Support for OIDC Logout #5356
Support for OIDC Logout #5356
Conversation
...n/java/org/springframework/security/oauth2/client/oidc/logout/OidcEndpointLogoutHandler.java
Outdated
Show resolved
Hide resolved
...n/java/org/springframework/security/oauth2/client/oidc/logout/OidcEndpointLogoutHandler.java
Outdated
Show resolved
Hide resolved
.../springframework/security/oauth2/client/oidc/logout/OidcRedirectingLogoutSuccessHandler.java
Outdated
Show resolved
Hide resolved
...ork/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java
Outdated
Show resolved
Hide resolved
...n/java/org/springframework/security/oauth2/client/oidc/logout/OidcEndpointLogoutHandler.java
Outdated
Show resolved
Hide resolved
jzheaux
added
status: duplicate
...in/java/org/springframework/security/oauth2/client/oidc/logout/OidcLogoutSuccessHandler.java
Outdated
Show resolved
Hide resolved
...in/java/org/springframework/security/oauth2/client/oidc/logout/OidcLogoutSuccessHandler.java
Outdated
Show resolved
Hide resolved
...in/java/org/springframework/security/oauth2/client/oidc/logout/OidcLogoutSuccessHandler.java
Outdated
Show resolved
Hide resolved
...in/java/org/springframework/security/oauth2/client/oidc/logout/OidcLogoutSuccessHandler.java
Outdated
Show resolved
Hide resolved
...in/java/org/springframework/security/oauth2/client/oidc/logout/OidcLogoutSuccessHandler.java
Outdated
Show resolved
Hide resolved
|
@jgrandja, thanks for all the great feedback. I've applied it and also added its reactive counterpart. I added the reactive at this point since it seems like we are close enough on the servlet code. Also, note that I stuck with your first suggestion of Lastly, @rwinch when you get a moment I'd love to get your take on the reactive code. Of particular note is that I duplicate some functionality already found in |
| * limitations under the License. | ||
| */ | ||
|
|
||
| package org.springframework.security.oauth2.client.oidc.logout; |
There was a problem hiding this comment.
I'd expect this to be in the oauth2.client.web.oidc.logout package
There was a problem hiding this comment.
@rwinch Please see my latest comment on package name as I believe the one I suggested is correct?
| * limitations under the License. | ||
| */ | ||
|
|
||
| package org.springframework.security.oauth2.client.oidc.logout; |
There was a problem hiding this comment.
I'd expect this to be in the oauth2.client.web.server.oidc.logout package
There was a problem hiding this comment.
@rwinch Please see my latest comment on package name as I believe the one I suggested is correct?
| .map(OAuth2AuthenticationToken.class::cast) | ||
| .flatMap(this::endSessionEndpoint) | ||
| .map(endSessionEndpoint -> endpointUri(endSessionEndpoint, authentication)) | ||
| .defaultIfEmpty(this.logoutSuccessUrl) |
There was a problem hiding this comment.
I think we could create a member (please consider renaming but illustrates point):
private ServerLogoutSuccessHandler delegate = new RedirectServerLogoutSuccessHandler();
// add setterYou can then remove this.logoutSuccessUrl and change .defaultIfEmpty(this.logoutSuccessUrl) to
.switchIfEmpty(delegate.onLogoutSuccess(exchange, authentication).then(Mono.empty()))
| * limitations under the License. | ||
| */ | ||
|
|
||
| package org.springframework.security.oauth2.client.web.server.oidc.logout; |
There was a problem hiding this comment.
This is the Servlet version so it should not be under server sub-package.
Please move to -> org.springframework.security.oauth2.client.oidc.web.logout
| * @author Josh Cummings | ||
| * @since 5.2 | ||
| * @see <a href="http://openid.net/specs/openid-connect-session-1_0.html#RPLogout">RP-Initiated Logout</a> | ||
| * @see {@link org.springframework.security.web.authentication.logout.LogoutSuccessHandler} |
| * limitations under the License. | ||
| */ | ||
|
|
||
| package org.springframework.security.oauth2.client.web.oidc.logout; |
There was a problem hiding this comment.
This is the Reactive version so it should be under server sub-package.
Please move to -> org.springframework.security.oauth2.client.oidc.web.server.logout
| * @author Josh Cummings | ||
| * @since 5.2 | ||
| * @see <a href="http://openid.net/specs/openid-connect-session-1_0.html#RPLogout">RP-Initiated Logout</a> | ||
| * @see {@link org.springframework.security.web.authentication.logout.LogoutSuccessHandler} |
There was a problem hiding this comment.
@link is invalid in @see AND class reference is Servlet version
This commit introduces two new classes for coordinating logout with
an OP. The first is for the user-agent (redirect) use case and the
second is for the server-side use case.
For now they are separate due to settings that don't make sense in
one use case vs the other, however, there is some duplicative logic
that we could either clean up with an abstract class or some
additional configuration logic.
This commit doesn't propose any changes to the OAuth2LoginConfigurer
as I'd first like to get feedback on the classes themselves.
Issue: gh-5350