Consider OIDC Back-Channel favoring logout_token over CSRF #13841

Closed
jzheaux opened this issue Sep 16, 2023 · 2 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement

Comments

jzheaux commented Sep 16, 2023

The current OIDC back-channel logout support saves the end-user's CSRF token to use in a self-logout call when the back-channel request comes from the authorization server.

This adds more information to OidcSessionInformation than may be necessary. Instead, I think it would also work to send the logout_token in place of the CSRF token.

The upside is a simpler contract and simpler configuration. The possible downside is the logout token is validated multiple times, once for each session being invalidated.
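To make the trade-off concrete, the following is an added, stand-alone Python model of the two designs; it is not Spring Security's code and does not use its API. It assumes an HMAC-signed logout token (a real authorization server signs with a key it publishes at its JWKS URI), models the "self-logout call" as a direct method call instead of an HTTP request to the application's own logout endpoint, and the names SessionRegistry, BackChannelLogoutHandler and self_logout_* are invented for the demo. The logout token checks follow OpenID Connect Back-Channel Logout 1.0, section 2.6 (issuer, audience, iat, jti, the backchannel-logout event, sub or sid present, no nonce). The "current" handler stores a CSRF token per session and verifies the logout token once; the "proposed" handler stores nothing extra but verifies the token once at the endpoint plus once per session it invalidates, and additionally checks that a re-presented logout token actually covers the session being dropped, so the self-logout request cannot be turned into a generic logout.

```python
"""Added example, not Spring Security's code: a stand-alone model of OIDC Back-Channel Logout
contrasting the two self-logout designs in this issue. Class and function names are demo assumptions."""
import base64, hashlib, hmac, json

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_logout_token(claims: dict, key: bytes) -> str:
    """Demo-only HMAC signing; a real authorization server signs with a key from its JWKS."""
    body = _b64url(json.dumps(claims).encode())
    return body + "." + _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())

def validate_logout_token(token: str, key: bytes, issuer: str, client_id: str, now: int) -> dict:
    """Checks from OpenID Connect Back-Channel Logout 1.0 section 2.6; raises ValueError on failure."""
    body, sep, sig = token.partition(".")
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not sep or not hmac.compare_digest(tag, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud")
    checks = [
        (claims.get("iss") == issuer, "unexpected issuer"),
        (client_id in (aud if isinstance(aud, list) else [aud]), "token not addressed to this client"),
        (isinstance(claims.get("iat"), (int, float)) and claims["iat"] <= now + 60, "missing or future iat"),
        (bool(claims.get("jti")), "missing jti"),
        (BACKCHANNEL_EVENT in claims.get("events", {}), "not a back-channel logout event"),
        ("sub" in claims or "sid" in claims, "token must carry sub or sid"),
        ("nonce" not in claims, "nonce must not be present"),
    ]
    for ok, reason in checks:
        if not ok:
            raise ValueError(reason)
    return claims

def validation_error(token, key, issuer, client_id, now):
    try:
        validate_logout_token(token, key, issuer, client_id, now)
    except ValueError as exc:
        return str(exc)
    return None

class SessionRegistry:
    """Local session id -> OIDC sub/sid, plus the CSRF token only the current design must keep."""
    def __init__(self):
        self.sessions = {}
    def register(self, session_id, sub, sid, csrf=None):
        self.sessions[session_id] = {"sub": sub, "sid": sid, "csrf": csrf}
    def matching(self, claims):
        """Sessions the token targets: by sid when present, else every session of sub."""
        key = "sid" if "sid" in claims else "sub"
        return [s for s, info in self.sessions.items() if info[key] == claims[key]]

class BackChannelLogoutHandler:
    def __init__(self, registry, key, issuer, client_id, use_logout_token):
        self.registry, self.key, self.issuer, self.client_id = registry, key, issuer, client_id
        self.use_logout_token = use_logout_token
        self.validations = 0  # how many times the logout token gets fully verified
    def _verify(self, logout_token, now):
        self.validations += 1
        return validate_logout_token(logout_token, self.key, self.issuer, self.client_id, now)
    def handle(self, logout_token, now):
        """Back-channel endpoint: verify once, then self-logout every matching session."""
        targets = self.registry.matching(self._verify(logout_token, now))
        for session_id in targets:
            if self.use_logout_token:
                self.self_logout_with_token(session_id, logout_token, now)
            else:
                self.self_logout_with_csrf(session_id, self.registry.sessions[session_id]["csrf"])
        return targets
    def self_logout_with_csrf(self, session_id, presented_csrf):
        """Current design: the internal logout request is authorised by the CSRF token saved at login."""
        stored = self.registry.sessions[session_id]["csrf"]
        if stored is None or not hmac.compare_digest(stored, presented_csrf):
            raise ValueError("csrf token mismatch")
        del self.registry.sessions[session_id]
    def self_logout_with_token(self, session_id, logout_token, now):
        """Proposed design: the internal request carries the logout_token, re-verified per session."""
        if session_id not in self.registry.matching(self._verify(logout_token, now)):
            raise ValueError("logout token does not cover this session")
        del self.registry.sessions[session_id]

def demo():
    key, issuer, client, now = b"demo-shared-secret", "https://idp.example", "app-client", 1_700_000_000
    handlers = {}
    for name, csrf in (("current", "csrf-"), ("proposed", None)):
        h = handlers[name] = BackChannelLogoutHandler(SessionRegistry(), key, issuer, client, csrf is None)
        # constructed sessions: S1 and S2 share OP session sid-1, S3 belongs to another user
        for session_id, sub, sid in (("S1", "alice", "sid-1"), ("S2", "alice", "sid-1"), ("S3", "bob", "sid-2")):
            h.registry.register(session_id, sub, sid, csrf and csrf + session_id[-1])
    token = sign_logout_token({"iss": issuer, "aud": client, "iat": now, "jti": "evt-1",
                               "events": {BACKCHANNEL_EVENT: {}}, "sid": "sid-1"}, key)
    # per design: (sessions logged out, token verifications performed, sessions still alive)
    return {name: (sorted(h.handle(token, now)), h.validations, sorted(h.registry.sessions))
            for name, h in handlers.items()}
```

Running `demo()` logs out S1 and S2 under both designs and leaves S3 untouched; the "current" handler verifies the token once, the "proposed" one three times (once at the endpoint, once per session), which is exactly the cost the issue flags, while its registry never had to hold a CSRF token.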

@jzheaux jzheaux added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Sep 16, 2023
@jzheaux jzheaux self-assigned this Sep 16, 2023
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 16, 2023
@jzheaux jzheaux added the status: blocked An issue that's blocked on an external project change label Jan 31, 2024
jzheaux commented Jan 31, 2024

Waiting on #14510

jzheaux commented Jul 22, 2024

Given the feedback in #15227, I think that's enough to consider adding this without waiting for #14510.

@jzheaux jzheaux removed the status: blocked An issue that's blocked on an external project change label Jul 22, 2024
@jzheaux jzheaux added this to the 6.4.x milestone Jul 22, 2024
jzheaux added a commit to jzheaux/spring-security that referenced this issue Aug 8, 2024
jzheaux added a commit to jzheaux/spring-security that referenced this issue Sep 4, 2024
jzheaux added a commit to jzheaux/spring-security that referenced this issue Sep 16, 2024
This component already uses by default a URI that doesn't require
a CSRF token and already allows for configuring a cookie name.

So, by making it public and configurable in the DSL, both
of these tickets quite naturally close.

Closes spring-projectsgh-13841
Closes spring-projectsgh-14904