Oidc Logout Improvements

[jzheaux]

This brings support for #13841 and #14904.

To configure OIDC Back-Channel logout to reuse the Back-Channel endpoint to invalidate each individual session (thus removing the need for the CSRF token), configure OIDC logout in the following way:

.oidcLogout((oidc) -> oidc
    .backChannel(Customizer.withDefaults())
)

NOTE that for simplicity, this changes the default internal URI. Since it changes it to point back to the OIDC back-channel URL itself, I believe this will go unnoticed by most applications. That said, in case you need your URI to stay as-is, you can specify the URI as follows:

// ...
.oidcLogout((oidc) -> oidc
    .backChannel((backChannel) -> backChannel
        .logoutUri(myCustomInternalUri)
    )
)

To configure OIDC Back-Channel Logout with a different cookie name, configure it as follows:

@Bean 
OidcSessionRegistry sessionRegistry() {
    return new InMemoryOidcSessionRegistry();
}

@Bean
OidcBackChannelLogoutHandler oidcLogoutHandler(OidcSessionRegistry sessionRegistry) {
    OidcBackChannelLogoutHandler logoutHandler = new OidcBackChannelLogoutHandler(sessionRegistry);
    // the logout URI can also be configured here
    logoutHandler.setSessionCookieName("SESSION");
    return logoutHandler;
}

Or it can also be specified in the DSL directly:

// ...
.oidcLogout((oidc) -> oidc
    .backChannel((backChannel) -> backChannel
        .logoutHandler(logoutHandler)
    )
)

[jzheaux]

@ch4mpy would you please look over this PR as see if is addresses your concerns about CSRF and Spring Session?

[ch4mpy]

@jzheaux I can confirm that, when building the branch for this PR locally, Back-Channel Logout works in this project of mine. The OP is Keycloak. The RP used to trigger the Back-Channel Logout is Keycloak's user account management. The RP receiving the Back-Channel Logout request is a spring-cloud-gateway instance (the reactive version) configured with:

• oauth2Login
• cookie-based protection against CSRF (because it is called by a SPA authorizing requests with a session cookie)
• RP-Initiated Logout (keeps working, validating the CSRF token)
• Back-Channel Logout (fails with latest release, but is successful with this PR)

I can confirm too that configuring the Back-Channel logout URI works as documented in your comment above.

But warning: I had to configure a custom URI because the port for the "internal" request was determined using the original request instead of application properties. My client is behind a reverse proxy that uses a custom hostname and a path prefix for the BFF. The port for the proxy is 80 and the port for the Spring client with oauth2Login and Back-Channel Logout is 7080. The port was resolved to 80, which required the request to go through the reverse-proxy. As you made this URI configurable, I could walk around the problem, but shouldn't OidcBackChannelLogoutHandler resolve "all or none" of scheme, authority, and basePath from the original request?

• The "all" strategy is appealing because it is easy: we need to call the same endpoint. However, it requires the entry-point of the system to be accessible from the Spring OAuth2 client with the same hostname (if the Spring app runs in a Docker container, it is possible that this hostname is not resolved or resolved to the wrong host).
• the "none" strategy (URI built around localhost from application properties instead of the original request) has the advantage of working even on dev machines with Spring app running in Docker. But maybe is it acceptable to configure the URI in that case?

[ch4mpy]

@jzheaux I like what you did with the OidcBackChannelServerLogoutHandler bean to configure Back-Channel Logout. It made my life very easy to adapt my starter to enable this feature and configure it with application properties. Thank you.