Support OpenID Connect Back-Channel Logout #7845
Comments
codependent
changed the title
spring-projects-issues
added
the
status: waiting-for-triage
jgrandja
changed the title
jgrandja
added
in: oauth2
|
@jgrandja is there any plan for this task? From January, I'll be available to help with it, if needed. |
|
@ThomasVitale I haven't planned this for 5.5 and since RC1 is Feb 3 it might be tight. Either way, if you're still interested on working on this we can see how the timing goes and always fallback to 5.6. Thoughts? |
|
@jgrandja I also think that hitting RC1 for 5.5 might be tight. But I'm still interested and I can start working on it right away. Do you have any pointers or should I start drafting some design ideas first? |
|
@ThomasVitale Apologies for the delayed response. Let's plan on getting this in for the release after 5.5, so there is no pressure on rushing for this.
I haven't really given it much thought so I think starting to draft some design ideas makes a lot of sense. Thanks! |
|
@ThomasVitale Here are the specs for managing OIDC sessions.
I would encourage you to read all 3 in order to gain a holistic view on OIDC session management. |
|
@jgrandja perfect, thanks, I'll do that. |
|
Update: I've studied the documentation and started drafting some design ideas. I'll share them asap. |
|
@jgrandja I identified the following three main tasks. I checked the points for which I have uploaded a draft solution so far, and added some questions to clarify the solution. What do you think? 1. Domain model, validation, decoding, serializationId Token
Logout Token
Client Registration
Questions
2. Terminate current authenticated sessionsI've been thinking a lot about how to retrieve the OidcIdToken given a "sid" value and how to invalidate current sessions either by "sid" (when a sid is specified) or all of them (when no sid is specified), also considering the integration with Spring Session. I don't have a valid proposal yet. Do you have any suggestion? 3. Define a filter to intercept backchannel logout requests
I'm currently drafting this part. Any comment? |
|
Thanks for the detailed comments @ThomasVitale ! I would really appreciate if you can wait on my feedback. I'm currently backlogged as we're targeting Spring Security |
|
@jgrandja absolutely no problem, I'll wait. |
|
Good to read that this feature is on the agenda. Is there already a rough estimate of when it will be included in a release? |
|
@ThomasVitale Thank you for your patience!
Yes. The attribute name for
I don't think we need this at the moment. The
Yes. And this
Instead of adding
For the initial draft PR, let's avoid touching existing code and see where there is duplication. Then we can consider re-factoring for reuse if necessary.
Let's keep this out for now as it will add more complexity in storing the
If you can't reuse
I haven't thought about this yet but I think what might need to happen is that the session is invalidated when the next request comes into the client application. We would need to determine if the session has a "pending" back-channel logout event and if yes then invalidate at that point.
I proposed
I'm not sure if this is needed. All logic could be encapsulated in the |
|
@jgrandja thanks for your feedback. I'll keep working on the task accordingly. |
|
Sorry for the long waiting time. I plan to submit the new draft solution later this month. |
|
No worries @ThomasVitale. Whenever you have time. |
|
Hello! Just found this as I'm looking on how to get OIDC back-channel to work for my Spring app. Any update? |
|
@heruan There are no updates at this time. But we will try our best to get this feature in after |
|
Exciting to see it be moved from Planning to Prioritized 👍 |
|
@ThomasVitale, I've just started working on this. If you have a branch that you'd like to share, I'd be happy to see what I can incorporate. If not, that's no problem. |
|
@jzheaux thanks a lot for picking this up, I'm sorry I didn't manage to complete it. This is the initial draft I worked on: https://github.com/ThomasVitale/spring-security/commit/b58a6fa092df5ddbf53983da82ba160136bbfa6b |
|
@jzheaux is there an estimation of when this Back-Chanel Logout feature will be available for OAuth2 clients? Quite a few users of the deprecated Keycloak adapters for spring-security 5 are using this feature, labeled as Single Sign On (which implied Single Sign Out), and are blocked in their clients migration to spring-security 6. As I am trying to replace rich browser application security, currently implemented as OAuth2 public clients, with session cookies and |
|
I have implementations for both servlet and reactive applications. Both are based on the same mechanisms: override the authorized client repository to keep an index of authorized clients keys (OP issuer and user subject on that OP) for all sessions, so that, when the direct request from the OP is processed (without any user session), it is still possible to retrieve the authorized client to remove and the session to (potentially) invalidate: it should be invalidated only if the removed authorized client was the last one for the processed user: when a client is logged in with let's say Google and Github at the same time, the user session should not be invalidated if he logs out from only one of the two. Removing the right authorized client is enough. The tough parts were:
Here is how I achieved the second point: @Bean
WebSessionManager webSessionManager(WebSessionStore webSessionStore) {
DefaultWebSessionManager webSessionManager = new DefaultWebSessionManager();
webSessionManager.setSessionStore(webSessionStore);
return webSessionManager;
}
@Bean
WebSessionStore webSessionStore(ServerProperties serverProperties) {
return new SpringAddonsWebSessionStore(serverProperties.getReactive().getSession().getTimeout());
}
public static interface WebSessionListener {
default void sessionCreated(WebSession session) {
}
default void sessionRemoved(String sessionId) {
}
}
static class SpringAddonsWebSessionStore implements WebSessionStore {
private final InMemoryWebSessionStore delegate = new InMemoryWebSessionStore();
private final ConcurrentLinkedQueue<WebSessionListener> webSessionListeners = new ConcurrentLinkedQueue<WebSessionListener>();
private final Duration timeout;
public SpringAddonsWebSessionStore(Duration timeout) {
this.timeout = timeout;
}
public void addWebSessionListener(WebSessionListener listener) {
webSessionListeners.add(listener);
}
@Override
public Mono<WebSession> createWebSession() {
return delegate.createWebSession().doOnSuccess(this::setMaxIdleTime)
.doOnSuccess(session -> webSessionListeners.forEach(l -> l.sessionCreated(session)));
}
@Override
public Mono<WebSession> retrieveSession(String sessionId) {
return delegate.retrieveSession(sessionId);
}
@Override
public Mono<Void> removeSession(String sessionId) {
webSessionListeners.forEach(l -> l.sessionRemoved(sessionId));
return delegate.removeSession(sessionId);
}
@Override
public Mono<WebSession> updateLastAccessTime(WebSession webSession) {
return delegate.updateLastAccessTime(webSession);
}
private void setMaxIdleTime(WebSession session) {
session.setMaxIdleTime(this.timeout);
}
}For the rest (Back-Channel Logout controller and security filter-chain), I wrote spring-boot starters available from here for servlets and there for reactive applications. That works with custom authorized client repositories for servlets and Webflux which have the double responsibility of bringing multi-tenancy support and keeping the indexes for authorized clients across sessions. |
|
Hello, any update on when this can be released? |
|
@maradanasai We're targeting |
|
Closed in b75b3df |
Summary
I'm using an OIDC Provider that supports OIDC Back-channel Logout Spec. However the current version of Spring Security doesn't implement this functionality.
Actual Behavior
There's no way to have single sign out.
Expected Behavior
Single sign out from all RPs in which the user has authenticated with SSO.
Configuration
Version
5.2
The text was updated successfully, but these errors were encountered: