
Port in logout URL is not customizable in OIDC back channel logout handler #14679

Closed
@aelillie

Description


Describe the bug
In Spring Security 6.2.2 the OidcBackChannelLogoutHandler.java logout handler automatically replaces the logout URL endpoint hostname with localhost. However, in a Tomcat context, we also need to specify the port number, typically 8080. This is not possible in the current implementation.

To Reproduce
Initiate a back channel logout.

Expected behavior
Local session is invalidated through a POST request to http://localhost:<PORT>/logout, where in my case it should be http://localhost:8080/logout.

Actual behavior
A logout POST request is sent to http://localhost/logout, with no effect.

	String computeLogoutEndpoint(HttpServletRequest request) {
		String url = request.getRequestURL().toString();
		return UriComponentsBuilder.fromHttpUrl(url)
			.host("localhost")
			.replacePath(this.logoutEndpointName)
			.build()
			.toUriString();
	}

Sample
This is my security config setup:

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http, AccessDeniedHandler accessDeniedHandler,
                                                   AuthenticationEntryPoint authenticationEntryPoint,
                                                   GrantedAuthoritiesMapper grantedAuthoritiesMapper,
                                                   AuthenticationSuccessHandler authenticationSuccessHandler,
                                                   LogoutSuccessHandler logoutSuccessHandler,
                                                   ClientRegistrationRepository clientRegistrationRepository,
                                                   MvcRequestMatcher.Builder mvc,
                                                   OidcSessionRegistry oidcSessionRegistry) throws Exception {
        return http
                .csrf(csrf -> csrf.disable()
                        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                        .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())
                )
                .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class)
                .authorizeHttpRequests(authorize -> authorize
                        ...
                        .anyRequest().authenticated()
                )
                .oauth2Login(oauth2 -> oauth2
                        .authorizationEndpoint(authorizationEndpointConfig -> {
                            var resolver = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, OAUTH2_REQUEST_BASE_URI);
                            resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
                            authorizationEndpointConfig.authorizationRequestResolver(resolver);
                        })
                        .userInfoEndpoint(userInfo -> userInfo
                                .userAuthoritiesMapper(grantedAuthoritiesMapper))
                        .successHandler(authenticationSuccessHandler)
                        .oidcSessionRegistry(oidcSessionRegistry)
                )
                .logout(logout -> logout
                        .logoutSuccessHandler(logoutSuccessHandler)
                )
                .oidcLogout(oidcLogout -> oidcLogout
                        .backChannel(withDefaults())
                        .clientRegistrationRepository(clientRegistrationRepository)
                        .oidcSessionRegistry(oidcSessionRegistry)
                )
               ...
                .build();
    }
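As an added illustration (not code from Spring Security or from the reporter), the Java class below reproduces the quoted computeLogoutEndpoint steps on plain URL strings and shows where the port goes: UriComponentsBuilder.host() keeps any port that is explicit in the request URL, so the port is lost exactly when the public URL uses the scheme default (for example behind a reverse proxy) while the container itself listens on 8080. The withLocalPort method and the sample URLs are hypothetical, and the class assumes only spring-web on the classpath.

```java
import org.springframework.web.util.UriComponentsBuilder;

/**
 * Added demonstration (not Spring Security code): why the port disappears from the
 * back-channel self-logout URL, and one way a deployer-supplied port could be applied.
 */
public final class BackChannelLogoutEndpointDemo {

    /** Same steps as the 6.2.2 computeLogoutEndpoint quoted in the issue, minus the servlet request. */
    static String asShipped(String requestUrl, String logoutEndpointName) {
        return UriComponentsBuilder.fromHttpUrl(requestUrl)
                .host("localhost")
                .replacePath(logoutEndpointName)
                .build()
                .toUriString();
    }

    /**
     * Hypothetical variant: the loopback port comes from configuration (e.g. Tomcat's 8080)
     * instead of being inherited from whatever the public request URL carried.
     */
    static String withLocalPort(String requestUrl, String logoutEndpointName, int localPort) {
        return UriComponentsBuilder.fromHttpUrl(requestUrl)
                .host("localhost")
                .port(localPort)
                .replacePath(logoutEndpointName)
                .build()
                .toUriString();
    }

    public static void main(String[] args) {
        // Constructed sample: the public URL has no explicit port (scheme default), as is
        // typical behind a reverse proxy, while Tomcat itself listens on 8080.
        String viaProxy = "http://app.example.test/logout/connect/back-channel/my-client";
        System.out.println(asShipped(viaProxy, "/logout"));
        System.out.println(withLocalPort(viaProxy, "/logout", 8080));

        // Constructed sample: when the request URL already carries a port, host() leaves it intact,
        // which is why the problem only shows up in deployments where the port is implicit.
        String direct = "http://app.example.test:8080/logout/connect/back-channel/my-client";
        System.out.println(asShipped(direct, "/logout"));
    }
}
```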

Labels: in: oauth2 (An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)); status: duplicate (A duplicate of another issue); type: bug (A general bug)