Skip to content

Commit

Permalink
Do Not Wire Default OidcSessionStrategy without OidcLogoutConfigurer
Browse files Browse the repository at this point in the history
Closes gh-14558
  • Loading branch information
jzheaux committed Feb 12, 2024
1 parent eea4279 commit 3ab3236
Show file tree
Hide file tree
Showing 6 changed files with 172 additions and 13 deletions.
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -582,6 +582,10 @@ private RequestMatcher getFormLoginNotEnabledRequestMatcher(B http) {
}

private void configureOidcSessionRegistry(B http) {
if (http.getConfigurer(OidcLogoutConfigurer.class) == null
&& http.getSharedObject(OidcSessionRegistry.class) == null) {
return;
}
OidcSessionRegistry sessionRegistry = OAuth2ClientConfigurerUtils.getOidcSessionRegistry(http);
SessionManagementConfigurer<B> sessionConfigurer = http.getConfigurer(SessionManagementConfigurer.class);
if (sessionConfigurer != null) {
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -3974,8 +3974,10 @@ protected void configure(ServerHttpSecurity http) {

ReactiveAuthenticationManager manager = getAuthenticationManager();
ReactiveOidcSessionRegistry sessionRegistry = getOidcSessionRegistry();
AuthenticationWebFilter authenticationFilter = new OidcSessionRegistryAuthenticationWebFilter(manager,
authorizedClientRepository, sessionRegistry);
AuthenticationWebFilter authenticationFilter = (sessionRegistry != null)
? new OidcSessionRegistryAuthenticationWebFilter(manager, authorizedClientRepository,
sessionRegistry)
: new OAuth2LoginAuthenticationWebFilter(manager, authorizedClientRepository);
authenticationFilter.setRequiresAuthenticationMatcher(getAuthenticationMatcher());
authenticationFilter
.setServerAuthenticationConverter(getAuthenticationConverter(clientRegistrationRepository));
Expand All @@ -3984,8 +3986,10 @@ protected void configure(ServerHttpSecurity http) {
authenticationFilter.setSecurityContextRepository(this.securityContextRepository);

setDefaultEntryPoints(http);
http.addFilterAfter(new OidcSessionRegistryWebFilter(sessionRegistry),
SecurityWebFiltersOrder.HTTP_HEADERS_WRITER);
if (sessionRegistry != null) {
http.addFilterAfter(new OidcSessionRegistryWebFilter(sessionRegistry),
SecurityWebFiltersOrder.HTTP_HEADERS_WRITER);
}
http.addFilterAt(oauthRedirectFilter, SecurityWebFiltersOrder.HTTP_BASIC);
http.addFilterAt(authenticationFilter, SecurityWebFiltersOrder.AUTHENTICATION);
}
Expand Down Expand Up @@ -4031,6 +4035,9 @@ MediaType.APPLICATION_XHTML_XML, new MediaType("image", "*"), MediaType.TEXT_HTM
}

private ReactiveOidcSessionRegistry getOidcSessionRegistry() {
if (ServerHttpSecurity.this.oidcLogout == null && this.oidcSessionRegistry == null) {
return null;
}
if (this.oidcSessionRegistry == null) {
this.oidcSessionRegistry = getBeanOrNull(ReactiveOidcSessionRegistry.class);
}
Expand Down Expand Up @@ -4269,8 +4276,7 @@ public Duration getMaxIdleTime() {

}

private static final class OidcSessionRegistryAuthenticationWebFilter
extends OAuth2LoginAuthenticationWebFilter {
static final class OidcSessionRegistryAuthenticationWebFilter extends OAuth2LoginAuthenticationWebFilter {

private final Log logger = LogFactory.getLog(getClass());

Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -22,6 +22,7 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.apache.http.HttpHeaders;
import org.junit.jupiter.api.AfterEach;
Expand All @@ -36,6 +37,7 @@
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.SmartApplicationListener;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.mock.web.MockFilterChain;
Expand All @@ -48,16 +50,19 @@
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.context.DelegatingApplicationListener;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.context.SecurityContextChangedListener;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.session.SessionDestroyedEvent;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.oidc.session.OidcSessionRegistry;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
Expand Down Expand Up @@ -95,7 +100,9 @@
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.test.util.ReflectionTestUtils;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;

Expand Down Expand Up @@ -150,10 +157,10 @@ public class OAuth2LoginConfigurerTests {
@Autowired
private FilterChainProxy springSecurityFilterChain;

@Autowired
@Autowired(required = false)
private AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository;

@Autowired
@Autowired(required = false)
SecurityContextRepository securityContextRepository;

public final SpringTestContext spring = new SpringTestContext(this);
Expand Down Expand Up @@ -642,6 +649,26 @@ public void logoutWhenUsingOidcLogoutHandlerThenRedirects() throws Exception {
.andExpect(redirectedUrl("https://logout?id_token_hint=id-token"));
}

@Test
public void configureWhenOidcSessionStrategyThenUses() {
this.spring.register(OAuth2LoginWithOidcSessionRegistry.class).autowire();
OidcSessionRegistry registry = this.spring.getContext().getBean(OidcSessionRegistry.class);
this.spring.getContext().publishEvent(new HttpSessionDestroyedEvent(this.request.getSession()));
verify(registry).removeSessionInformation(this.request.getSession().getId());
}

// gh-14558
@Test
public void oauth2LoginWhenDefaultsThenNoOidcSessionRegistry() {
this.spring.register(OAuth2LoginConfig.class).autowire();
DelegatingApplicationListener listener = this.spring.getContext().getBean(DelegatingApplicationListener.class);
List<SmartApplicationListener> listeners = (List<SmartApplicationListener>) ReflectionTestUtils
.getField(listener, "listeners");
assertThat(listeners.stream()
.filter((l) -> l.supportsEventType(SessionDestroyedEvent.class))
.collect(Collectors.toList())).isEmpty();
}

private void loadConfig(Class<?>... configs) {
AnnotationConfigWebApplicationContext applicationContext = new AnnotationConfigWebApplicationContext();
applicationContext.register(configs);
Expand Down Expand Up @@ -1117,6 +1144,32 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

}

@Configuration
@EnableWebSecurity
static class OAuth2LoginWithOidcSessionRegistry {

private final OidcSessionRegistry registry = mock(OidcSessionRegistry.class);

@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.oauth2Login((oauth2) -> oauth2
.clientRegistrationRepository(
new InMemoryClientRegistrationRepository(GOOGLE_CLIENT_REGISTRATION))
.oidcSessionRegistry(this.registry)
);
// @formatter:on
return http.build();
}

@Bean
OidcSessionRegistry oidcSessionRegistry() {
return this.registry;
}

}

@Configuration
@EnableWebSecurity
static class OAuth2LoginWithXHREntryPointConfig extends CommonSecurityFilterChainConfig {
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -34,11 +34,13 @@
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.UserDetailsRepositoryReactiveAuthenticationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.config.users.ReactiveAuthenticationTestConfiguration;
import org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2LoginSpec.OidcSessionRegistryAuthenticationWebFilter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
Expand All @@ -54,10 +56,12 @@
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeReactiveAuthenticationManager;
import org.springframework.security.oauth2.client.oidc.server.session.ReactiveOidcSessionRegistry;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.web.server.ServerAuthorizationRequestRepository;
Expand Down Expand Up @@ -576,6 +580,27 @@ public void oauth2LoginWhenAuthenticationConverterFailsThenDefaultRedirectToLogi
// @formatter:on
}

@Test
public void oauth2LoginWhenOidcSessionRegistryThenUses() {
this.spring.register(OAuth2LoginWithOidcSessionRegistry.class).autowire();
SecurityWebFilterChain chain = this.spring.getContext().getBean(SecurityWebFilterChain.class);
assertThat(chain.getWebFilters()
.filter((filter) -> filter instanceof OidcSessionRegistryAuthenticationWebFilter)
.collectList()
.block()).isNotEmpty();
}

// gh-14558
@Test
public void oauth2LoginWhenDefaultsThenNoOidcSessionRegistry() {
this.spring.register(OAuth2LoginWithSingleClientRegistrations.class, OAuth2LoginConfig.class).autowire();
SecurityWebFilterChain chain = this.spring.getContext().getBean(SecurityWebFilterChain.class);
assertThat(chain.getWebFilters()
.filter((filter) -> filter instanceof OidcSessionRegistryAuthenticationWebFilter)
.collectList()
.block()).isEmpty();
}

Mono<SecurityContext> authentication(Authentication authentication) {
SecurityContext context = new SecurityContextImpl();
context.setAuthentication(authentication);
Expand Down Expand Up @@ -624,6 +649,21 @@ InMemoryReactiveClientRegistrationRepository clientRegistrationRepository() {

}

@EnableWebFlux
static class OAuth2LoginConfig {

@Bean
SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
// @formatter:off
http
.authorizeExchange((authorize) -> authorize.anyExchange().authenticated())
.oauth2Login(Customizer.withDefaults());
// @formatter:on
return http.build();
}

}

@EnableWebFlux
static class OAuth2AuthorizeWithMockObjectsConfig {

Expand Down Expand Up @@ -892,6 +932,35 @@ ClientRegistration clientRegistration() {

}

@Configuration
@EnableWebFluxSecurity
static class OAuth2LoginWithOidcSessionRegistry {

private final ReactiveOidcSessionRegistry registry = mock(ReactiveOidcSessionRegistry.class);

private final ReactiveClientRegistrationRepository clients = new InMemoryReactiveClientRegistrationRepository(
TestClientRegistrations.clientRegistration().build());

@Bean
SecurityWebFilterChain filterChain(ServerHttpSecurity http) {
// @formatter:off
http
.authorizeExchange((authorize) -> authorize.anyExchange().authenticated())
.oauth2Login((oauth2) -> oauth2
.clientRegistrationRepository(this.clients)
.oidcSessionRegistry(this.registry)
);
// @formatter:on
return http.build();
}

@Bean
ReactiveOidcSessionRegistry oidcSessionRegistry() {
return this.registry;
}

}

static class GitHubWebFilter implements WebFilter {

@Override
Expand Down
27 changes: 27 additions & 0 deletions docs/modules/ROOT/pages/servlet/oauth2/login/logout.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -170,6 +170,33 @@ open fun filterChain(http: HttpSecurity): SecurityFilterChain {
----
======

Then, you need a way listen to events published by Spring Security to remove old `OidcSessionInformation` entries, like so:

[tabs]
======
Java::
+
[source=java,role="primary"]
----
@Bean
public HttpSessionEventListener sessionEventListener() {
return new HttpSessionEventListener();
}
----
Kotlin::
+
[source=kotlin,role="secondary"]
----
@Bean
open fun sessionEventListener(): HttpSessionEventListener {
return HttpSessionEventListener()
}
----
======

This will make so that if `HttpSession#invalidate` is called, then the session is also removed from memory.

And that's it!

This will stand up the endpoint `+/logout/connect/back-channel/{registrationId}+` which the OIDC Provider can request to invalidate a given session of an end user in your application.
Expand Down

0 comments on commit 3ab3236

Please sign in to comment.