Option to provide custom logoutTokenDecoderFactory for OIDC logout #16545

Open
@ErwinSteffens

Description

Expected Behavior

Allow providing a custom logoutTokenDecoderFactory in OidcBackChannelLogoutReactiveAuthenticationManager so we can provide a custom WebClient and resolve a production connection issue.

We can work on creating PR for this, but we need some guidance for getting to a correct solution.

Current Behavior

We are seeing connection issues with long-running HTTP connections to some of our OIDC providers. This shows up as the following error message in our logging:

i.n.c.u.Errors$NativeIoException: recv(..) failed: Connection reset by peer
Wrapped by: o.s.w.r.f.c.WebClientRequestException: recv(..) failed: Connection reset by peer
	at o.s.w.r.f.c.ExchangeFunctions$DefaultExchangeFunction.lambda$wrapException$9(ExchangeFunctions.java:137)
	Suppressed: r.c.p.FluxOnAssembly$OnAssemblyException: 
Error has been observed at the following site(s):
	*__checkpoint ⇢ Request to GET https://xxxx/.well-known/jwks.json [DefaultWebClient]

A similar issue in the login process is described here. There was a lot of discussion on how to resolve this, but there is now an option to create a custom ReactiveJwtDecoderFactory to validate the ID token with a custom WebClient instance:

import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenValidator;
import org.springframework.security.oauth2.client.oidc.authentication.ReactiveOidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.converter.ClaimTypeConverter;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoderFactory;
import org.springframework.stereotype.Component;
import org.springframework.web.reactive.function.client.WebClient;

@Component
public class CustomReactiveOidcIdTokenDecoderFactory implements ReactiveJwtDecoderFactory<ClientRegistration> {

	private final WebClient webClient;

	public CustomReactiveOidcIdTokenDecoderFactory(WebClient webClient) {
		this.webClient = webClient;
	}

	@Override
	public ReactiveJwtDecoder createDecoder(ClientRegistration registration) {
		// Fetch the provider's JWK set through the injected WebClient instead of the default one.
		var issuerUri = registration.getProviderDetails().getIssuerUri();
		var decoder = NimbusReactiveJwtDecoder.withIssuerLocation(issuerUri)
				.webClient(this.webClient)
				.build();
		// Keep the default ID token checks (issuer, subject, audience, expiry) on top of signature verification.
		decoder.setJwtValidator(JwtValidators.createDefaultWithValidators(new OidcIdTokenValidator(registration)));
		// Keep the default OIDC claim type conversions.
		decoder.setClaimSetConverter(new ClaimTypeConverter(ReactiveOidcIdTokenDecoderFactory.createDefaultClaimTypeConverters()));
		return decoder;
	}
}

We would like to build similar functionality for the OIDC backchannel logout process but this cannot be accomplished because:

  • OidcBackChannelLogoutTokenValidator is an internal class
  • The logoutTokenDecoderFactory in OidcBackChannelLogoutReactiveAuthenticationManager is not configurable at the moment.
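An added example, not from the issue author or from Spring Security itself, of how the custom WebClient injected into a decoder factory like the one above can be built so that pooled keep-alive connections to the provider's JWKS endpoint are retired before the remote side drops them. The bean name, the pool name and every timeout value are assumptions that have to be tuned to the provider's (or its load balancer's) idle timeout.

```java
import java.time.Duration;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.web.reactive.function.client.WebClient;

import reactor.netty.http.client.HttpClient;
import reactor.netty.resources.ConnectionProvider;

@Configuration
public class JwkSetWebClientConfig {

    // Assumed values: MAX_IDLE must stay below the idle timeout enforced by the OIDC
    // provider or any proxy in front of it, otherwise the pool hands out connections
    // the peer has already closed and the request fails with "Connection reset by peer".
    private static final Duration MAX_IDLE = Duration.ofSeconds(20);
    private static final Duration MAX_LIFE = Duration.ofMinutes(5);
    private static final Duration EVICT_INTERVAL = Duration.ofSeconds(30);
    private static final Duration RESPONSE_TIMEOUT = Duration.ofSeconds(5);

    @Bean("jwkSetWebClient") // assumed bean name, referenced with @Qualifier in the factory
    public WebClient jwkSetWebClient() {
        // Dedicated pool for JWKS fetches so its lifecycle settings do not affect
        // other outbound traffic of the application.
        ConnectionProvider provider = ConnectionProvider.builder("oidc-jwks")
                .maxIdleTime(MAX_IDLE)            // drop connections idle longer than this
                .maxLifeTime(MAX_LIFE)            // recycle connections regardless of activity
                .evictInBackground(EVICT_INTERVAL) // proactively evict instead of on next acquire
                .build();

        // Bound the wait for the JWKS response so a stalled provider cannot hang
        // token validation indefinitely.
        HttpClient httpClient = HttpClient.create(provider)
                .responseTimeout(RESPONSE_TIMEOUT);

        return WebClient.builder()
                .clientConnector(new ReactorClientHttpConnector(httpClient))
                .build();
    }
}
```

Wire this bean into the decoder factory with constructor injection and a @Qualifier("jwkSetWebClient") so the application's default WebClient is left untouched. The WebClient only changes how the JWK set is transported; the decoder still verifies the signature and the standard claims, so this configuration does not weaken token validation.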

Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose), type: enhancement (A general enhancement)