diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java index 6ef44031c5..d963cd6f7e 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java @@ -98,6 +98,7 @@ import org.springframework.util.Assert; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.filter.CorsFilter; + /** * A {@link HttpSecurity} is similar to Spring Security's XML <http> element in the * namespace configuration. It allows configuring web based security for specific http @@ -1430,6 +1431,32 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilderThis method enables the configuration of OIDC Back-Channel Logout by applying + * the provided {@link Customizer} to an instance of {@link OidcLogoutConfigurer}. It + * initializes the back-channel logout support with default settings, making it easier + * to integrate with other logout configurations. + * + *

For example, to enable OIDC Back-Channel Logout with default settings: + *

+	 *     http.oidcBackChannelLogout(Customizer.withDefaults());
+	 * 
+ * + * @param oidcBackChannelLogoutCustomizer the customizer to configure OIDC Back-Channel Logout options + * @return the {@code HttpSecurity} instance for further customizations + * @throws Exception if an error occurs during configuration + * @since 6.5 + */ + public HttpSecurity oidcBackChannelLogout(Customizer> oidcBackChannelLogoutCustomizer) + throws Exception { + oidcBackChannelLogoutCustomizer.customize( + getOrApply(new OidcLogoutConfigurer<>()).backChannel(Customizer.withDefaults()) + ); + return this; + } + /** * Configures OAuth 2.0 Client support. * diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java index 4947669a2e..788ca3704a 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java @@ -16,12 +16,8 @@ package org.springframework.security.config.annotation.web.configurers.oauth2.client; -import java.util.function.Consumer; -import java.util.function.Function; - import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; - import org.springframework.context.ApplicationContext; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.ProviderManager; @@ -40,6 +36,9 @@ import org.springframework.security.web.authentication.logout.SecurityContextLog import org.springframework.security.web.csrf.CsrfFilter; import org.springframework.util.Assert; +import java.util.function.Consumer; +import java.util.function.Function; + /** * An {@link AbstractHttpConfigurer} for OIDC Logout flows * 
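Review bot: The new `oidcBackChannelLogout` reaches back-channel support only through `getOrApply(new OidcLogoutConfigurer<>()).backChannel(Customizer.withDefaults())`, and `backChannel(Customizer)` is marked `@Deprecated(since = "6.5", forRemoval = true)` in this same commit (the OidcLogoutConfigurer hunk below), so the replacement entry point is built on the member it is meant to replace and will have to be reworked the day that member is removed. The customizer a caller passes is applied to the `OidcLogoutConfigurer`, not to the back-channel settings, so the `@param` text "the customizer to configure OIDC Back-Channel Logout options" overstates what it can do; as far as the hunk shows, changing a back-channel option through this method still means calling the deprecated `backChannel(...)` inside the lambda. Either type the customizer over the back-channel configurer so defaults and per-option customization both live in the new method, or leave `backChannel` undeprecated, and in either case reword the tag to say what the customizer is applied to, e.g. `@param oidcBackChannelLogoutCustomizer the {@link Customizer} applied to the {@link OidcLogoutConfigurer} after back-channel logout has been enabled with defaults`. The enclosing class `HttpSecurity` continues outside the hunk, and the hunk's leading context lines appear to have been lost in rendering.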
@@ -102,7 +101,10 @@ public final class OidcLogoutConfigurer>
 /**
 * Configure OIDC Back-Channel Logout using the provided {@link Consumer}
 * @return the {@link OidcLogoutConfigurer} for further configuration
+ * @deprecated For removal in a future release. Use
+ * {@link HttpSecurity#oidcBackChannelLogout(Customizer)} instead.
 */
+ @Deprecated(since = "6.5", forRemoval = true)
 public OidcLogoutConfigurer backChannel(Customizer backChannelLogoutConfigurer) {
 if (this.backChannel == null) {
 this.backChannel = new BackChannelLogoutConfigurer();
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurerTests.java
index 4d1c54743f..1b7203bdfe 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurerTests.java
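Review bot: The Javadoc this hunk edits still says the method takes "the provided {@link Consumer}" while the signature directly under it accepts a `Customizer`, so the deprecation note is being attached to a description that is already wrong; while the comment is open, change that line to `* Configure OIDC Back-Channel Logout using the provided {@link Customizer}`. The `@deprecated` text points callers at `HttpSecurity#oidcBackChannelLogout(Customizer)` but says nothing about a caller that today passes a non-default back-channel customizer, and from what the HttpSecurity hunk shows that method takes a customizer of the whole `OidcLogoutConfigurer` rather than of the back-channel settings; spell out the migration for that case (or that none exists yet) so `forRemoval = true` does not strand those callers. A `@param backChannelLogoutConfigurer` tag is also still missing from this Javadoc. The body of `backChannel` continues past the end of the hunk.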
@@ -312,6 +312,24 @@ public class OidcLogoutConfigurerTests { .param("logout_token", logoutToken))); } + @Test + void oidcBackChannelLogoutWhenDefaultsThenRemotelyInvalidatesSessions() throws Exception { + this.spring.register(WebServerConfig.class, OidcProviderConfig.class, WithOidcBackChannelDslConfig.class) + .autowire(); + String registrationId = this.clientRegistration.getRegistrationId(); + MockHttpSession session = login(); + String logoutToken = this.mvc.perform(get("/token/logout").session(session)) + .andExpect(status().isOk()) + .andReturn() + .getResponse() + .getContentAsString(); + this.mvc.perform(post(this.web.url("/logout/connect/back-channel/" + registrationId).toString()) + .param("logout_token", logoutToken)) + .andExpect(status().isOk()); + this.mvc.perform(get("/token/logout").session(session)) + .andExpect(status().isUnauthorized()); + } + private MockHttpSession login() throws Exception { MockMvcDispatcher dispatcher = (MockMvcDispatcher) this.web.getDispatcher(); this.mvc.perform(get("/token/logout")).andExpect(status().isUnauthorized()); @@ -739,6 +757,23 @@ public class OidcLogoutConfigurerTests { } + @Configuration + @EnableWebSecurity + @Import(RegistrationConfig.class) + static class WithOidcBackChannelDslConfig { + + @Bean + @Order(1) + SecurityFilterChain filters(HttpSecurity http) throws Exception { + http + .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated()) + .oauth2Login(Customizer.withDefaults()) + .oidcBackChannelLogout(Customizer.withDefaults()); + return http.build(); + } + + } + private static class MockMvcDispatcher extends Dispatcher { private final Map session = new ConcurrentHashMap<>();
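Review bot: `oidcBackChannelLogoutWhenDefaultsThenRemotelyInvalidatesSessions` pins only the success path of the new DSL: a valid `logout_token` POSTed to `/logout/connect/back-channel/{registrationId}` returns 200 and the session is gone afterwards. The property that matters for an endpoint reachable without authentication — a tampered or malformed `logout_token` is rejected and the session stays valid — is not asserted under `WithOidcBackChannelDslConfig`, and the context line `.param("logout_token", logoutToken)));` suggests the new method is otherwise a copy of the preceding test with only the registered config changed. Add a twin negative test (or parameterize the existing pair over the two configs) that posts an invalid token and then asserts `this.mvc.perform(get("/token/logout").session(session)).andExpect(status().isOk());`, so the DSL wiring is shown to keep the token validation the filter provides. The status expected for the rejected POST should match whatever the existing non-DSL negative test in this file asserts, if there is one.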