Support RP (Client) initiated logout #5350

Closed
jzheaux opened this issue May 15, 2018 · 9 comments

Comments

@jzheaux
Contributor

commented May 15, 2018

Summary

end_session_endpoint is part of the OIDC spec:

http://openid.net/specs/openid-connect-session-1_0.html#RPLogout

Additional Info

This is born out of some observations from @thomasdarimont in an OAuth GitHub sample.

@rwinch rwinch added this to the 5.1.0.M2 milestone May 15, 2018

@jzheaux jzheaux self-assigned this May 16, 2018

jzheaux added a commit to jzheaux/spring-security that referenced this issue May 16, 2018

Support for OIDC Logout
This commit introduces two new classes for coordinating logout with
an OP. The first is for the user-agent (redirect) use case and the
second is for the server-side use case.

For now they are separate due to settings that don't make sense in
one use case vs the other, however, there is some duplicative logic
that we could either clean up with an abstract class or some
additional configuration logic.

This commit doesn't propose any changes to the OAuth2LoginConfigurer
as I'd first like to get feedback on the classes themselves.

Issue: spring-projectsgh-5350
@jzheaux

Contributor Author

commented May 16, 2018

@thomasdarimont, quick question about the way Keycloak supports RP-initiated logout.

The way I read the spec for RP-logout:

"In this case, the RP, after having logged the End-User out of the RP, redirects the End-User's User Agent to the OP's logout endpoint URL."

is that the RP would do a redirect as opposed to a server-side call.

Is a server-side call the preferred way in Keycloak, or is that just isolated to your sample?

Also, I'm wondering if you see something different in the spec than I. We want to remain spec compliant in the implementations that Spring Security provides and hopefully make it easy to extend for folks who need to depart from the spec. Do you see a server-side call as within the bounds of the OpenID spec?

I found the following article to be informative, relative to what kinds of flows are possible within the spec.

@thomasdarimont

Contributor

commented May 17, 2018

In my example I do the logout behind the scenes since I want to stay in the application.
But I could also just send a redirect, which might be more appropriate.

Keycloak currently supports multiple ways to access the end_session endpoint:

The current version of Keycloak seems to lack support for the Front Channel logout though.

I didn't have time to read the full article yet - will do and get back to this later.

@jzheaux

Contributor Author

commented May 17, 2018

Cool, thanks for the links.

Reading the Backchannel logout spec, it appears that is a way for RPs to register an endpoint and that the OP initiates the logout. Note that section 3, "RP-initiated Logout Functionality" just refers back to the session management spec.

@jgrandja jgrandja changed the title from "Support end_session_endpoint" to "Support RP (Client) initiated logout" Jun 11, 2018

@jgrandja jgrandja modified the milestones: 5.1.0.M2, 5.1.0.RC1 Jul 24, 2018

@wtatum


commented Dec 19, 2018

@jzheaux, any thoughts on whether this will get a new milestone attached? Is it a good candidate for contribution? Supporting RP-initiated logout is in my backlog right now. If it's over the horizon for framework support I'm happy to wait a little bit. If you think it's "stuck", it's something I or my team would be working on in the next few months either way.

@jzheaux

Contributor Author

commented Dec 20, 2018

@wtatum, yes, this task is a good candidate for contribution, thanks for asking.

Would you be able to put together a PR by March (you mentioned that it may be on your backlog for a few months)? If so, the task is yours! Otherwise, I think there is a good chance I'll be able to tackle it myself before then.

Essentially, it's a matter of creating a logout success handler that looks up the ClientRegistration associated with that Authentication and redirects according to the spec.
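
The handler logic described in the comment above, as an added example that is not part of the original thread or Spring Security's own code: a JDK-only sketch that looks up a registration and builds the redirect to the OP's end_session_endpoint with the spec's id_token_hint, post_logout_redirect_uri and state parameters, falling back to a local URL when the OP advertises no endpoint. The Registration record, method names, host names and token value are constructed assumptions.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Added example: JDK-only sketch, not Spring Security code. All names are hypothetical.
public class RpInitiatedLogoutExample {
    // Stand-in for a per-provider client registration; endSessionEndpoint is the value of
    // "end_session_endpoint" from the OP's discovery metadata, or null when it is absent.
    record Registration(String id, URI endSessionEndpoint) {}

    // Constructed sample registrations.
    static final Map<String, Registration> REGISTRATIONS = Map.of(
        "op-with-logout", new Registration("op-with-logout", URI.create("https://op.example/logout")),
        "op-without-logout", new Registration("op-without-logout", null));

    static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    // Call only after the RP's local session has been invalidated.
    // Returns the location the user agent should be redirected to.
    static URI logoutRedirect(String registrationId, String idToken,
                              URI postLogoutRedirectUri, String state, URI localFallback) {
        Registration reg = REGISTRATIONS.get(registrationId);
        if (reg == null || reg.endSessionEndpoint() == null) {
            return localFallback; // OP does not advertise RP-initiated logout
        }
        String base = reg.endSessionEndpoint().toString();
        StringBuilder url = new StringBuilder(base)
            .append(base.contains("?") ? '&' : '?') // endpoint may already carry a query
            .append("id_token_hint=").append(enc(idToken));
        if (postLogoutRedirectUri != null) {
            // The OP is expected to accept only a URI registered for this client.
            url.append("&post_logout_redirect_uri=").append(enc(postLogoutRedirectUri.toString()));
            if (state != null) { // state is only returned together with the redirect back
                url.append("&state=").append(enc(state));
            }
        }
        return URI.create(url.toString());
    }

    public static void main(String[] args) {
        URI fallback = URI.create("https://rp.example/login?logout");
        URI back = URI.create("https://rp.example/logged-out");
        String idToken = "eyJhbGciOiJub25lIn0.e30."; // constructed placeholder, not a real token
        System.out.println(logoutRedirect("op-with-logout", idToken, back, "af0ifjsldkj", fallback));
        System.out.println(logoutRedirect("op-without-logout", idToken, back, "af0ifjsldkj", fallback));
    }
}
```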

@wtatum


commented Dec 20, 2018

Would you be able to put together a PR by March

Yes, I think that's pretty likely. I'll keep you posted after the holidays.

@jzheaux

Contributor Author

commented Jan 15, 2019

Hey, @wtatum, hope you had a nice holiday!

Are you thinking you'd still like to contribute a PR for this task? If not, I believe I'll soon have time to take it up myself, so it's fine either way.

@jzheaux

Contributor Author

commented Jan 30, 2019

@wtatum It looks like I'll go ahead and submit a PR for this. I'll reach out to you for feedback to see if it meets your needs.

jzheaux added a commit to jzheaux/spring-security that referenced this issue Jan 30, 2019

@wtatum


commented Jan 30, 2019

@jgrandja jgrandja added this to the 5.2.0.M2 milestone Mar 4, 2019

jzheaux added a commit to jzheaux/spring-security that referenced this issue Mar 5, 2019

jzheaux added a commit to jzheaux/spring-security that referenced this issue Mar 18, 2019

jzheaux added a commit to jzheaux/spring-security that referenced this issue Mar 19, 2019

@jzheaux jzheaux closed this in 248a8c0 Mar 19, 2019

jzheaux added a commit that referenced this issue Mar 19, 2019
