Bump versoin

Dockerfile

@@ -11,6 +11,8 @@
 ARG RUBY_VERSION=3.4.6
 FROM docker.io/library/ruby:$RUBY_VERSION-slim AS base
 
+LABEL org.opencontainers.image.source=https://github.com/dkam/clinch
+
 # Rails app lives here
 WORKDIR /rails
 

Gemfile

@@ -35,11 +35,11 @@ gem "jwt", "~> 3.1"
 gem "webauthn", "~> 3.0"
 
 # Public Suffix List for domain parsing
-gem "public_suffix", "~> 6.0"
+gem "public_suffix", "~> 7.0"
 
 # Error tracking and performance monitoring (optional, configured via SENTRY_DSN)
-gem "sentry-ruby", "~> 5.18"
+gem "sentry-ruby", "~> 6.2"
-gem "sentry-rails", "~> 5.18"
+gem "sentry-rails", "~> 6.2"
 
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem "tzinfo-data", platforms: %i[ windows jruby ]

Gemfile.lock

@@ -75,8 +75,8 @@ GEM
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
       uri (>= 0.13.1)
-    addressable (2.8.7)
+    addressable (2.8.8)
-      public_suffix (>= 2.0.2, < 7.0)
+      public_suffix (>= 2.0.2, < 8.0)
     android_key_attestation (0.3.0)
     ast (2.4.3)
     base64 (0.3.0)
@@ -85,13 +85,13 @@ GEM
     bigdecimal (3.3.1)
     bindata (2.5.1)
     bindex (0.8.1)
-    bootsnap (1.18.6)
+    bootsnap (1.19.0)
       msgpack (~> 1.2)
-    brakeman (7.1.0)
+    brakeman (7.1.1)
       racc
     builder (3.3.0)
-    bundler-audit (0.9.2)
+    bundler-audit (0.9.3)
-      bundler (>= 1.2.0, < 3)
+      bundler (>= 1.2.0)
       thor (~> 1.0)
     capybara (3.40.0)
       addressable
@@ -107,7 +107,7 @@ GEM
       logger (~> 1.5)
     chunky_png (1.4.0)
     concurrent-ruby (1.3.5)
-    connection_pool (2.5.4)
+    connection_pool (2.5.5)
     cose (1.3.1)
       cbor (~> 0.5.9)
       openssl-signature_algorithm (~> 1.0)
@@ -119,7 +119,7 @@ GEM
     dotenv (3.1.8)
     drb (2.2.3)
     ed25519 (1.4.0)
-    erb (5.1.3)
+    erb (6.0.0)
     erubi (1.13.1)
     ffi (1.17.2-aarch64-linux-gnu)
     ffi (1.17.2-aarch64-linux-musl)
@@ -147,10 +147,10 @@ GEM
     jbuilder (2.14.1)
       actionview (>= 7.0.0)
       activesupport (>= 7.0.0)
-    json (2.15.2)
+    json (2.16.0)
     jwt (3.1.2)
       base64
-    kamal (2.8.1)
+    kamal (2.9.0)
       activesupport (>= 7.0)
       base64 (~> 0.2)
       bcrypt_pbkdf (~> 1.0)
@@ -184,7 +184,7 @@ GEM
     mini_magick (5.3.1)
       logger
     mini_mime (1.1.5)
-    minitest (5.26.0)
+    minitest (5.26.2)
     msgpack (1.8.0)
     net-imap (0.5.12)
       date
@@ -220,7 +220,7 @@ GEM
       openssl (> 2.0)
     ostruct (0.6.3)
     parallel (1.27.0)
-    parser (3.3.9.0)
+    parser (3.3.10.0)
       ast (~> 2.4.1)
       racc
     pp (0.6.3)
@@ -234,7 +234,7 @@ GEM
     psych (5.2.6)
       date
       stringio
-    public_suffix (6.0.2)
+    public_suffix (7.0.0)
     puma (7.1.0)
       nio4r (~> 2.0)
     racc (1.8.1)
@@ -278,20 +278,20 @@ GEM
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
     rake (13.3.1)
-    rdoc (6.15.1)
+    rdoc (6.16.1)
       erb
       psych (>= 4.0.0)
       tsort
     regexp_parser (2.11.3)
-    reline (0.6.2)
+    reline (0.6.3)
       io-console (~> 0.5)
     rexml (3.4.4)
     rotp (6.3.0)
-    rqrcode (3.1.0)
+    rqrcode (3.1.1)
       chunky_png (~> 1.0)
       rqrcode_core (~> 2.0)
-    rqrcode_core (2.0.0)
+    rqrcode_core (2.0.1)
-    rubocop (1.81.6)
+    rubocop (1.81.7)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -302,14 +302,14 @@ GEM
       rubocop-ast (>= 1.47.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.47.1)
+    rubocop-ast (1.48.0)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
     rubocop-performance (1.26.1)
       lint_roller (~> 1.1)
       rubocop (>= 1.75.0, < 2.0)
       rubocop-ast (>= 1.47.1, < 2.0)
-    rubocop-rails (2.33.4)
+    rubocop-rails (2.34.2)
       activesupport (>= 4.2.0)
       lint_roller (~> 1.1)
       rack (>= 1.1)
@@ -323,7 +323,7 @@ GEM
     ruby-vips (2.2.5)
       ffi (~> 1.12)
       logger
-    rubyzip (3.2.1)
+    rubyzip (3.2.2)
     safety_net_attestation (0.5.0)
       jwt (>= 2.0, < 4.0)
     securerandom (0.4.1)
@@ -333,10 +333,10 @@ GEM
       rexml (~> 3.2, >= 3.2.5)
       rubyzip (>= 1.2.2, < 4.0)
       websocket (~> 1.0)
-    sentry-rails (5.28.0)
+    sentry-rails (6.2.0)
-      railties (>= 5.0)
+      railties (>= 5.2.0)
-      sentry-ruby (~> 5.28.0)
+      sentry-ruby (~> 6.2.0)
-    sentry-ruby (5.28.0)
+    sentry-ruby (6.2.0)
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
     solid_cable (3.0.12)
@@ -344,17 +344,17 @@ GEM
       activejob (>= 7.2)
       activerecord (>= 7.2)
       railties (>= 7.2)
-    solid_cache (1.0.8)
+    solid_cache (1.0.10)
       activejob (>= 7.2)
       activerecord (>= 7.2)
       railties (>= 7.2)
-    sqlite3 (2.7.4-aarch64-linux-gnu)
+    sqlite3 (2.8.1-aarch64-linux-gnu)
-    sqlite3 (2.7.4-aarch64-linux-musl)
+    sqlite3 (2.8.1-aarch64-linux-musl)
-    sqlite3 (2.7.4-arm-linux-gnu)
+    sqlite3 (2.8.1-arm-linux-gnu)
-    sqlite3 (2.7.4-arm-linux-musl)
+    sqlite3 (2.8.1-arm-linux-musl)
-    sqlite3 (2.7.4-arm64-darwin)
+    sqlite3 (2.8.1-arm64-darwin)
-    sqlite3 (2.7.4-x86_64-linux-gnu)
+    sqlite3 (2.8.1-x86_64-linux-gnu)
-    sqlite3 (2.7.4-x86_64-linux-musl)
+    sqlite3 (2.8.1-x86_64-linux-musl)
     sshkit (1.24.0)
       base64
       logger
@@ -364,16 +364,16 @@ GEM
       ostruct
     stimulus-rails (1.3.4)
       railties (>= 6.0.0)
-    stringio (3.1.7)
+    stringio (3.1.8)
-    tailwindcss-rails (4.3.0)
+    tailwindcss-rails (4.4.0)
       railties (>= 7.0.0)
       tailwindcss-ruby (~> 4.0)
-    tailwindcss-ruby (4.1.13)
+    tailwindcss-ruby (4.1.16)
-    tailwindcss-ruby (4.1.13-aarch64-linux-gnu)
+    tailwindcss-ruby (4.1.16-aarch64-linux-gnu)
-    tailwindcss-ruby (4.1.13-aarch64-linux-musl)
+    tailwindcss-ruby (4.1.16-aarch64-linux-musl)
-    tailwindcss-ruby (4.1.13-arm64-darwin)
+    tailwindcss-ruby (4.1.16-arm64-darwin)
-    tailwindcss-ruby (4.1.13-x86_64-linux-gnu)
+    tailwindcss-ruby (4.1.16-x86_64-linux-gnu)
-    tailwindcss-ruby (4.1.13-x86_64-linux-musl)
+    tailwindcss-ruby (4.1.16-x86_64-linux-musl)
     thor (1.4.0)
     thruster (0.1.16)
     thruster (0.1.16-aarch64-linux)
@@ -385,7 +385,7 @@ GEM
       openssl (> 2.0)
       openssl-signature_algorithm (~> 1.0)
     tsort (0.2.0)
-    turbo-rails (2.0.17)
+    turbo-rails (2.0.20)
       actionpack (>= 7.1.0)
       railties (>= 7.1.0)
     tzinfo (2.0.6)
@@ -393,7 +393,7 @@ GEM
     unicode-display_width (3.2.0)
       unicode-emoji (~> 4.1)
     unicode-emoji (4.1.0)
-    uri (1.1.0)
+    uri (1.1.1)
     useragent (0.16.11)
     web-console (4.2.1)
       actionview (>= 6.0.0)
@@ -442,15 +442,15 @@ DEPENDENCIES
   kamal
   letter_opener
   propshaft
-  public_suffix (~> 6.0)
+  public_suffix (~> 7.0)
   puma (>= 5.0)
   rails (~> 8.1.1)
   rotp (~> 6.3)
   rqrcode (~> 3.1)
   rubocop-rails-omakase
   selenium-webdriver
-  sentry-rails (~> 5.18)
+  sentry-rails (~> 6.2)
-  sentry-ruby (~> 5.18)
+  sentry-ruby (~> 6.2)
   solid_cable
   solid_cache
   sqlite3 (>= 2.1)

README.md

@@ -15,10 +15,12 @@ I've completed all planned features:
 * Forward Auth configured and working
 * OIDC provider with auto discovery, refresh tokens, and token revocation
 * Configurable token expiry per application (access, refresh, ID tokens)
+* Backchannel Logout
+* Per-application logout / revoke
 * Invite users by email, assign to groups
 * Self managed password reset by email
 * Use Groups to assign Applications ( Family group can access Kavita, Developers can access Gitea )
-* Configurable Group and User custom claims for OIDC token
+* Configurable Group, User & App+User custom claims for OIDC token
 * Display all Applications available to the user on their Dashboard
 * Display all logged in sessions and OIDC logged in sessions
 
@@ -94,6 +96,7 @@ Standard OAuth2/OIDC provider with endpoints:
 
 Features:
 - **Refresh tokens** - Long-lived tokens (30 days default) with automatic rotation and revocation
+- **Token family tracking** - Advanced security detects token replay attacks and revokes compromised token families
 - **Configurable token expiry** - Set access token (5min-24hr), refresh token (1-90 days), and ID token TTL per application
 - **Token security** - BCrypt-hashed tokens, automatic cleanup of expired tokens
 - **Pairwise subject identifiers** - Each user gets a unique, stable `sub` claim per application for enhanced privacy

VERSION

@@ -1 +0,0 @@
-2025.03

app/controllers/active_sessions_controller.rb

@@ -16,16 +16,82 @@ class ActiveSessionsController < ApplicationController
       return
     end
 
+    # Send backchannel logout notification before revoking consent
+    if application.supports_backchannel_logout?
+      BackchannelLogoutJob.perform_later(
+        user_id: @user.id,
+        application_id: application.id,
+        consent_sid: consent.sid
+      )
+      Rails.logger.info "ActiveSessionsController: Enqueued backchannel logout for #{application.name}"
+    end
+
+    # Revoke all tokens for this user-application pair
+    now = Time.current
+    revoked_access_tokens = OidcAccessToken.where(application: application, user: @user, revoked_at: nil)
+                                           .update_all(revoked_at: now)
+    revoked_refresh_tokens = OidcRefreshToken.where(application: application, user: @user, revoked_at: nil)
+                                             .update_all(revoked_at: now)
+
+    Rails.logger.info "ActiveSessionsController: Revoked #{revoked_access_tokens} access tokens and #{revoked_refresh_tokens} refresh tokens for #{application.name}"
+
     # Revoke the consent
     consent.destroy
     redirect_to active_sessions_path, notice: "Successfully revoked access to #{application.name}."
   end
 
+  def logout_from_app
+    @user = Current.session.user
+    application = Application.find(params[:application_id])
+
+    # Check if user has consent for this application
+    consent = @user.oidc_user_consents.find_by(application: application)
+    unless consent
+      redirect_to root_path, alert: "No active session found for this application."
+      return
+    end
+
+    # Send backchannel logout notification
+    if application.supports_backchannel_logout?
+      BackchannelLogoutJob.perform_later(
+        user_id: @user.id,
+        application_id: application.id,
+        consent_sid: consent.sid
+      )
+      Rails.logger.info "ActiveSessionsController: Enqueued backchannel logout for #{application.name}"
+    end
+
+    # Revoke all tokens for this user-application pair
+    now = Time.current
+    revoked_access_tokens = OidcAccessToken.where(application: application, user: @user, revoked_at: nil)
+                                           .update_all(revoked_at: now)
+    revoked_refresh_tokens = OidcRefreshToken.where(application: application, user: @user, revoked_at: nil)
+                                             .update_all(revoked_at: now)
+
+    Rails.logger.info "ActiveSessionsController: Logged out from #{application.name} - revoked #{revoked_access_tokens} access tokens and #{revoked_refresh_tokens} refresh tokens"
+
+    # Keep the consent intact - this is the key difference from revoke_consent
+    redirect_to root_path, notice: "Successfully logged out of #{application.name}."
+  end
+
   def revoke_all_consents
     @user = Current.session.user
-    count = @user.oidc_user_consents.count
+    consents = @user.oidc_user_consents.includes(:application)
+    count = consents.count
 
     if count > 0
+      # Send backchannel logout notifications before revoking consents
+      consents.each do |consent|
+        next unless consent.application.supports_backchannel_logout?
+
+        BackchannelLogoutJob.perform_later(
+          user_id: @user.id,
+          application_id: consent.application.id,
+          consent_sid: consent.sid
+        )
+      end
+      Rails.logger.info "ActiveSessionsController: Enqueued #{count} backchannel logout notifications"
+
       @user.oidc_user_consents.destroy_all
       redirect_to active_sessions_path, notice: "Successfully revoked access to #{count} applications."
     else

app/controllers/admin/applications_controller.rb

@@ -100,6 +100,7 @@ module Admin
       params.require(:application).permit(
         :name, :slug, :app_type, :active, :redirect_uris, :description, :metadata,
         :domain_pattern, :landing_url, :access_token_ttl, :refresh_token_ttl, :id_token_ttl,
+        :icon, :backchannel_logout_uri,
         headers_config: {}
       ).tap do |whitelisted|
         # Remove client_secret from params if present (shouldn't be updated via form)

app/controllers/api/forward_auth_controller.rb

@@ -3,7 +3,7 @@ module Api
     # ForwardAuth endpoints need session storage for return URL
     allow_unauthenticated_access
     skip_before_action :verify_authenticity_token
-    rate_limit to: 100, within: 1.minute, only: :verify, with: -> { head :too_many_requests }
+    # No rate limiting on forward_auth endpoint - proxy middleware hits this frequently
 
     # GET /api/verify
     # This endpoint is called by reverse proxies (Traefik, Caddy, nginx)

app/controllers/oidc_controller.rb

@@ -20,10 +20,12 @@ class OidcController < ApplicationController
       grant_types_supported: ["authorization_code", "refresh_token"],
       subject_types_supported: ["public"],
       id_token_signing_alg_values_supported: ["RS256"],
-      scopes_supported: ["openid", "profile", "email", "groups"],
+      scopes_supported: ["openid", "profile", "email", "groups", "offline_access"],
       token_endpoint_auth_methods_supported: ["client_secret_post", "client_secret_basic"],
       claims_supported: ["sub", "email", "email_verified", "name", "preferred_username", "groups", "admin"],
-      code_challenge_methods_supported: ["plain", "S256"]
+      code_challenge_methods_supported: ["plain", "S256"],
+      backchannel_logout_supported: true,
+      backchannel_logout_session_supported: true
     }
 
     render json: config
@@ -627,6 +629,11 @@ class OidcController < ApplicationController
 
     # If user is authenticated, log them out
     if authenticated?
+      user = Current.session.user
+
+      # Send backchannel logout notifications to all connected applications
+      send_backchannel_logout_notifications(user)
+
       # Invalidate the current session
       Current.session&.destroy
       reset_session
@@ -766,4 +773,26 @@ class OidcController < ApplicationController
       false
     end
   end
+
+  def send_backchannel_logout_notifications(user)
+    # Find all active OIDC consents for this user
+    consents = OidcUserConsent.where(user: user).includes(:application)
+
+    consents.each do |consent|
+      # Skip if application doesn't support backchannel logout
+      next unless consent.application.supports_backchannel_logout?
+
+      # Enqueue background job to send logout notification
+      BackchannelLogoutJob.perform_later(
+        user_id: user.id,
+        application_id: consent.application.id,
+        consent_sid: consent.sid
+      )
+    end
+
+    Rails.logger.info "OidcController: Enqueued #{consents.count} backchannel logout notifications for user #{user.id}"
+  rescue => e
+    # Log error but don't block logout
+    Rails.logger.error "OidcController: Failed to enqueue backchannel logout: #{e.class} - #{e.message}"
+  end
 end

app/controllers/sessions_controller.rb

@@ -134,6 +134,12 @@ class SessionsController < ApplicationController
   end
 
   def destroy
+    # Send backchannel logout notifications before terminating session
+    if authenticated?
+      user = Current.session.user
+      send_backchannel_logout_notifications(user)
+    end
+
     terminate_session
     redirect_to signin_path, status: :see_other, notice: "Signed out successfully."
   end
@@ -311,4 +317,26 @@ class SessionsController < ApplicationController
       nil
     end
   end
+
+  def send_backchannel_logout_notifications(user)
+    # Find all active OIDC consents for this user
+    consents = OidcUserConsent.where(user: user).includes(:application)
+
+    consents.each do |consent|
+      # Skip if application doesn't support backchannel logout
+      next unless consent.application.supports_backchannel_logout?
+
+      # Enqueue background job to send logout notification
+      BackchannelLogoutJob.perform_later(
+        user_id: user.id,
+        application_id: consent.application.id,
+        consent_sid: consent.sid
+      )
+    end
+
+    Rails.logger.info "SessionsController: Enqueued #{consents.count} backchannel logout notifications for user #{user.id}"
+  rescue => e
+    # Log error but don't block logout
+    Rails.logger.error "SessionsController: Failed to enqueue backchannel logout: #{e.class} - #{e.message}"
+  end
 end

app/jobs/backchannel_logout_job.rb

@@ -0,0 +1,52 @@
+class BackchannelLogoutJob < ApplicationJob
+  queue_as :default
+
+  # Retry with exponential backoff: 1s, 5s, 25s
+  retry_on StandardError, wait: :exponentially_longer, attempts: 3
+
+  def perform(user_id:, application_id:, consent_sid:)
+    # Find the records
+    user = User.find_by(id: user_id)
+    application = Application.find_by(id: application_id)
+    consent = OidcUserConsent.find_by(sid: consent_sid)
+
+    # Validate we have all required data
+    unless user && application && consent
+      Rails.logger.warn "BackchannelLogout: Missing data - user: #{user.present?}, app: #{application.present?}, consent: #{consent.present?}"
+      return
+    end
+
+    # Skip if application doesn't support backchannel logout
+    unless application.supports_backchannel_logout?
+      Rails.logger.debug "BackchannelLogout: Application #{application.name} doesn't support backchannel logout"
+      return
+    end
+
+    # Generate the logout token
+    logout_token = OidcJwtService.generate_logout_token(user, application, consent)
+
+    # Send HTTP POST to the application's backchannel logout URI
+    uri = URI.parse(application.backchannel_logout_uri)
+
+    begin
+      response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https', open_timeout: 5, read_timeout: 5) do |http|
+        request = Net::HTTP::Post.new(uri.path.presence || '/')
+        request['Content-Type'] = 'application/x-www-form-urlencoded'
+        request.set_form_data({ logout_token: logout_token })
+        http.request(request)
+      end
+
+      if response.code.to_i == 200
+        Rails.logger.info "BackchannelLogout: Successfully sent logout notification to #{application.name} (#{application.backchannel_logout_uri})"
+      else
+        Rails.logger.warn "BackchannelLogout: Application #{application.name} returned HTTP #{response.code} from #{application.backchannel_logout_uri}"
+      end
+    rescue Net::OpenTimeout, Net::ReadTimeout => e
+      Rails.logger.warn "BackchannelLogout: Timeout sending logout to #{application.name} (#{application.backchannel_logout_uri}): #{e.message}"
+      raise # Retry on timeout
+    rescue StandardError => e
+      Rails.logger.error "BackchannelLogout: Failed to send logout to #{application.name} (#{application.backchannel_logout_uri}): #{e.class} - #{e.message}"
+      raise # Retry on error
+    end
+  end
+end

app/models/application.rb

@@ -1,6 +1,11 @@
 class Application < ApplicationRecord
   has_secure_password :client_secret, validations: false
 
+  has_one_attached :icon
+
+  # Fix SVG content type after attachment
+  after_save :fix_icon_content_type, if: -> { icon.attached? && saved_change_to_attribute?(:id) == false }
+
   has_many :application_groups, dependent: :destroy
   has_many :allowed_groups, through: :application_groups, source: :group
   has_many :application_user_claims, dependent: :destroy
@@ -18,6 +23,15 @@ class Application < ApplicationRecord
   validates :client_secret, presence: true, on: :create, if: -> { oidc? }
   validates :domain_pattern, presence: true, uniqueness: { case_sensitive: false }, if: :forward_auth?
   validates :landing_url, format: { with: URI::regexp(%w[http https]), allow_nil: true, message: "must be a valid URL" }
+  validates :backchannel_logout_uri, format: {
+    with: URI::regexp(%w[http https]),
+    allow_nil: true,
+    message: "must be a valid HTTP or HTTPS URL"
+  }
+  validate :backchannel_logout_uri_must_be_https_in_production, if: -> { backchannel_logout_uri.present? }
+
+  # Icon validation using ActiveStorage validators
+  validate :icon_validation, if: -> { icon.attached? }
 
   # Token TTL validations (for OIDC apps)
   validates :access_token_ttl, numericality: { greater_than_or_equal_to: 300, less_than_or_equal_to: 86400 }, if: :oidc?  # 5 min - 24 hours
@@ -29,6 +43,10 @@ class Application < ApplicationRecord
     normalized = pattern&.strip&.downcase
     normalized.blank? ? nil : normalized
   }
+  normalizes :backchannel_logout_uri, with: ->(uri) {
+    normalized = uri&.strip
+    normalized.blank? ? nil : normalized
+  }
 
   before_validation :generate_client_credentials, on: :create, if: :oidc?
 
@@ -193,8 +211,44 @@ class Application < ApplicationRecord
     app_claim&.parsed_custom_claims || {}
   end
 
+  # Check if this application supports backchannel logout
+  def supports_backchannel_logout?
+    backchannel_logout_uri.present?
+  end
+
+  # Check if a user has an active session with this application
+  # (i.e., has valid, non-revoked tokens)
+  def user_has_active_session?(user)
+    oidc_access_tokens.where(user: user).valid.exists? ||
+    oidc_refresh_tokens.where(user: user).valid.exists?
+  end
+
   private
 
+  def fix_icon_content_type
+    return unless icon.attached?
+
+    # Fix SVG content type if it was detected incorrectly
+    if icon.filename.extension == "svg" && icon.content_type == "application/octet-stream"
+      icon.blob.update(content_type: "image/svg+xml")
+    end
+  end
+
+  def icon_validation
+    return unless icon.attached?
+
+    # Check content type
+    allowed_types = ['image/png', 'image/jpg', 'image/jpeg', 'image/gif', 'image/svg+xml']
+    unless allowed_types.include?(icon.content_type)
+      errors.add(:icon, 'must be a PNG, JPG, GIF, or SVG image')
+    end
+
+    # Check file size (2MB limit)
+    if icon.blob.byte_size > 2.megabytes
+      errors.add(:icon, 'must be less than 2MB')
+    end
+  end
+
   def duration_to_human(seconds)
     if seconds < 3600
       "#{seconds / 60} minutes"
@@ -213,4 +267,18 @@ class Application < ApplicationRecord
       self.client_secret = secret
     end
   end
+
+  def backchannel_logout_uri_must_be_https_in_production
+    return unless Rails.env.production?
+    return unless backchannel_logout_uri.present?
+
+    begin
+      uri = URI.parse(backchannel_logout_uri)
+      unless uri.scheme == 'https'
+        errors.add(:backchannel_logout_uri, 'must use HTTPS in production')
+      end
+    rescue URI::InvalidURIError
+      # Let the format validator handle invalid URIs
+    end
+  end
 end

app/services/oidc_jwt_service.rb

@@ -45,6 +45,30 @@ class OidcJwtService
       JWT.encode(payload, private_key, "RS256", { kid: key_id, typ: "JWT" })
     end
 
+    # Generate a backchannel logout token (JWT)
+    # Per OIDC Back-Channel Logout spec, this token:
+    # - MUST include iss, aud, iat, jti, events claims
+    # - MUST include sub or sid (or both) - we always include both
+    # - MUST NOT include nonce claim
+    def generate_logout_token(user, application, consent)
+      now = Time.current.to_i
+
+      payload = {
+        iss: issuer_url,
+        sub: consent.sid,  # Pairwise subject identifier
+        aud: application.client_id,
+        iat: now,
+        jti: SecureRandom.uuid,  # Unique identifier for this logout token
+        sid: consent.sid,  # Session ID - always included for granular logout
+        events: {
+          "http://schemas.openid.net/event/backchannel-logout" => {}
+        }
+      }
+
+      # Important: Do NOT include nonce in logout tokens (spec requirement)
+      JWT.encode(payload, private_key, "RS256", { kid: key_id, typ: "JWT" })
+    end
+
     # Decode and verify an ID token
     def decode_id_token(token)
       JWT.decode(token, public_key, true, { algorithm: "RS256" })

app/views/admin/applications/_form.html.erb

@@ -17,6 +17,87 @@
     <%= form.text_area :description, rows: 3, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "Optional description of this application" %>
   </div>
 
+  <div>
+    <div class="flex items-center justify-between">
+      <%= form.label :icon, "Application Icon", class: "block text-sm font-medium text-gray-700" %>
+      <a href="https://dashboardicons.com" target="_blank" rel="noopener noreferrer" class="text-xs text-blue-600 hover:text-blue-800 flex items-center gap-1">
+        <svg class="w-3 h-3" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14"></path>
+        </svg>
+        Browse icons at dashboardicons.com
+      </a>
+    </div>
+    <% if application.icon.attached? && application.persisted? %>
+      <% begin %>
+        <%# Only show icon if we can successfully get its URL (blob is persisted) %>
+        <% if application.icon.blob&.persisted? && application.icon.blob.key.present? %>
+          <div class="mt-2 mb-3 flex items-center gap-4">
+            <%= image_tag application.icon, class: "h-16 w-16 rounded-lg object-cover border border-gray-200", alt: "Current icon" %>
+            <div class="text-sm text-gray-600">
+              <p class="font-medium">Current icon</p>
+              <p class="text-xs"><%= number_to_human_size(application.icon.blob.byte_size) %></p>
+            </div>
+          </div>
+        <% end %>
+      <% rescue ArgumentError => e %>
+        <%# Handle case where icon attachment exists but can't generate signed_id %>
+        <% if e.message.include?("Cannot get a signed_id for a new record") %>
+          <div class="mt-2 mb-3 text-sm text-gray-600">
+            <p class="font-medium">Icon uploaded</p>
+            <p class="text-xs">File will be processed shortly</p>
+          </div>
+        <% else %>
+          <%# Re-raise if it's a different error %>
+          <% raise e %>
+        <% end %>
+      <% end %>
+    <% end %>
+
+    <div class="mt-2" data-controller="file-drop image-paste">
+      <div class="flex justify-center px-6 pt-5 pb-6 border-2 border-gray-300 border-dashed rounded-md hover:border-blue-400 transition-colors"
+           data-file-drop-target="dropzone"
+           data-image-paste-target="dropzone"
+           data-action="dragover->file-drop#dragover dragleave->file-drop#dragleave drop->file-drop#drop paste->image-paste#handlePaste"
+           tabindex="0">
+        <div class="space-y-1 text-center">
+          <svg class="mx-auto h-12 w-12 text-gray-400" stroke="currentColor" fill="none" viewBox="0 0 48 48">
+            <path d="M28 8H12a4 4 0 00-4 4v20m32-12v8m0 0v8a4 4 0 01-4 4H12a4 4 0 01-4-4v-4m32-4l-3.172-3.172a4 4 0 00-5.656 0L28 28M8 32l9.172-9.172a4 4 0 015.656 0L28 28m0 0l4 4m4-24h8m-4-4v8m-12 4h.02" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" />
+          </svg>
+          <div class="flex text-sm text-gray-600">
+            <label for="<%= form.field_id(:icon) %>" class="relative cursor-pointer bg-white rounded-md font-medium text-blue-600 hover:text-blue-500 focus-within:outline-none focus-within:ring-2 focus-within:ring-offset-2 focus-within:ring-blue-500">
+              <span>Upload a file</span>
+              <%= form.file_field :icon,
+                  accept: "image/png,image/jpg,image/jpeg,image/gif,image/svg+xml",
+                  class: "sr-only",
+                  data: {
+                    file_drop_target: "input",
+                    image_paste_target: "input",
+                    action: "change->file-drop#handleFiles"
+                  } %>
+            </label>
+            <p class="pl-1">or drag and drop</p>
+          </div>
+          <p class="text-xs text-gray-500">PNG, JPG, GIF, or SVG up to 2MB</p>
+          <p class="text-xs text-blue-600 font-medium mt-2">💡 Tip: Click here and press Ctrl+V (or Cmd+V) to paste an image from your clipboard</p>
+        </div>
+      </div>
+      <div data-file-drop-target="preview" class="mt-3 hidden">
+        <div class="flex items-center gap-3 p-3 bg-blue-50 rounded-md border border-blue-200">
+          <img data-file-drop-target="previewImage" class="h-12 w-12 rounded object-cover" alt="Preview">
+          <div class="flex-1 min-w-0">
+            <p class="text-sm font-medium text-gray-900" data-file-drop-target="filename"></p>
+            <p class="text-xs text-gray-500" data-file-drop-target="filesize"></p>
+          </div>
+          <button type="button" data-action="click->file-drop#clear" class="text-gray-400 hover:text-gray-600">
+            <svg class="h-5 w-5" fill="currentColor" viewBox="0 0 20 20">
+              <path fill-rule="evenodd" d="M4.293 4.293a1 1 0 011.414 0L10 8.586l4.293-4.293a1 1 0 111.414 1.414L11.414 10l4.293 4.293a1 1 0 01-1.414 1.414L10 11.414l-4.293 4.293a1 1 0 01-1.414-1.414L8.586 10 4.293 5.707a1 1 0 010-1.414z" clip-rule="evenodd" />
+            </svg>
+          </button>
+        </div>
+      </div>
+    </div>
+  </div>
+
   <div>
     <%= form.label :landing_url, "Landing URL", class: "block text-sm font-medium text-gray-700" %>
     <%= form.url_field :landing_url, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm", placeholder: "https://app.example.com" %>
@@ -45,6 +126,16 @@
       <p class="mt-1 text-sm text-gray-500">One URI per line. These are the allowed callback URLs for your application.</p>
     </div>
 
+    <div>
+      <%= form.label :backchannel_logout_uri, "Backchannel Logout URI (Optional)", class: "block text-sm font-medium text-gray-700" %>
+      <%= form.url_field :backchannel_logout_uri, class: "mt-1 block w-full rounded-md border-gray-300 shadow-sm focus:border-blue-500 focus:ring-blue-500 sm:text-sm font-mono", placeholder: "https://app.example.com/oidc/backchannel-logout" %>
+      <p class="mt-1 text-sm text-gray-500">
+        If the application supports OpenID Connect Backchannel Logout, enter the logout endpoint URL.
+        When users log out, Clinch will send logout notifications to this endpoint for immediate session termination.
+        Leave blank if the application doesn't support backchannel logout.
+      </p>
+    </div>
+
     <div class="border-t border-gray-200 pt-4 mt-4">
       <h4 class="text-sm font-semibold text-gray-900 mb-3">Token Expiration Settings</h4>
       <p class="text-sm text-gray-500 mb-4">Configure how long tokens remain valid. Shorter times are more secure but require more frequent refreshes.</p>

app/views/admin/applications/index.html.erb

@@ -14,7 +14,7 @@
       <table class="min-w-full divide-y divide-gray-300">
         <thead>
           <tr>
-            <th scope="col" class="py-3.5 pl-4 pr-3 text-left text-sm font-semibold text-gray-900 sm:pl-0">Name</th>
+            <th scope="col" class="py-3.5 pl-4 pr-3 text-left text-sm font-semibold text-gray-900 sm:pl-0">Application</th>
             <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Slug</th>
             <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Type</th>
             <th scope="col" class="px-3 py-3.5 text-left text-sm font-semibold text-gray-900">Status</th>
@@ -28,7 +28,18 @@
           <% @applications.each do |application| %>
             <tr>
               <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm font-medium text-gray-900 sm:pl-0">
+                <div class="flex items-center gap-3">
+                  <% if application.icon.attached? %>
+                    <%= image_tag application.icon, class: "h-10 w-10 rounded-lg object-cover border border-gray-200 flex-shrink-0", alt: "#{application.name} icon" %>
+                  <% else %>
+                    <div class="h-10 w-10 rounded-lg bg-gray-100 border border-gray-200 flex items-center justify-center flex-shrink-0">
+                      <svg class="h-6 w-6 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16l4.586-4.586a2 2 0 012.828 0L16 16m-2-2l1.586-1.586a2 2 0 012.828 0L20 14m-6-6h.01M6 20h12a2 2 0 002-2V6a2 2 0 00-2-2H6a2 2 0 00-2 2v12a2 2 0 002 2z" />
+                      </svg>
+                    </div>
+                  <% end %>
                   <%= link_to application.name, admin_application_path(application), class: "text-blue-600 hover:text-blue-900" %>
+                </div>
               </td>
               <td class="whitespace-nowrap px-3 py-4 text-sm text-gray-500">
                 <code class="text-xs bg-gray-100 px-2 py-1 rounded"><%= application.slug %></code>

app/views/admin/applications/show.html.erb

@@ -16,11 +16,22 @@
     </div>
   <% end %>
 
-  <div class="sm:flex sm:items-center sm:justify-between">
+  <div class="sm:flex sm:items-start sm:justify-between">
+    <div class="flex items-start gap-4">
+      <% if @application.icon.attached? %>
+        <%= image_tag @application.icon, class: "h-16 w-16 rounded-lg object-cover border border-gray-200 shrink-0", alt: "#{@application.name} icon" %>
+      <% else %>
+        <div class="h-16 w-16 rounded-lg bg-gray-100 border border-gray-200 flex items-center justify-center shrink-0">
+          <svg class="h-8 w-8 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16l4.586-4.586a2 2 0 012.828 0L16 16m-2-2l1.586-1.586a2 2 0 012.828 0L20 14m-6-6h.01M6 20h12a2 2 0 002-2V6a2 2 0 00-2-2H6a2 2 0 00-2 2v12a2 2 0 002 2z" />
+          </svg>
+        </div>
+      <% end %>
       <div>
         <h1 class="text-2xl font-semibold text-gray-900"><%= @application.name %></h1>
         <p class="mt-1 text-sm text-gray-500"><%= @application.description %></p>
       </div>
+    </div>
     <div class="mt-4 sm:mt-0 flex gap-3">
       <%= link_to "Edit", edit_admin_application_path(@application), class: "rounded-md bg-white px-3 py-2 text-sm font-semibold text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 hover:bg-gray-50" %>
       <%= button_to "Delete", admin_application_path(@application), method: :delete, data: { turbo_confirm: "Are you sure?" }, class: "rounded-md bg-red-600 px-3 py-2 text-sm font-semibold text-white shadow-sm hover:bg-red-500" %>
@@ -78,10 +89,11 @@
     <div class="bg-white shadow sm:rounded-lg">
       <div class="px-4 py-5 sm:p-6">
         <div class="flex items-center justify-between mb-4">
-          <h3 class="text-base font-semibold leading-6 text-gray-900">OIDC Credentials</h3>
+          <h3 class="text-base font-semibold leading-6 text-gray-900">OIDC Configuration</h3>
           <%= button_to "Regenerate Credentials", regenerate_credentials_admin_application_path(@application), method: :post, data: { turbo_confirm: "This will invalidate the current credentials. Continue?" }, class: "text-sm text-red-600 hover:text-red-900" %>
         </div>
         <dl class="space-y-4">
+          <% unless flash[:client_id] && flash[:client_secret] %>
             <div>
               <dt class="text-sm font-medium text-gray-500">Client ID</dt>
               <dd class="mt-1 text-sm text-gray-900">
@@ -99,6 +111,7 @@
                 </p>
               </dd>
             </div>
+          <% end %>
           <div>
             <dt class="text-sm font-medium text-gray-500">Redirect URIs</dt>
             <dd class="mt-1 text-sm text-gray-900">
@@ -111,6 +124,27 @@
               <% end %>
             </dd>
           </div>
+          <div>
+            <dt class="text-sm font-medium text-gray-500">
+              Backchannel Logout URI
+              <% if @application.supports_backchannel_logout? %>
+                <span class="ml-2 inline-flex items-center rounded-full bg-green-100 px-2 py-0.5 text-xs font-medium text-green-700">Enabled</span>
+              <% end %>
+            </dt>
+            <dd class="mt-1 text-sm text-gray-900">
+              <% if @application.backchannel_logout_uri.present? %>
+                <code class="block bg-gray-100 px-3 py-2 rounded font-mono text-xs break-all"><%= @application.backchannel_logout_uri %></code>
+                <p class="mt-2 text-xs text-gray-500">
+                  When users log out, Clinch will send logout notifications to this endpoint for immediate session termination.
+                </p>
+              <% else %>
+                <span class="text-gray-400 italic">Not configured</span>
+                <p class="mt-1 text-xs text-gray-500">
+                  Backchannel logout is optional. Configure it if the application supports OpenID Connect Backchannel Logout.
+                </p>
+              <% end %>
+            </dd>
+          </div>
         </dl>
       </div>
     </div>

app/views/dashboard/index.html.erb

@@ -102,11 +102,22 @@
       <% @applications.each do |app| %>
         <div class="bg-white rounded-lg border border-gray-200 shadow-sm hover:shadow-md transition">
           <div class="p-6">
-            <div class="flex items-center justify-between mb-3">
+            <div class="flex items-start gap-3 mb-4">
+              <% if app.icon.attached? %>
+                <%= image_tag app.icon, class: "h-12 w-12 rounded-lg object-cover border border-gray-200 shrink-0", alt: "#{app.name} icon" %>
+              <% else %>
+                <div class="h-12 w-12 rounded-lg bg-gray-100 border border-gray-200 flex items-center justify-center shrink-0">
+                  <svg class="h-6 w-6 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16l4.586-4.586a2 2 0 012.828 0L16 16m-2-2l1.586-1.586a2 2 0 012.828 0L20 14m-6-6h.01M6 20h12a2 2 0 002-2V6a2 2 0 00-2-2H6a2 2 0 00-2 2v12a2 2 0 002 2z" />
+                  </svg>
+                </div>
+              <% end %>
+              <div class="flex-1 min-w-0">
+                <div class="flex items-start justify-between">
                   <h3 class="text-lg font-semibold text-gray-900 truncate">
                     <%= app.name %>
                   </h3>
-              <span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium
+                  <span class="ml-2 inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium shrink-0
                     <% if app.oidc? %>
                       bg-blue-100 text-blue-800
                     <% else %>
@@ -115,15 +126,15 @@
                     <%= app.app_type.humanize %>
                   </span>
                 </div>
-
+                <% if app.description.present? %>
-            <p class="text-sm text-gray-600 mb-4">
+                  <p class="text-sm text-gray-600 mt-1 line-clamp-2">
-              <% if app.oidc? %>
+                    <%= app.description %>
-                OIDC Application
-              <% else %>
-                ForwardAuth Protected Application
-              <% end %>
                   </p>
+                <% end %>
+              </div>
+            </div>
 
+            <div class="space-y-2">
               <% if app.landing_url.present? %>
                 <%= link_to "Open Application", app.landing_url,
                     target: "_blank",
@@ -134,6 +145,13 @@
                   No landing URL configured
                 </div>
               <% end %>
+
+              <% if app.user_has_active_session?(@user) %>
+                <%= button_to "Logout", logout_from_app_active_sessions_path(application_id: app.id), method: :delete,
+                    class: "w-full flex justify-center items-center px-4 py-2 border border-orange-300 text-sm font-medium rounded-md text-orange-700 bg-white hover:bg-orange-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-orange-500 transition",
+                    form: { data: { turbo_confirm: "This will log you out of #{app.name}. You can sign back in without re-authorizing. Continue?" } } %>
+              <% end %>
+            </div>
           </div>
         </div>
       <% end %>

app/views/oidc/consent.html.erb

@@ -1,6 +1,15 @@
 <div class="mx-auto max-w-md">
   <div class="bg-white py-8 px-6 shadow rounded-lg sm:px-10">
-    <div class="mb-8">
+    <div class="mb-8 text-center">
+      <% if @application.icon.attached? %>
+        <%= image_tag @application.icon, class: "mx-auto h-20 w-20 rounded-xl object-cover border-2 border-gray-200 shadow-sm mb-4", alt: "#{@application.name} icon" %>
+      <% else %>
+        <div class="mx-auto h-20 w-20 rounded-xl bg-gray-100 border-2 border-gray-200 flex items-center justify-center mb-4">
+          <svg class="h-10 w-10 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 16l4.586-4.586a2 2 0 012.828 0L16 16m-2-2l1.586-1.586a2 2 0 012.828 0L20 14m-6-6h.01M6 20h12a2 2 0 002-2V6a2 2 0 00-2-2H6a2 2 0 00-2 2v12a2 2 0 002 2z" />
+          </svg>
+        </div>
+      <% end %>
       <h2 class="text-2xl font-bold text-gray-900">Authorize Application</h2>
       <p class="mt-2 text-sm text-gray-600">
         <strong><%= @application.name %></strong> is requesting access to your account.

config/initializers/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Clinch
+  VERSION = "0.6.4"
+end

config/routes.rb

@@ -49,6 +49,7 @@ Rails.application.routes.draw do
   end
   resource :active_sessions, only: [:show] do
     member do
+      delete :logout_from_app
       delete :revoke_consent
       delete :revoke_all_consents
     end

config/storage.yml

@@ -4,7 +4,7 @@ test:
 
 local:
   service: Disk
-  root: <%= Rails.root.join("storage") %>
+  root: <%= Rails.root.join("storage/uploads") %>
 
 # Use bin/rails credentials:edit to set the AWS secrets (as aws:access_key_id|secret_access_key)
 # amazon:

db/migrate/20251125081147_add_backchannel_logout_uri_to_applications.rb

@@ -0,0 +1,5 @@
+class AddBackchannelLogoutUriToApplications < ActiveRecord::Migration[8.1]
+  def change
+    add_column :applications, :backchannel_logout_uri, :string
+  end
+end

db/schema.rb

@@ -10,7 +10,35 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.1].define(version: 2025_11_25_012446) do
+ActiveRecord::Schema[8.1].define(version: 2025_11_25_081147) do
+  create_table "active_storage_attachments", force: :cascade do |t|
+    t.bigint "blob_id", null: false
+    t.datetime "created_at", null: false
+    t.string "name", null: false
+    t.bigint "record_id", null: false
+    t.string "record_type", null: false
+    t.index ["blob_id"], name: "index_active_storage_attachments_on_blob_id"
+    t.index ["record_type", "record_id", "name", "blob_id"], name: "index_active_storage_attachments_uniqueness", unique: true
+  end
+
+  create_table "active_storage_blobs", force: :cascade do |t|
+    t.bigint "byte_size", null: false
+    t.string "checksum"
+    t.string "content_type"
+    t.datetime "created_at", null: false
+    t.string "filename", null: false
+    t.string "key", null: false
+    t.text "metadata"
+    t.string "service_name", null: false
+    t.index ["key"], name: "index_active_storage_blobs_on_key", unique: true
+  end
+
+  create_table "active_storage_variant_records", force: :cascade do |t|
+    t.bigint "blob_id", null: false
+    t.string "variation_digest", null: false
+    t.index ["blob_id", "variation_digest"], name: "index_active_storage_variant_records_uniqueness", unique: true
+  end
+
   create_table "application_groups", force: :cascade do |t|
     t.integer "application_id", null: false
     t.datetime "created_at", null: false
@@ -36,6 +64,7 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_25_012446) do
     t.integer "access_token_ttl", default: 3600
     t.boolean "active", default: true, null: false
     t.string "app_type", null: false
+    t.string "backchannel_logout_uri"
     t.string "client_id"
     t.string "client_secret_digest"
     t.datetime "created_at", null: false
@@ -211,6 +240,8 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_25_012446) do
     t.index ["user_id"], name: "index_webauthn_credentials_on_user_id"
   end
 
+  add_foreign_key "active_storage_attachments", "active_storage_blobs", column: "blob_id"
+  add_foreign_key "active_storage_variant_records", "active_storage_blobs", column: "blob_id"
   add_foreign_key "application_groups", "applications"
   add_foreign_key "application_groups", "groups"
   add_foreign_key "application_user_claims", "applications", on_delete: :cascade