Port in logout URL is not customizable in OIDC back channel logout handler #14679
Comments
Hi, @aelillie, thanks for the report. I'm not sure I understand completely just yet, though. The code you outlined does not remove any port from the resulting URI (see also) so it seems like I might be missing some details to be able to apply the appropriate fix. Can you provide a minimum reproducer that demonstrates the issue you are having? |
Hi @jzheaux, thank you for your quick response. That is true, but the issue is that I do not have the possibility to add one. |
In order to build a backchannel logout URI that points to localhost, I'm curious by the way how I can determine the port where the application is running.
As in:

```java
public SecurityFilterChain securityFilterChain(HttpSecurity http, ServerProperties serverProperties) throws Exception {
    return http
        ...
        .oidcLogout(oidcLogout -> oidcLogout
            .backChannel(backChannel -> backChannel
                .logoutUri(String.format("http://localhost:%d/logout", serverProperties.getPort()))))
        .build();
}
```

In the end, I added I even tried using |
Hi @dalbani! You do not need to determine the port in your configuration for this. You can use the prepared URI variables in the This is a complex configuration with scheme, port and context path:
Please note that the default URI template from Spring Security 6.2.4 should be just fine for your use-case:
|
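A complete configuration in the style discussed in this thread, added here as an example; it is not code from the thread or from Spring Security itself. It assumes Spring Boot's `ServerProperties` bean is available and Spring Security 6.2.4 or later. Option A resolves the container port and context path from `ServerProperties`, so the loopback URI targets Tomcat directly even when the incoming request was rewritten by a reverse proxy. Option B (kept as a constant) uses the request-derived URI template; the variable names `{baseScheme}`, `{basePort}` and `{basePath}` are my understanding of what `OidcBackChannelLogoutHandler` exposes and should be checked against the version in use:

```java
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class BackChannelLogoutConfig {

    // Option B (assumed variable names): the handler expands these from the incoming
    // back-channel request. {basePort} is expected to expand to ":8080" or "" and
    // {basePath} to the servlet context path. Verify against your Spring Security version.
    static final String TEMPLATE_LOGOUT_URI = "{baseScheme}://localhost{basePort}{basePath}/logout";

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, ServerProperties serverProperties) throws Exception {
        return http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults())
            .oidcLogout(oidcLogout -> oidcLogout
                .backChannel(backChannel -> backChannel
                    // Option A: explicit loopback URI with the port Tomcat actually listens on.
                    // Swap in TEMPLATE_LOGOUT_URI to use Option B instead.
                    .logoutUri(localLogoutUri(serverProperties))))
            .build();
    }

    // Builds http://localhost:<container-port><context-path>/logout from the
    // container's own settings rather than from the (possibly proxied) request.
    static String localLogoutUri(ServerProperties serverProperties) {
        Integer port = serverProperties.getPort();
        // server.port unset -> Spring Boot's embedded Tomcat default of 8080
        int resolvedPort = (port != null) ? port : 8080;
        String contextPath = serverProperties.getServlet().getContextPath();
        String path = (contextPath != null) ? contextPath : "";
        return String.format("http://localhost:%d%s/logout", resolvedPort, path);
    }
}
```

Two caveats for Option A: `server.port=0` (random port) yields `localhost:0`, which is wrong, and if `server.ssl` is enabled the scheme must be `https` and the certificate must be valid for `localhost`. Option B avoids hard-coding the scheme, but when forwarded headers are honoured its variables describe the proxy-facing URL, not the container, which is the situation this thread is about.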
Hi @lmorocz, thanks for your comment. |
Then use Another option is to set up your IDP (Keycloak?) client BackChannel logout URI to the internal URI of your app ( |
Indeed, that's an option I didn't consider. Although it involves making the request go through the reverse proxy... to eventually reach the application itself. Not a dealbreaker in the grand scheme of things, but still a little over complicated.
This is unfortunately not an option for me, as the IdP (Keycloak indeed) cannot access the app directly. It has to go through the reverse proxy. |
Yes, it is complicated, but please note that before 6.2.2 this was the only way as 6.2.1 only replaced the path of the original request to |
I'm glad that 6.2.2 introduced an improvement indeed; kudos to the Spring Security developers 👍 |
Describe the bug

In Spring Security 6.2.2 the OidcBackChannelLogoutHandler.java logout handler automatically replaces the logout URL endpoint hostname with localhost. However, in a Tomcat context, we also need to specify the port number, typically 8080. This is not possible in the current implementation.

To Reproduce

Initiate a back channel logout.

Expected behavior

Local session is invalidated through a POST request to http://localhost:<PORT>/logout, where in my case it should be http://localhost:8080/logout.

Actual behavior

A logout POST request is sent to http://localhost/logout, with no effect.

Sample

This is my security config setup: