Supporting logout+jwt for back-channel logout with spring-webflux #15702

Closed
c1rd3cm opened this issue Aug 27, 2024 · 4 comments · Fixed by #15847
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement

c1rd3cm commented Aug 27, 2024

Expected Behavior
We are using an IDP that sends back-channel logout requests with a token type set as logout+jwt, which should be accepted by spring-security when using spring-webflux.

Current Behavior
The back-channel logout is currently rejected because the only token type supported is jwt.

Error has been observed at the following site(s):
    *__________Mono.errorat org.springframework.security.config.web.server.OidcBackChannelLogoutReactiveAuthenticationManager.lambda$decode$2(OidcBackChannelLogoutReactiveAuthenticationManager.java:92)
    *__Mono.onErrorResumeat org.springframework.security.config.web.server.OidcBackChannelLogoutReactiveAuthenticationManager.decode(OidcBackChannelLogoutReactiveAuthenticationManager.java:88)
    |_           Mono.mapat org.springframework.security.config.web.server.OidcBackChannelLogoutReactiveAuthenticationManager.authenticate(OidcBackChannelLogoutReactiveAuthenticationManager.java:80)
    |_           Mono.mapat org.springframework.security.config.web.server.OidcBackChannelLogoutReactiveAuthenticationManager.authenticate(OidcBackChannelLogoutReactiveAuthenticationManager.java:83)
    *________Mono.flatMapat org.springframework.security.config.web.server.OidcBackChannelLogoutWebFilter.filter(OidcBackChannelLogoutWebFilter.java:90)

Caused by: com.nimbusds.jose.proc.BadJOSEException: JOSE header typ (type) logout+jwt not allowed
    at com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier.verify(DefaultJOSEObjectTypeVerifier.java:148)
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:378)
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:340)
    at org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder.createClaimsSet(NimbusReactiveJwtDecoder.java:292)
    at org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder$JwkSetUriReactiveJwtDecoderBuilder.lambda$processor$13(NimbusReactiveJwtDecoder.java:449)
    at reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.onNext(FluxMapFuseable.java:113)
    at reactor.core.publisher.FluxOnAssembly$OnAssemblySubscriber.onNext(FluxOnAssembly.java:539)

Context

We are using spring-cloud-gateway to manage authentication with spring-session. We have configured the back-channel security but the logout requests don't work because the token type is invalid.

.oidcLogout(oidcLogout -> oidcLogout
    .clientRegistrationRepository(clientRegistrationRepository)
    .backChannel(Customizer.withDefaults()))

This is blocking our users from being logged out from all the RPs, and a user can still navigate to some applications because the session is not fully terminated in all applications. There is no way to customize the token type for back-channel logout because the classes are package protected. I believe there is no workaround other than duplicating the OIDC back-channel logout.
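To make the failure concrete, here is an added, stand-alone example (not code from the issue or from Spring Security) that reproduces the JOSE `typ` check the reactive decoder applies, first with the strict "jwt"-only set and then with the set that also admits the spec-recommended "logout+jwt", and adds the structural claim rules for a logout token from the linked OIDC back-channel spec. The token is constructed and unsigned purely for the demonstration; signature verification, which the real decoder performs, is assumed to happen elsewhere.

```python
import base64
import json

# Constructed example: typ values the decoder accepts. The reactive decoder in
# the report only allowed "jwt"; the OIDC back-channel spec recommends "logout+jwt".
STRICT_TYPES = {"jwt"}
BACKCHANNEL_TYPES = {"jwt", "logout+jwt"}
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_decode(segment: str) -> bytes:
    # Compact JWS segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_logout_token(token: str, allowed_types: set) -> list:
    """Return the validation failures for a back-channel logout token.

    Only the JOSE typ check that failed in the report and the claim rules from
    the back-channel logout spec are reproduced; signature verification is assumed
    to be done by the real decoder and is out of scope here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a compact JWS (expected three segments)"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    failures = []
    # Media type names are case-insensitive, so compare typ in lower case.
    typ = str(header.get("typ", "")).lower()
    if typ not in allowed_types:
        failures.append(f"JOSE header typ (type) {header.get('typ')} not allowed")
    # Spec: events MUST contain the backchannel-logout member name.
    if LOGOUT_EVENT not in claims.get("events", {}):
        failures.append("events claim lacks the backchannel-logout member")
    # Spec: a logout token MUST carry sub or sid (or both) and MUST NOT carry nonce.
    if "sub" not in claims and "sid" not in claims:
        failures.append("logout token must carry sub or sid")
    if "nonce" in claims:
        failures.append("logout token must not carry a nonce")
    return failures


def build_unsigned_token(typ: str, claims: dict) -> str:
    """Build a constructed, unsigned compact token (alg none) for the demo only."""
    return f"{_b64url_encode({'alg': 'none', 'typ': typ})}.{_b64url_encode(claims)}."
```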

@c1rd3cm c1rd3cm added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Aug 27, 2024
jzheaux commented Sep 3, 2024

Hi, @c1rd3cm, thanks for pointing this out. This was recently added on the Servlet side. Would you be able to open a PR to do the same on the reactive side?

@jzheaux jzheaux self-assigned this Sep 3, 2024
@jzheaux jzheaux added status: ideal-for-contribution An issue that we actively are looking for someone to help us with in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 3, 2024
c1rd3cm commented Sep 5, 2024

Yes @jzheaux, I should be able to open a PR to do the same on the reactive side.

@jzheaux jzheaux removed the status: ideal-for-contribution An issue that we actively are looking for someone to help us with label Sep 26, 2024
c1rd3cm added a commit to c1rd3cm/spring-security that referenced this issue Sep 27, 2024
The OIDC back-channel spec recommends using a logout token typ `logout+jwt`
(see [here](https://openid.net/specs/openid-connect-backchannel-1_0-final.html#LogoutToken)).

Support of this type was recently added [on the Servlet side](spring-projects@9101bf1), so back
porting the same on the reactive side to close the gap.

Closes gh-15702
jzheaux pushed a commit that referenced this issue Sep 30, 2024
c1rd3cm commented Oct 2, 2024

@jzheaux can I backport the fix for 6.3.x?

jzheaux pushed a commit that referenced this issue Oct 28, 2024
jzheaux commented Oct 28, 2024

Sorry for the delay, @c1rd3cm. This is now merged into 6.3.x and will go out in the next maintenance release.

@jzheaux jzheaux added this to the 6.3.5 milestone Oct 28, 2024