GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Fix Documentation Errors 

Issue gh-12570
pull/13880/head
Josh Cummings 2 years ago
parent
7104436a01
commit
6b0d82236d
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
3 changed files with 2 additions and 111 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      docs/modules/ROOT/pages/reactive/oauth2/login/logout.adoc
  2. 109
      docs/modules/ROOT/pages/servlet/oauth2/login/advanced.adoc
  3. 2
      docs/modules/ROOT/pages/servlet/oauth2/login/logout.adoc

2
docs/modules/ROOT/pages/reactive/oauth2/login/logout.adoc
Unescape View File

@ -173,7 +173,7 @@ open fun filterChain(http: ServerHttpSecurity): SecurityWebFilterChain { @@ -173,7 +173,7 @@ open fun filterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
And that's it!
This will stand up the endpoint `/logout/connect/back-channel/+{registrationId}` which the OIDC Provider can request to invalidate a given session of an end user in your application.
This will stand up the endpoint `+/logout/connect/back-channel/{registrationId}+` which the OIDC Provider can request to invalidate a given session of an end user in your application.
[NOTE]
`oidcLogout` requires that `oauth2Login` also be configured.

109
docs/modules/ROOT/pages/servlet/oauth2/login/advanced.adoc
Unescape View File

@ -929,114 +929,5 @@ For MAC-based algorithms (such as `HS256`, `HS384`, or `HS512`), the `client-sec @@ -929,114 +929,5 @@ For MAC-based algorithms (such as `HS256`, `HS384`, or `HS512`), the `client-sec
If more than one `ClientRegistration` is configured for OpenID Connect 1.0 Authentication, the JWS algorithm resolver may evaluate the provided `ClientRegistration` to determine which algorithm to return.
====
[[oauth2login-advanced-oidc-logout]]
== OpenID Connect 1.0 Logout
OpenID Connect Session Management 1.0 allows the ability to log out the end user at the Provider by using the Client.
One of the strategies available is https://openid.net/specs/openid-connect-rpinitiated-1_0.html[RP-Initiated Logout].
If the OpenID Provider supports both Session Management and https://openid.net/specs/openid-connect-discovery-1_0.html[Discovery], the client can obtain the `end_session_endpoint` `URL` from the OpenID Provider's https://openid.net/specs/openid-connect-session-1_0.html#OPMetadata[Discovery Metadata].
You can do so by configuring the `ClientRegistration` with the `issuer-uri`, as follows:
[source,yaml]
----
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
...
provider:
okta:
issuer-uri: https://dev-1234.oktapreview.com
----
Also, you can configure `OidcClientInitiatedLogoutSuccessHandler`, which implements RP-Initiated Logout, as follows:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {
@Autowired
private ClientRegistrationRepository clientRegistrationRepository;
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.oauth2Login(withDefaults())
.logout(logout -> logout
.logoutSuccessHandler(oidcLogoutSuccessHandler())
);
return http.build();
}
private LogoutSuccessHandler oidcLogoutSuccessHandler() {
OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler =
new OidcClientInitiatedLogoutSuccessHandler(this.clientRegistrationRepository);
// Sets the location that the End-User's User Agent will be redirected to
// after the logout has been performed at the Provider
oidcLogoutSuccessHandler.setPostLogoutRedirectUri("{baseUrl}");
return oidcLogoutSuccessHandler;
}
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {
@Autowired
private lateinit var clientRegistrationRepository: ClientRegistrationRepository
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorize(anyRequest, authenticated)
}
oauth2Login { }
logout {
logoutSuccessHandler = oidcLogoutSuccessHandler()
}
}
return http.build()
}
private fun oidcLogoutSuccessHandler(): LogoutSuccessHandler {
val oidcLogoutSuccessHandler = OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository)
// Sets the location that the End-User's User Agent will be redirected to
// after the logout has been performed at the Provider
oidcLogoutSuccessHandler.setPostLogoutRedirectUri("{baseUrl}")
return oidcLogoutSuccessHandler
}
}
----
======
[NOTE]
====
`OidcClientInitiatedLogoutSuccessHandler` supports the `+{baseUrl}+` placeholder.
If used, the application's base URL, such as `https://app.example.org`, replaces it at request time.
====
[[oauth2login-advanced-oidc-logout]]
Then, you can proceed to configure xref:reactive/oauth2/login/logout.adoc[logout]

2
docs/modules/ROOT/pages/servlet/oauth2/login/logout.adoc
Unescape View File

@ -172,7 +172,7 @@ open fun filterChain(http: HttpSecurity): SecurityFilterChain { @@ -172,7 +172,7 @@ open fun filterChain(http: HttpSecurity): SecurityFilterChain {
And that's it!
This will stand up the endpoint `/logout/connect/back-channel/+{registrationId}` which the OIDC Provider can request to invalidate a given session of an end user in your application.
This will stand up the endpoint `+/logout/connect/back-channel/{registrationId}+` which the OIDC Provider can request to invalidate a given session of an end user in your application.
[NOTE]
`oidcLogout` requires that `oauth2Login` also be configured.

Write Preview
Loading…
Cancel
Save