Skip to content

SSO: Login/Logout#276

Draft
louispt1 wants to merge 3 commits into
masterfrom
sso
Draft

SSO: Login/Logout#276
louispt1 wants to merge 3 commits into
masterfrom
sso

Conversation

@louispt1

@louispt1 louispt1 commented Jul 6, 2026

Copy link
Copy Markdown
Member

Context

Mint and refresh the shared etm_session JWT cookie, single-logout support

  • Adds JwtSesssionCookies: mints the three relevant session cookies: etm_session, etm_refresh and etm_session_exp from an app-less Doorkeeper access token on sign in, and refreshes them using Doorkeeper::OAuth::RefreshTokenRequest with an explicit revocation of the old token (overriding Doorkeeper's default lazy rotation-with-reuse detection)
    • This is wired into users/sessions_controller and a new browser_sessions_controller (refresh endpoint) and a session-keeper stimulus controller that keeps myetm's own sessions alive
  • Adds RevokeUserSessions - invoked on logout, for single logout everywhere
  • Fixes doorkeeper_jwt.rb: token_payload was using the application's configured scopes instead of the token's own granted scopes whenever an application was present, and now branches the audience on the "roles" scope so the session cookie (valid for every ETM app) and PATs (engine-only) get correctly scoped audiences. Also switches the JWT's kid to reuse Doorkeeper::OpenidConnect's own key id instead of independently deriving one, so it matches what /oauth/discovery/keys actually publishes.
  • Adds CORS for credentialed session-cookie requests and pre-fetches the JWKS in development to avoid the single-process deadlock on first request.

Related - Goes with the other SSO: Login/Logout PRs:

identity rails
etengine
etmodel
myetm
collections
ETLauncher

Checklist

  • I have tested these changes --> NOTE: These changes were tested on the ETLauncher bridge network. Testing the federated cookie setup on the standard dev setup will not work because cookies cannot be federated across localhost as a domain
  • I have updated documentation as needed (comments only)
  • I have tagged the relevant people for review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant