Make Internal Logout URI Configurable

Closes gh-14609

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutHandler.java

@@ -19,6 +19,7 @@
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashMap;
 import java.util.Map;
 
 import jakarta.servlet.http.HttpServletRequest;
@@ -37,10 +38,12 @@
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMessageConverter;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
 import org.springframework.web.client.RestClientException;
 import org.springframework.web.client.RestOperations;
 import org.springframework.web.client.RestTemplate;
+import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;
 
 /**
@@ -61,7 +64,7 @@ final class OidcBackChannelLogoutHandler implements LogoutHandler {
 
 	private RestOperations restOperations = new RestTemplate();
 
-	private String logoutEndpointName = "/logout";
+	private String logoutUri = "{baseScheme}://localhost{basePort}/logout";
 
 	private String sessionCookieName = "JSESSIONID";
 
@@ -112,12 +115,32 @@ private void eachLogout(HttpServletRequest request, OidcSessionInformation sessi
 	}
 
 	String computeLogoutEndpoint(HttpServletRequest request) {
-		String url = request.getRequestURL().toString();
-		return UriComponentsBuilder.fromHttpUrl(url)
-			.host("localhost")
-			.replacePath(this.logoutEndpointName)
-			.build()
-			.toUriString();
+		// @formatter:off
+		UriComponents uriComponents = UriComponentsBuilder
+				.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
+				.replacePath(request.getContextPath())
+				.replaceQuery(null)
+				.fragment(null)
+				.build();
+
+		Map<String, String> uriVariables = new HashMap<>();
+		String scheme = uriComponents.getScheme();
+		uriVariables.put("baseScheme", (scheme != null) ? scheme : "");
+		uriVariables.put("baseUrl", uriComponents.toUriString());
+
+		String host = uriComponents.getHost();
+		uriVariables.put("baseHost", (host != null) ? host : "");
+
+		String path = uriComponents.getPath();
+		uriVariables.put("basePath", (path != null) ? path : "");
+
+		int port = uriComponents.getPort();
+		uriVariables.put("basePort", (port == -1) ? "" : ":" + port);
+
+		return UriComponentsBuilder.fromUriString(this.logoutUri)
+				.buildAndExpand(uriVariables)
+				.toUriString();
+		// @formatter:on
 	}
 
 	private OAuth2Error oauth2Error(Collection<String> errors) {
@@ -164,7 +187,7 @@ void setRestOperations(RestOperations restOperations) {
 	 */
 	void setLogoutUri(String logoutUri) {
 		Assert.hasText(logoutUri, "logoutUri cannot be empty");
-		this.logoutEndpointName = logoutUri;
+		this.logoutUri = logoutUri;
 	}
 
 	/**

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java

@@ -17,6 +17,7 @@
 package org.springframework.security.config.annotation.web.configurers.oauth2.client;
 
 import java.util.function.Consumer;
+import java.util.function.Function;
 
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.ProviderManager;
@@ -123,7 +124,7 @@ public final class BackChannelLogoutConfigurer {
 		private final AuthenticationManager authenticationManager = new ProviderManager(
 				new OidcBackChannelLogoutAuthenticationProvider());
 
-		private LogoutHandler logoutHandler;
+		private Function<B, LogoutHandler> logoutHandler = this::logoutHandler;
 
 		private AuthenticationConverter authenticationConverter(B http) {
 			if (this.authenticationConverter == null) {
@@ -139,18 +140,54 @@ private AuthenticationManager authenticationManager() {
 		}
 
 		private LogoutHandler logoutHandler(B http) {
-			if (this.logoutHandler == null) {
+			OidcBackChannelLogoutHandler logoutHandler = new OidcBackChannelLogoutHandler();
+			logoutHandler.setSessionRegistry(OAuth2ClientConfigurerUtils.getOidcSessionRegistry(http));
+			return logoutHandler;
+		}
+
+		/**
+		 * Use this endpoint when invoking a back-channel logout.
+		 *
+		 * <p>
+		 * The resulting {@link LogoutHandler} will {@code POST} the session cookie and
+		 * CSRF token to this endpoint to invalidate the corresponding end-user session.
+		 *
+		 * <p>
+		 * Supports URI templates like {@code {baseUrl}}, {@code {baseScheme}}, and
+		 * {@code {basePort}}.
+		 *
+		 * <p>
+		 * By default, the URI is set to
+		 * {@code {baseScheme}://localhost{basePort}/logout}, meaning that the scheme and
+		 * port of the original back-channel request is preserved, while the host and
+		 * endpoint are changed.
+		 *
+		 * <p>
+		 * If you are using Spring Security for the logout endpoint, the path part of this
+		 * URI should match the value configured there.
+		 *
+		 * <p>
+		 * Otherwise, this is handy in the event that your server configuration means that
+		 * the scheme, server name, or port in the {@code Host} header are different from
+		 * how you would address the same server internally.
+		 * @param logoutUri the URI to request logout on the back-channel
+		 * @return the {@link BackChannelLogoutConfigurer} for further customizations
+		 * @since 6.2.4
+		 */
+		public BackChannelLogoutConfigurer logoutUri(String logoutUri) {
+			this.logoutHandler = (http) -> {
 				OidcBackChannelLogoutHandler logoutHandler = new OidcBackChannelLogoutHandler();
 				logoutHandler.setSessionRegistry(OAuth2ClientConfigurerUtils.getOidcSessionRegistry(http));
-				this.logoutHandler = logoutHandler;
-			}
-			return this.logoutHandler;
+				logoutHandler.setLogoutUri(logoutUri);
+				return logoutHandler;
+			};
+			return this;
 		}
 
 		void configure(B http) {
 			OidcBackChannelLogoutFilter filter = new OidcBackChannelLogoutFilter(authenticationConverter(http),
 					authenticationManager());
-			filter.setLogoutHandler(logoutHandler(http));
+			filter.setLogoutHandler(this.logoutHandler.apply(http));
 			http.addFilterBefore(filter, CsrfFilter.class);
 		}
 

config/src/main/java/org/springframework/security/config/web/server/OidcBackChannelServerLogoutHandler.java

@@ -18,6 +18,7 @@
 
 import java.nio.charset.StandardCharsets;
 import java.util.Collection;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.concurrent.atomic.AtomicInteger;
 
@@ -30,6 +31,7 @@
 import org.springframework.core.io.buffer.DataBuffer;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.ResponseEntity;
+import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.http.server.reactive.ServerHttpResponse;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.client.oidc.authentication.logout.OidcLogoutToken;
@@ -42,6 +44,7 @@
 import org.springframework.security.web.server.authentication.logout.ServerLogoutHandler;
 import org.springframework.util.Assert;
 import org.springframework.web.reactive.function.client.WebClient;
+import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;
 
 /**
@@ -62,7 +65,7 @@ final class OidcBackChannelServerLogoutHandler implements ServerLogoutHandler {
 
 	private WebClient web = WebClient.create();
 
-	private String logoutEndpointName = "/logout";
+	private String logoutUri = "{baseScheme}://localhost{basePort}/logout";
 
 	private String sessionCookieName = "SESSION";
 
@@ -108,17 +111,36 @@ private Mono<ResponseEntity<Void>> eachLogout(WebFilterExchange exchange, OidcSe
 		for (Map.Entry<String, String> credential : session.getAuthorities().entrySet()) {
 			headers.add(credential.getKey(), credential.getValue());
 		}
-		String logout = computeLogoutEndpoint(exchange);
+		String logout = computeLogoutEndpoint(exchange.getExchange().getRequest());
 		return this.web.post().uri(logout).headers((h) -> h.putAll(headers)).retrieve().toBodilessEntity();
 	}
 
-	String computeLogoutEndpoint(WebFilterExchange exchange) {
-		String url = exchange.getExchange().getRequest().getURI().toString();
-		return UriComponentsBuilder.fromHttpUrl(url)
-			.host("localhost")
-			.replacePath(this.logoutEndpointName)
-			.build()
-			.toUriString();
+	String computeLogoutEndpoint(ServerHttpRequest request) {
+		// @formatter:off
+		UriComponents uriComponents = UriComponentsBuilder.fromUri(request.getURI())
+				.replacePath(request.getPath().contextPath().value())
+				.replaceQuery(null)
+				.fragment(null)
+				.build();
+
+		Map<String, String> uriVariables = new HashMap<>();
+		String scheme = uriComponents.getScheme();
+		uriVariables.put("baseScheme", (scheme != null) ? scheme : "");
+		uriVariables.put("baseUrl", uriComponents.toUriString());
+
+		String host = uriComponents.getHost();
+		uriVariables.put("baseHost", (host != null) ? host : "");
+
+		String path = uriComponents.getPath();
+		uriVariables.put("basePath", (path != null) ? path : "");
+
+		int port = uriComponents.getPort();
+		uriVariables.put("basePort", (port == -1) ? "" : ":" + port);
+
+		return UriComponentsBuilder.fromUriString(this.logoutUri)
+				.buildAndExpand(uriVariables)
+				.toUriString();
+		// @formatter:on
 	}
 
 	private OAuth2Error oauth2Error(Collection<?> errors) {
@@ -168,7 +190,7 @@ void setWebClient(WebClient web) {
 	 */
 	void setLogoutUri(String logoutUri) {
 		Assert.hasText(logoutUri, "logoutUri cannot be empty");
-		this.logoutEndpointName = logoutUri;
+		this.logoutUri = logoutUri;
 	}
 
 	/**

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -58,6 +58,7 @@
 import org.springframework.security.authorization.ObservationReactiveAuthorizationManager;
 import org.springframework.security.authorization.ReactiveAuthorizationManager;
 import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.configurers.oauth2.client.OidcLogoutConfigurer;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
@@ -110,6 +111,7 @@
 import org.springframework.security.oauth2.server.resource.web.server.BearerTokenServerAuthenticationEntryPoint;
 import org.springframework.security.oauth2.server.resource.web.server.authentication.ServerBearerTokenAuthenticationConverter;
 import org.springframework.security.web.PortMapper;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
 import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
 import org.springframework.security.web.server.DefaultServerRedirectStrategy;
@@ -5074,7 +5076,7 @@ public final class BackChannelLogoutConfigurer {
 
 			private final ReactiveAuthenticationManager authenticationManager = new OidcBackChannelLogoutReactiveAuthenticationManager();
 
-			private ServerLogoutHandler logoutHandler;
+			private Supplier<ServerLogoutHandler> logoutHandler = this::logoutHandler;
 
 			private ServerAuthenticationConverter authenticationConverter() {
 				if (this.authenticationConverter == null) {
@@ -5089,18 +5091,56 @@ private ReactiveAuthenticationManager authenticationManager() {
 			}
 
 			private ServerLogoutHandler logoutHandler() {
-				if (this.logoutHandler == null) {
+				OidcBackChannelServerLogoutHandler logoutHandler = new OidcBackChannelServerLogoutHandler();
+				logoutHandler.setSessionRegistry(OidcLogoutSpec.this.getSessionRegistry());
+				return logoutHandler;
+			}
+
+			/**
+			 * Use this endpoint when invoking a back-channel logout.
+			 *
+			 * <p>
+			 * The resulting {@link LogoutHandler} will {@code POST} the session cookie
+			 * and CSRF token to this endpoint to invalidate the corresponding end-user
+			 * session.
+			 *
+			 * <p>
+			 * Supports URI templates like {@code {baseUrl}}, {@code {baseScheme}}, and
+			 * {@code {basePort}}.
+			 *
+			 * <p>
+			 * By default, the URI is set to
+			 * {@code {baseScheme}://localhost{basePort}/logout}, meaning that the scheme
+			 * and port of the original back-channel request is preserved, while the host
+			 * and endpoint are changed.
+			 *
+			 * <p>
+			 * If you are using Spring Security for the logout endpoint, the path part of
+			 * this URI should match the value configured there.
+			 *
+			 * <p>
+			 * Otherwise, this is handy in the event that your server configuration means
+			 * that the scheme, server name, or port in the {@code Host} header are
+			 * different from how you would address the same server internally.
+			 * @param logoutUri the URI to request logout on the back-channel
+			 * @return the {@link OidcLogoutConfigurer.BackChannelLogoutConfigurer} for
+			 * further customizations
+			 * @since 6.2.4
+			 */
+			public BackChannelLogoutConfigurer logoutUri(String logoutUri) {
+				this.logoutHandler = () -> {
 					OidcBackChannelServerLogoutHandler logoutHandler = new OidcBackChannelServerLogoutHandler();
 					logoutHandler.setSessionRegistry(OidcLogoutSpec.this.getSessionRegistry());
-					this.logoutHandler = logoutHandler;
-				}
-				return this.logoutHandler;
+					logoutHandler.setLogoutUri(logoutUri);
+					return logoutHandler;
+				};
+				return this;
 			}
 
 			void configure(ServerHttpSecurity http) {
 				OidcBackChannelLogoutWebFilter filter = new OidcBackChannelLogoutWebFilter(authenticationConverter(),
 						authenticationManager());
-				filter.setLogoutHandler(logoutHandler());
+				filter.setLogoutHandler(this.logoutHandler.get());
 				http.addFilterBefore(filter, SecurityWebFiltersOrder.CSRF);
 			}
 

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutHandlerTests.java

@@ -35,4 +35,28 @@ public void computeLogoutEndpointWhenDifferentHostnameThenLocalhost() {
 		assertThat(endpoint).isEqualTo("http://localhost:8090/logout");
 	}
 
+	@Test
+	public void computeLogoutEndpointWhenUsingBaseUrlTemplateThenServerName() {
+		OidcBackChannelLogoutHandler logoutHandler = new OidcBackChannelLogoutHandler();
+		logoutHandler.setLogoutUri("{baseUrl}/logout");
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/back-channel/logout");
+		request.setServerName("host.docker.internal");
+		request.setServerPort(8090);
+		String endpoint = logoutHandler.computeLogoutEndpoint(request);
+		assertThat(endpoint).isEqualTo("http://host.docker.internal:8090/logout");
+	}
+
+	// gh-14609
+	@Test
+	public void computeLogoutEndpointWhenLogoutUriThenUses() {
+		OidcBackChannelLogoutHandler logoutHandler = new OidcBackChannelLogoutHandler();
+		logoutHandler.setLogoutUri("http://localhost:8090/logout");
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/back-channel/logout");
+		request.setScheme("https");
+		request.setServerName("server-one.com");
+		request.setServerPort(80);
+		String endpoint = logoutHandler.computeLogoutEndpoint(request);
+		assertThat(endpoint).isEqualTo("http://localhost:8090/logout");
+	}
+
 }