
OIDC Backchannel Logout Handler Endpoint 404 #14181

Closed
seanhinkley opened this issue Nov 21, 2023 · 2 comments
Labels: for: stackoverflow (A question that's better suited to stackoverflow.com); in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)

Comments


seanhinkley commented Nov 21, 2023

I have configured OIDC backchannel logout in an application with a context-path. Issuing the logout from the provider does not destroy the client session.

Stepping through the code led me to the snippet below, in OidcBackChannelLogoutHandler.eachLogout.

```java
// From OidcBackChannelLogoutHandler.eachLogout (Spring Security 6.2.0-RC2)
String url = request.getRequestURL().toString();
String logout = UriComponentsBuilder.fromHttpUrl(url).replacePath(this.logoutEndpointName).build().toUriString();
```

In the above, logout does not include the context-path and the resulting post returns 404.

OidcBackChannelLogoutHandler.logoutEndpointName is assigned "/logout" by default. There does not appear to be a way to override this property through the DSL or through an ObjectPostProcessor.

I have reviewed #13767 and understand the delay for supporting DSL. In light of this is there another way to configure logoutEndpointName?

EDIT
The version of Spring Security this was identified in is 6.2.0-RC2.
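As an added illustration (not code from the issue or from Spring Security itself), the URL computation quoted above side by side with a variant that keeps the servlet context-path in the rebuilt URL. The request URLs and the `/myapp` context-path are constructed sample values; the `provider` segment is a placeholder for a registration id.

```java
import org.springframework.web.util.UriComponentsBuilder;

public class BackChannelLogoutUrl {

    // Mirrors the snippet from OidcBackChannelLogoutHandler.eachLogout quoted in the issue:
    // replacePath() swaps out the entire path, so any context-path prefix is dropped.
    static String withoutContextPath(String requestUrl, String logoutEndpointName) {
        return UriComponentsBuilder.fromHttpUrl(requestUrl)
                .replacePath(logoutEndpointName)
                .build()
                .toUriString();
    }

    // Variant that prefixes the context-path. HttpServletRequest.getContextPath() returns ""
    // for a root deployment and "/myapp" (no trailing slash) otherwise, which is what this
    // method expects as its second argument.
    static String withContextPath(String requestUrl, String contextPath, String logoutEndpointName) {
        String endpoint = logoutEndpointName.startsWith("/") ? logoutEndpointName : "/" + logoutEndpointName;
        return UriComponentsBuilder.fromHttpUrl(requestUrl)
                .replacePath(contextPath + endpoint)
                .build()
                .toUriString();
    }

    public static void main(String[] args) {
        // Constructed sample: a back-channel logout request reaching an app deployed under /myapp.
        String requestUrl = "https://app.example.com/myapp/logout/connect/back-channel/provider";

        // Context-path is lost; the client's own logout endpoint is not at this URL, hence the 404.
        System.out.println(withoutContextPath(requestUrl, "/logout"));

        // Context-path retained; this is the URL the application actually serves.
        System.out.println(withContextPath(requestUrl, "/myapp", "/logout"));

        // Root deployment (empty context-path): both variants agree, which is why the bug is
        // only visible once the application is deployed under a context-path.
        String rootUrl = "https://app.example.com/logout/connect/back-channel/provider";
        System.out.println(withContextPath(rootUrl, "", "/logout"));
    }
}
```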

@seanhinkley seanhinkley added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 21, 2023
seanhinkley (author) commented

In the event someone comes across this issue, I used reflection to modify the value. After http.build(), I iterate over the list of filters to find the back-channel filter and then modify the handler's endpoint.

It's important to note that due to the private scope of both classes (OidcBackChannelLogoutFilter and OidcBackChannelLogoutHandler), I could not use instanceof and tested the name of the class.

jzheaux (Contributor) commented Nov 27, 2023

Hi, @seanhinkley. Unfortunately for now, the logout endpoint must remain hardcoded, though I hope that we can take another look at #13767 in 6.3.

@jzheaux jzheaux closed this as completed Nov 27, 2023
@jzheaux jzheaux added for: stackoverflow A question that's better suited to stackoverflow.com in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 27, 2023