Merge b0b8a186df into 0d5f42f852

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -98,6 +98,7 @@ import org.springframework.util.Assert;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.filter.CorsFilter;
 
+
 /**
  * A {@link HttpSecurity} is similar to Spring Security's XML <http> element in the
  * namespace configuration. It allows configuring web based security for specific http
@@ -1430,6 +1431,32 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 		return HttpSecurity.this;
 	}
 
+	/**
+	 * Configures OpenID Connect (OIDC) Back-Channel Logout support.
+	 *
+	 * <p>This method enables the configuration of OIDC Back-Channel Logout by applying
+	 * the provided {@link Customizer} to an instance of {@link OidcLogoutConfigurer}. It
+	 * initializes the back-channel logout support with default settings, making it easier
+	 * to integrate with other logout configurations.
+	 *
+	 * <p>For example, to enable OIDC Back-Channel Logout with default settings:
+	 * <pre>
+	 *     http.oidcBackChannelLogout(Customizer.withDefaults());
+	 * </pre>
+	 *
+	 * @param oidcBackChannelLogoutCustomizer the customizer to configure OIDC Back-Channel Logout options
+	 * @return the {@code HttpSecurity} instance for further customizations
+	 * @throws Exception if an error occurs during configuration
+	 * @since 6.5
+	 */
+	public HttpSecurity oidcBackChannelLogout(Customizer<OidcLogoutConfigurer<HttpSecurity>> oidcBackChannelLogoutCustomizer)
+			throws Exception {
+		oidcBackChannelLogoutCustomizer.customize(
+				getOrApply(new OidcLogoutConfigurer<>()).backChannel(Customizer.withDefaults())
+		);
+		return this;
+	}
+
 	/**
 	 * Configures OAuth 2.0 Client support.
 	 *

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java

@@ -16,12 +16,8 @@
 
 package org.springframework.security.config.annotation.web.configurers.oauth2.client;
 
-import java.util.function.Consumer;
-import java.util.function.Function;
-
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
-
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.ProviderManager;
@@ -40,6 +36,9 @@ import org.springframework.security.web.authentication.logout.SecurityContextLog
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.util.Assert;
 
+import java.util.function.Consumer;
+import java.util.function.Function;
+
 /**
  * An {@link AbstractHttpConfigurer} for OIDC Logout flows
  *
@@ -102,7 +101,10 @@ public final class OidcLogoutConfigurer<B extends HttpSecurityBuilder<B>>
 	/**
 	 * Configure OIDC Back-Channel Logout using the provided {@link Consumer}
 	 * @return the {@link OidcLogoutConfigurer} for further configuration
+	 * @deprecated For removal in a future release. Use
+	 * {@link HttpSecurity#oidcBackChannelLogout(Customizer)} instead.
 	 */
+	@Deprecated(since = "6.5", forRemoval = true)
 	public OidcLogoutConfigurer<B> backChannel(Customizer<BackChannelLogoutConfigurer> backChannelLogoutConfigurer) {
 		if (this.backChannel == null) {
 			this.backChannel = new BackChannelLogoutConfigurer();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurerTests.java

@@ -312,6 +312,24 @@ public class OidcLogoutConfigurerTests {
 					.param("logout_token", logoutToken)));
 	}
 
+	@Test
+	void oidcBackChannelLogoutWhenDefaultsThenRemotelyInvalidatesSessions() throws Exception {
+		this.spring.register(WebServerConfig.class, OidcProviderConfig.class, WithOidcBackChannelDslConfig.class)
+				.autowire();
+		String registrationId = this.clientRegistration.getRegistrationId();
+		MockHttpSession session = login();
+		String logoutToken = this.mvc.perform(get("/token/logout").session(session))
+				.andExpect(status().isOk())
+				.andReturn()
+				.getResponse()
+				.getContentAsString();
+		this.mvc.perform(post(this.web.url("/logout/connect/back-channel/" + registrationId).toString())
+						.param("logout_token", logoutToken))
+				.andExpect(status().isOk());
+		this.mvc.perform(get("/token/logout").session(session))
+				.andExpect(status().isUnauthorized());
+	}
+
 	private MockHttpSession login() throws Exception {
 		MockMvcDispatcher dispatcher = (MockMvcDispatcher) this.web.getDispatcher();
 		this.mvc.perform(get("/token/logout")).andExpect(status().isUnauthorized());
@@ -739,6 +757,23 @@ public class OidcLogoutConfigurerTests {
 
 	}
 
+	@Configuration
+	@EnableWebSecurity
+	@Import(RegistrationConfig.class)
+	static class WithOidcBackChannelDslConfig {
+
+		@Bean
+		@Order(1)
+		SecurityFilterChain filters(HttpSecurity http) throws Exception {
+			http
+					.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
+					.oauth2Login(Customizer.withDefaults())
+					.oidcBackChannelLogout(Customizer.withDefaults());
+			return http.build();
+		}
+
+	}
+
 	private static class MockMvcDispatcher extends Dispatcher {
 
 		private final Map<String, MockHttpSession> session = new ConcurrentHashMap<>();