|
|
@@ -929,114 +929,5 @@ For MAC-based algorithms (such as `HS256`, `HS384`, or `HS512`), the `client-sec
|
|
|
If more than one `ClientRegistration` is configured for OpenID Connect 1.0 Authentication, the JWS algorithm resolver may evaluate the provided `ClientRegistration` to determine which algorithm to return.
|
|
|
====
|
|
|
|
|
|
-
|
|
|
-[[oauth2login-advanced-oidc-logout]]
|
|
|
-== OpenID Connect 1.0 Logout
|
|
|
-
|
|
|
-OpenID Connect Session Management 1.0 allows the ability to log out the end user at the Provider by using the Client.
|
|
|
-One of the strategies available is https://openid.net/specs/openid-connect-rpinitiated-1_0.html[RP-Initiated Logout].
|
|
|
-
|
|
|
-If the OpenID Provider supports both Session Management and https://openid.net/specs/openid-connect-discovery-1_0.html[Discovery], the client can obtain the `end_session_endpoint` `URL` from the OpenID Provider's https://openid.net/specs/openid-connect-session-1_0.html#OPMetadata[Discovery Metadata].
|
|
|
-You can do so by configuring the `ClientRegistration` with the `issuer-uri`, as follows:
|
|
|
-
|
|
|
-[source,yaml]
|
|
|
-----
|
|
|
-spring:
|
|
|
- security:
|
|
|
- oauth2:
|
|
|
- client:
|
|
|
- registration:
|
|
|
- okta:
|
|
|
- client-id: okta-client-id
|
|
|
- client-secret: okta-client-secret
|
|
|
- ...
|
|
|
- provider:
|
|
|
- okta:
|
|
|
- issuer-uri: https://dev-1234.oktapreview.com
|
|
|
-----
|
|
|
-
|
|
|
-Also, you can configure `OidcClientInitiatedLogoutSuccessHandler`, which implements RP-Initiated Logout, as follows:
|
|
|
-
|
|
|
-[tabs]
|
|
|
-======
|
|
|
-Java::
|
|
|
-+
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-@Configuration
|
|
|
-@EnableWebSecurity
|
|
|
-public class OAuth2LoginSecurityConfig {
|
|
|
-
|
|
|
- @Autowired
|
|
|
- private ClientRegistrationRepository clientRegistrationRepository;
|
|
|
-
|
|
|
- @Bean
|
|
|
- public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
|
- http
|
|
|
- .authorizeHttpRequests(authorize -> authorize
|
|
|
- .anyRequest().authenticated()
|
|
|
- )
|
|
|
- .oauth2Login(withDefaults())
|
|
|
- .logout(logout -> logout
|
|
|
- .logoutSuccessHandler(oidcLogoutSuccessHandler())
|
|
|
- );
|
|
|
- return http.build();
|
|
|
- }
|
|
|
-
|
|
|
- private LogoutSuccessHandler oidcLogoutSuccessHandler() {
|
|
|
- OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler =
|
|
|
- new OidcClientInitiatedLogoutSuccessHandler(this.clientRegistrationRepository);
|
|
|
-
|
|
|
- // Sets the location that the End-User's User Agent will be redirected to
|
|
|
- // after the logout has been performed at the Provider
|
|
|
- oidcLogoutSuccessHandler.setPostLogoutRedirectUri("{baseUrl}");
|
|
|
-
|
|
|
- return oidcLogoutSuccessHandler;
|
|
|
- }
|
|
|
-}
|
|
|
-----
|
|
|
-
|
|
|
-Kotlin::
|
|
|
-+
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-@Configuration
|
|
|
-@EnableWebSecurity
|
|
|
-class OAuth2LoginSecurityConfig {
|
|
|
- @Autowired
|
|
|
- private lateinit var clientRegistrationRepository: ClientRegistrationRepository
|
|
|
-
|
|
|
- @Bean
|
|
|
- open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
|
|
- http {
|
|
|
- authorizeRequests {
|
|
|
- authorize(anyRequest, authenticated)
|
|
|
- }
|
|
|
- oauth2Login { }
|
|
|
- logout {
|
|
|
- logoutSuccessHandler = oidcLogoutSuccessHandler()
|
|
|
- }
|
|
|
- }
|
|
|
- return http.build()
|
|
|
- }
|
|
|
-
|
|
|
- private fun oidcLogoutSuccessHandler(): LogoutSuccessHandler {
|
|
|
- val oidcLogoutSuccessHandler = OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository)
|
|
|
-
|
|
|
- // Sets the location that the End-User's User Agent will be redirected to
|
|
|
- // after the logout has been performed at the Provider
|
|
|
- oidcLogoutSuccessHandler.setPostLogoutRedirectUri("{baseUrl}")
|
|
|
- return oidcLogoutSuccessHandler
|
|
|
- }
|
|
|
-}
|
|
|
-----
|
|
|
-======
|
|
|
-
|
|
|
-[NOTE]
|
|
|
-====
|
|
|
-`OidcClientInitiatedLogoutSuccessHandler` supports the `+{baseUrl}+` placeholder.
|
|
|
-If used, the application's base URL, such as `https://app.example.org`, replaces it at request time.
|
|
|
-====
|
|
|
-
|
|
|
[[oauth2login-advanced-oidc-logout]]
|
|
|
Then, you can proceed to configure xref:reactive/oauth2/login/logout.adoc[logout]
|
Josh Cummings