Make Oidc Session Logout Cookie Name Configurable

This is specifically helpful for Spring Session support

Closes gh-14904

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java

@@ -310,6 +310,8 @@ public final class SessionLogoutConfigurer {
 
 			private String logoutUri = "{baseScheme}://localhost{basePort}/logout/connect/back-channel/{registrationId}";
 
+			private String cookieName = "JSESSIONID";
+
 			private SessionLogoutConfigurer() {
 
 			}
@@ -339,6 +341,23 @@ public SessionLogoutConfigurer uri(String uri) {
 				return this;
 			}
 
+			/**
+			 * Use this cookie name to propagate the internal session identifier in the
+			 * internal logout invocation.
+			 *
+			 * <p>
+			 * This defaults to {@code JSESSIONID}.
+			 *
+			 * <p>
+			 * When using Spring Session, you may need to set this to {@code SESSION}
+			 * @param cookieName the cookie name to use
+			 * @return the {@link SessionLogoutConfigurer} for further customizations
+			 */
+			public SessionLogoutConfigurer cookieName(String cookieName) {
+				this.cookieName = cookieName;
+				return this;
+			}
+
 			private LogoutHandler configure(B http) {
 				OidcBackChannelLogoutHandler logoutHandler = new OidcBackChannelLogoutHandler();
 				logoutHandler.setSessionRegistry(OAuth2ClientConfigurerUtils.getOidcSessionRegistry(http));

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurerTests.java

@@ -24,6 +24,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.function.Consumer;
 
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.RSAKey;
@@ -91,6 +92,7 @@
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.willThrow;
@@ -235,6 +237,23 @@ void logoutWhenSelfRemoteLogoutUriThenUses() throws Exception {
 		this.mvc.perform(get("/token/logout").session(session)).andExpect(status().isUnauthorized());
 	}
 
+	@Test
+	void logoutWhenDifferentCookieNameThenUses() throws Exception {
+		this.spring.register(OidcProviderConfig.class, CookieConfig.class).autowire();
+		String registrationId = this.clientRegistration.getRegistrationId();
+		MockHttpSession session = login();
+		String logoutToken = this.mvc.perform(get("/token/logout").session(session))
+			.andExpect(status().isOk())
+			.andReturn()
+			.getResponse()
+			.getContentAsString();
+		this.mvc
+			.perform(post(this.web.url("/logout/connect/back-channel/" + registrationId).toString())
+				.param("logout_token", logoutToken))
+			.andExpect(status().isOk());
+		this.mvc.perform(get("/token/logout").session(session)).andExpect(status().isUnauthorized());
+	}
+
 	@Test
 	void logoutWhenRemoteLogoutFailsThenReportsPartialLogout() throws Exception {
 		this.spring.register(WebServerConfig.class, OidcProviderConfig.class, WithBrokenLogoutConfig.class).autowire();
@@ -396,6 +415,51 @@ SecurityFilterChain filters(HttpSecurity http) throws Exception {
 
 	}
 
+	@Configuration
+	@EnableWebSecurity
+	@Import(RegistrationConfig.class)
+	static class CookieConfig {
+
+		private final MockWebServer server = new MockWebServer();
+
+		@Bean
+		@Order(1)
+		SecurityFilterChain filters(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
+				.oauth2Login(Customizer.withDefaults())
+				.oidcLogout((oidc) -> oidc
+					.backChannel((backchannel) -> backchannel
+						.sessionLogout((logout) -> logout.cookieName("SESSION"))
+					)
+				);
+			// @formatter:on
+
+			return http.build();
+		}
+
+		@Bean
+		MockWebServer web(ObjectProvider<MockMvc> mvc) {
+			MockMvcDispatcher dispatcher = new MockMvcDispatcher(mvc);
+			dispatcher.setAssertion((rr) -> {
+				String cookie = rr.getHeaders().get("Cookie");
+				if (cookie == null) {
+					return;
+				}
+				assertThat(cookie).contains("SESSION").doesNotContain("JSESSIONID");
+			});
+			this.server.setDispatcher(dispatcher);
+			return this.server;
+		}
+
+		@PreDestroy
+		void shutdown() throws IOException {
+			this.server.shutdown();
+		}
+
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	@Import(RegistrationConfig.class)
@@ -600,12 +664,15 @@ private static class MockMvcDispatcher extends Dispatcher {
 
 		private MockMvc mvc;
 
+		private Consumer<RecordedRequest> assertion = (rr) -> { };
+
 		MockMvcDispatcher(ObjectProvider<MockMvc> mvc) {
 			this.mvcProvider = mvc;
 		}
 
 		@Override
 		public MockResponse dispatch(RecordedRequest request) throws InterruptedException {
+			this.assertion.accept(request);
 			this.mvc = this.mvcProvider.getObject();
 			String method = request.getMethod();
 			String path = request.getPath();
@@ -642,6 +709,10 @@ void registerSession(MockHttpSession session) {
 			this.session.put(session.getId(), session);
 		}
 
+		void setAssertion(Consumer<RecordedRequest> assertion) {
+			this.assertion = assertion;
+		}
+
 		private MockHttpSession session(RecordedRequest request) {
 			String cookieHeaderValue = request.getHeader("Cookie");
 			if (cookieHeaderValue == null) {
@@ -654,6 +725,10 @@ private MockHttpSession session(RecordedRequest request) {
 					return this.session.computeIfAbsent(parts[1],
 							(k) -> new MockHttpSession(new MockServletContext(), parts[1]));
 				}
+				if ("SESSION".equals(parts[0])) {
+					return this.session.computeIfAbsent(parts[1],
+							(k) -> new MockHttpSession(new MockServletContext(), parts[1]));
+				}
 			}
 			return new MockHttpSession();
 		}