Supporting logout+jwt for back-channel logout with spring-webflux #15702
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose), type: enhancement (A general enhancement)
Comments
c1rd3cm added the "status: waiting-for-triage" and "type: enhancement" labels on Aug 27, 2024
Hi, @c1rd3cm, thanks for pointing this out. This was recently added on the Servlet side. Would you be able to open a PR to do the same on the reactive side?
jzheaux added the "status: ideal-for-contribution" and "in: oauth2" labels and removed the "status: waiting-for-triage" label on Sep 3, 2024
Yes @jzheaux, I should be able to open a PR to do the same on the reactive side.
jzheaux removed the "status: ideal-for-contribution" label on Sep 26, 2024
c1rd3cm added a commit to c1rd3cm/spring-security that referenced this issue on Sep 27, 2024:
The OIDC back-channel spec recommends using a logout token typ `logout+jwt` (see [here](https://openid.net/specs/openid-connect-backchannel-1_0-final.html#LogoutToken)). Support of this type was recently added [on the Servlet side](spring-projects@9101bf1), so backporting the same on the reactive side to close the gap. Closes spring-projectsgh-15702
jzheaux pushed a commit that referenced this issue on Sep 30, 2024:
The OIDC back-channel spec recommends using a logout token typ `logout+jwt` (see [here](https://openid.net/specs/openid-connect-backchannel-1_0-final.html#LogoutToken)). Support of this type was recently added [on the Servlet side](9101bf1), so backporting the same on the reactive side to close the gap. Closes gh-15702
@jzheaux can I backport the fix for
jzheaux pushed a commit that referenced this issue on Oct 28, 2024
Sorry for the delay, @c1rd3cm. This is now merged into
Expected Behavior
We are using an IDP that sends back-channel logout requests with the token type set as `logout+jwt`, which should be accepted by spring-security when using spring-webflux.

Current Behavior
The back-channel logout is currently rejected because the only token type supported is `jwt`.

Context
We are using spring-cloud-gateway to manage authentication with spring-session. We have configured the back-channel security, but the logout requests don't work because the token type is invalid.
This is blocking our users from being logged out from all the RPs, and a user can still navigate to some applications because the session is not fully terminated in all applications. There is no way to customize the token type for back-channel logout because the classes are package protected. I believe there is no workaround other than duplicating the OIDC back-channel logout.
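As an added example (not Spring Security's code), the following stdlib Python check validates a back-channel Logout Token the way the linked spec describes, accepting the recommended `logout+jwt` typ alongside plain `jwt`; passing `accepted_typ={"jwt"}` reproduces the rejection this issue reports. The HS256 signer, key, issuer and client id are constructed for the demo and are not values from the issue.

```python
import base64, hashlib, hmac, json, time

# Event URI that every Logout Token must carry in its "events" claim (OIDC Back-Channel Logout 1.0).
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
# Assumption: accept the generic "jwt" typ and the recommended "logout+jwt"; {"jwt"} alone reproduces this issue.
ACCEPTED_TYP = frozenset({"jwt", "logout+jwt"})

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(header, claims, key):
    # Constructed HS256 signer so the example runs offline; real OPs sign Logout Tokens with asymmetric keys.
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def validate_logout_token(token, key, issuer, client_id, accepted_typ=ACCEPTED_TYP, now=None):
    """Return (accepted, reason); the checks follow section 2.6 of the back-channel logout spec."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return False, "signature mismatch"
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    typ = str(header.get("typ", "jwt")).lower()  # compare case-insensitively; an absent typ counts as "jwt"
    if typ not in accepted_typ:
        return False, f"unsupported typ {typ!r}"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    now = time.time() if now is None else now
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + 60:
        return False, "iat missing or in the future"
    if "exp" in claims and claims["exp"] < now:
        return False, "token expired"
    if "sub" not in claims and "sid" not in claims:
        return False, "neither sub nor sid present"
    if "nonce" in claims:  # a Logout Token must not be usable as an ID Token
        return False, "nonce must be absent"
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        return False, "events claim lacks the back-channel logout member"
    return True, "ok"
```

Replay protection (tracking seen `jti` values) is left to the caller, since it needs a store shared across gateway instances.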