the config field is not explicitly set through Traefik
-	config.Redis.ApplyEnvFallbacks()
-
-	// Apply defaults after env fallbacks
-	config.Redis.ApplyDefaults()
-
-	// Log cache backend selection
-	if config.Redis != nil && config.Redis.Enabled {
-		logger.Infof("Initializing cache backend with Redis: mode=%s, address=%s",
-			config.Redis.CacheMode, config.Redis.Address)
-	} else {
-		logger.Info("Initializing cache backend with memory-only mode")
-	}
-
-	return GetUniversalCacheManagerWithConfig(logger, config.Redis)
-}
-
 // ResetUniversalCacheManagerForTesting resets the singleton for testing purposes only
 // This should only be called in test code to ensure proper cleanup between tests
 func ResetUniversalCacheManagerForTesting() {