Files
codit/backend/migrations/006_oidc_backchannel_logout.sql

9 lines
594 B
SQL

-- OIDC back-channel logout support.
-- The provider issuer identifies the IdP (validated against the logout token's
-- `iss` and used for OIDC discovery of the JWKS). The session sid records the
-- IdP session id (`sid`) captured from the ID token at login, so a back-channel
-- logout token scoped to a `sid` can terminate exactly the matching session(s).
ALTER TABLE auth_providers ADD COLUMN oidc_issuer TEXT NOT NULL DEFAULT '';
ALTER TABLE sessions ADD COLUMN oidc_sid TEXT NOT NULL DEFAULT '';
CREATE INDEX IF NOT EXISTS idx_sessions_oidc_sid ON sessions(oidc_sid) WHERE oidc_sid != '';