Add Reactive Support for Internal Call to Back-Channel Endpoint

Issue gh-13841

Author: jzheaux

config/src/main/java/org/springframework/security/config/web/server/OidcBackChannelLogoutAuthentication.java

@@ -20,6 +20,7 @@
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.oauth2.client.oidc.authentication.logout.OidcLogoutToken;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
 
 /**
  * An {@link org.springframework.security.core.Authentication} implementation that
@@ -37,13 +38,16 @@ class OidcBackChannelLogoutAuthentication extends AbstractAuthenticationToken {
 
 	private final OidcLogoutToken logoutToken;
 
+	private final ClientRegistration clientRegistration;
+
 	/**
 	 * Construct an {@link OidcBackChannelLogoutAuthentication}
 	 * @param logoutToken a deserialized, verified OIDC Logout Token
 	 */
-	OidcBackChannelLogoutAuthentication(OidcLogoutToken logoutToken) {
+	OidcBackChannelLogoutAuthentication(OidcLogoutToken logoutToken, ClientRegistration clientRegistration) {
 		super(Collections.emptyList());
 		this.logoutToken = logoutToken;
+		this.clientRegistration = clientRegistration;
 		setAuthenticated(true);
 	}
 
@@ -63,4 +67,8 @@ public OidcLogoutToken getCredentials() {
 		return this.logoutToken;
 	}
 
+	ClientRegistration getClientRegistration() {
+		return this.clientRegistration;
+	}
+
 }

config/src/main/java/org/springframework/security/config/web/server/OidcBackChannelLogoutReactiveAuthenticationManager.java

@@ -80,7 +80,7 @@ public Mono<Authentication> authenticate(Authentication authentication) throws A
 			.map((jwt) -> OidcLogoutToken.withTokenValue(logoutToken)
 				.claims((claims) -> claims.putAll(jwt.getClaims()))
 				.build())
-			.map(OidcBackChannelLogoutAuthentication::new);
+			.map((oidcLogoutToken) -> new OidcBackChannelLogoutAuthentication(oidcLogoutToken, registration));
 	}
 
 	private Mono<Jwt> decode(ClientRegistration registration, String token) {

config/src/main/java/org/springframework/security/config/web/server/OidcBackChannelServerLogoutHandler.java

@@ -43,6 +43,9 @@
 import org.springframework.security.web.server.WebFilterExchange;
 import org.springframework.security.web.server.authentication.logout.ServerLogoutHandler;
 import org.springframework.util.Assert;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.reactive.function.BodyInserters;
 import org.springframework.web.reactive.function.client.WebClient;
 import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;
@@ -84,7 +87,7 @@ public Mono<Void> logout(WebFilterExchange exchange, Authentication authenticati
 		AtomicInteger invalidatedCount = new AtomicInteger(0);
 		return this.sessionRegistry.removeSessionInformation(token.getPrincipal()).concatMap((session) -> {
 			totalCount.incrementAndGet();
-			return eachLogout(exchange, session).flatMap((response) -> {
+			return eachLogout(exchange, session, token).flatMap((response) -> {
 				invalidatedCount.incrementAndGet();
 				return Mono.empty();
 			}).onErrorResume((ex) -> {
@@ -105,17 +108,26 @@ public Mono<Void> logout(WebFilterExchange exchange, Authentication authenticati
 		});
 	}
 
-	private Mono<ResponseEntity<Void>> eachLogout(WebFilterExchange exchange, OidcSessionInformation session) {
+	private Mono<ResponseEntity<Void>> eachLogout(WebFilterExchange exchange, OidcSessionInformation session,
+			OidcBackChannelLogoutAuthentication token) {
 		HttpHeaders headers = new HttpHeaders();
 		headers.add(HttpHeaders.COOKIE, this.sessionCookieName + "=" + session.getSessionId());
 		for (Map.Entry<String, String> credential : session.getAuthorities().entrySet()) {
 			headers.add(credential.getKey(), credential.getValue());
 		}
-		String logout = computeLogoutEndpoint(exchange.getExchange().getRequest());
-		return this.web.post().uri(logout).headers((h) -> h.putAll(headers)).retrieve().toBodilessEntity();
+		String logout = computeLogoutEndpoint(exchange.getExchange().getRequest(), token);
+		MultiValueMap<String, String> body = new LinkedMultiValueMap<>();
+		body.add("logout_token", token.getPrincipal().getTokenValue());
+		body.add("_spring_security_internal_logout", "true");
+		return this.web.post()
+			.uri(logout)
+			.headers((h) -> h.putAll(headers))
+			.body(BodyInserters.fromFormData(body))
+			.retrieve()
+			.toBodilessEntity();
 	}
 
-	String computeLogoutEndpoint(ServerHttpRequest request) {
+	String computeLogoutEndpoint(ServerHttpRequest request, OidcBackChannelLogoutAuthentication token) {
 		// @formatter:off
 		UriComponents uriComponents = UriComponentsBuilder.fromUri(request.getURI())
 				.replacePath(request.getPath().contextPath().value())
@@ -137,6 +149,9 @@ String computeLogoutEndpoint(ServerHttpRequest request) {
 		int port = uriComponents.getPort();
 		uriVariables.put("basePort", (port == -1) ? "" : ":" + port);
 
+		String registrationId = token.getClientRegistration().getRegistrationId();
+		uriVariables.put("registrationId", registrationId);
+
 		return UriComponentsBuilder.fromUriString(this.logoutUri)
 				.buildAndExpand(uriVariables)
 				.toUriString();

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -5539,7 +5539,9 @@ private ServerLogoutHandler logoutHandler() {
 			 * @return the {@link OidcLogoutConfigurer.BackChannelLogoutConfigurer} for
 			 * further customizations
 			 * @since 6.2.4
+			 * @deprecated Please use {@link #sessionLogout} instead
 			 */
+			@Deprecated
 			public BackChannelLogoutConfigurer logoutUri(String logoutUri) {
 				this.logoutHandler = () -> {
 					OidcBackChannelServerLogoutHandler logoutHandler = new OidcBackChannelServerLogoutHandler();
@@ -5550,13 +5552,166 @@ public BackChannelLogoutConfigurer logoutUri(String logoutUri) {
 				return this;
 			}
 
+			/**
+			 * Configure what and how per-session logout will be performed.
+			 *
+			 * <p>
+			 * This overrides any value given to {@link #logoutUri(String)}
+			 *
+			 * <p>
+			 * By default, the resulting {@link LogoutHandler} will {@code POST} the
+			 * session cookie and OIDC logout token back to the original back-channel
+			 * logout endpoint.
+			 *
+			 * <p>
+			 * Using this method changes the underlying default that {@code POST}s the
+			 * session cookie and CSRF token to your application's {@code /logout}
+			 * endpoint. As such, it is recommended to call this instead of accepting the
+			 * {@code /logout} default as this does not require any special CSRF
+			 * configuration, even if you don't require other changes.
+			 *
+			 * <p>
+			 * For example, configuring Back-Channel Logout in the following way:
+			 *
+			 * <pre>
+			 * 	http
+			 *     	.oidcLogout((oidc) -> oidc
+			 *     		.backChannel((backChannel) -> backChannel
+			 *     			.sessionLogout(Customizer.withDefaults())
+			 *     		)
+			 *     	);
+			 * </pre>
+			 *
+			 * will make so that the per-session logout invocation no longer requires
+			 * special CSRF configurations.
+			 *
+			 * <p>
+			 * By default, the URI is set to
+			 * {@code {baseScheme}://localhost{basePort}/logout/connect/back-channel/{registrationId}},
+			 * which is simply an internal version of the same endpoint exposed to your
+			 * Back-Channel services. You can use {@link SessionLogoutConfigurer#uri} to
+			 * alter the scheme, server name, or port in the {@code Host} header to
+			 * accommodate how your application would address itself internally.
+			 *
+			 * <p>
+			 * For example, if the way your application would internally call itself is on
+			 * a different scheme and port than incoming traffic, you can configure the
+			 * endpoint in the following way:
+			 *
+			 * <pre>
+			 * 	http
+			 * 		.oidcLogout((oidc) -&gt; oidc
+			 * 			.backChannel((backChannel) -&gt; backChannel
+			 * 				.sessionLogout((logout) -&gt; logout
+			 * 					.uri("http://localhost:9000/logout/connect/back-channel/{registrationId}")
+			 * 				)
+			 * 			)
+			 * 		);
+			 * </pre>
+			 * @param sessionLogout a {@link Customizer} for configuring how to log out of
+			 * each individual session
+			 * @return {@link OidcLogoutConfigurer.BackChannelLogoutConfigurer} for
+			 * further customizations
+			 * @since 6.4
+			 */
+			public BackChannelLogoutConfigurer sessionLogout(Customizer<SessionLogoutConfigurer> sessionLogout) {
+				this.logoutHandler = () -> {
+					SessionLogoutConfigurer logoutHandler = new SessionLogoutConfigurer();
+					sessionLogout.customize(logoutHandler);
+					return logoutHandler.configure();
+				};
+				return this;
+			}
+
 			void configure(ServerHttpSecurity http) {
 				OidcBackChannelLogoutWebFilter filter = new OidcBackChannelLogoutWebFilter(authenticationConverter(),
 						authenticationManager());
-				filter.setLogoutHandler(this.logoutHandler.get());
+				ServerLogoutHandler oidcLogout = this.logoutHandler.get();
+				ServerLogoutHandler sessionLogout = new SecurityContextServerLogoutHandler();
+				LogoutSpec logout = ServerHttpSecurity.this.logout;
+				if (logout != null) {
+					sessionLogout = new DelegatingServerLogoutHandler(logout.logoutHandlers);
+				}
+				filter.setLogoutHandler(new EitherLogoutHandler(oidcLogout, sessionLogout));
 				http.addFilterBefore(filter, SecurityWebFiltersOrder.CSRF);
 			}
 
+			private static final class EitherLogoutHandler implements ServerLogoutHandler {
+
+				private final ServerLogoutHandler left;
+
+				private final ServerLogoutHandler right;
+
+				EitherLogoutHandler(ServerLogoutHandler left, ServerLogoutHandler right) {
+					this.left = left;
+					this.right = right;
+				}
+
+				@Override
+				public Mono<Void> logout(WebFilterExchange exchange, Authentication authentication) {
+					return exchange.getExchange().getFormData().flatMap((data) -> {
+						if (data.getFirst("_spring_security_internal_logout") == null) {
+							return this.left.logout(exchange, authentication);
+						}
+						else {
+							return this.right.logout(exchange, authentication);
+						}
+					});
+				}
+
+			}
+
+			/**
+			 * A configurer for logging out each internal session as identified by the
+			 * external session listed in the OIDC Logout Token.
+			 *
+			 * @author Josh Cummings
+			 * @since 6.4
+			 */
+			public final class SessionLogoutConfigurer {
+
+				private String logoutUri = "{baseScheme}://localhost{basePort}/logout/connect/back-channel/{registrationId}";
+
+				private SessionLogoutConfigurer() {
+
+				}
+
+				/**
+				 * Use this URI to log out a specific session indicated by the OIDC Logout
+				 * Token.
+				 *
+				 * <p>
+				 * Defaults to pointing back to the original Back-Channel OIDC endpoint,
+				 * now including the session cookie value that corresponds to the
+				 * {@code sid} referenced in the OIDC Logout Token.
+				 *
+				 * <p>
+				 * This default value is
+				 * {@code {baseScheme}://localhost{basePort}/logout/connect/back-channel/{registrationId}}
+				 *
+				 * <p>
+				 * If needed for backward compatibility, you can also set this to a
+				 * different logout endpoint, like the Spring Security logout endpoint:
+				 * {@code {baseScheme}://localhost{basePort}/logout}.
+				 * @param uri the URI to invoke to log out specific sessions
+				 * @return the
+				 * {@link OidcLogoutConfigurer.BackChannelLogoutConfigurer.SessionLogoutConfigurer}
+				 * for further customizations
+				 */
+				public SessionLogoutConfigurer uri(String uri) {
+					this.logoutUri = uri;
+					return this;
+				}
+
+				private ServerLogoutHandler configure() {
+					OidcBackChannelServerLogoutHandler logoutHandler = new OidcBackChannelServerLogoutHandler();
+					logoutHandler.setSessionRegistry(OidcLogoutSpec.this.getSessionRegistry());
+					logoutHandler.setLogoutUri(this.logoutUri);
+					return logoutHandler;
+				}
+
+			}
+
 		}
 
 	}

config/src/test/java/org/springframework/security/config/web/server/OidcBackChannelServerLogoutHandlerTests.java

@@ -19,6 +19,8 @@
 import org.junit.jupiter.api.Test;
 
 import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.security.oauth2.client.oidc.authentication.logout.TestOidcLogoutTokens;
+import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -27,15 +29,19 @@
  */
 public class OidcBackChannelServerLogoutHandlerTests {
 
+	private final OidcBackChannelLogoutAuthentication token = new OidcBackChannelLogoutAuthentication(
+			TestOidcLogoutTokens.withSubject("issuer", "subject").build(),
+			TestClientRegistrations.clientRegistration().build());
+
 	// gh-14553
 	@Test
 	public void computeLogoutEndpointWhenDifferentHostnameThenLocalhost() {
 		OidcBackChannelServerLogoutHandler logoutHandler = new OidcBackChannelServerLogoutHandler();
 		MockServerHttpRequest request = MockServerHttpRequest
 			.get("https://host.docker.internal:8090/back-channel/logout")
 			.build();
-		String endpoint = logoutHandler.computeLogoutEndpoint(request);
-		assertThat(endpoint).isEqualTo("https://localhost:8090/logout");
+		String endpoint = logoutHandler.computeLogoutEndpoint(request, this.token);
+		assertThat(endpoint).startsWith("https://localhost:8090/logout");
 	}
 
 	@Test
@@ -45,8 +51,8 @@ public void computeLogoutEndpointWhenUsingBaseUrlTemplateThenServerName() {
 		MockServerHttpRequest request = MockServerHttpRequest
 			.get("http://host.docker.internal:8090/back-channel/logout")
 			.build();
-		String endpoint = logoutHandler.computeLogoutEndpoint(request);
-		assertThat(endpoint).isEqualTo("http://host.docker.internal:8090/logout");
+		String endpoint = logoutHandler.computeLogoutEndpoint(request, this.token);
+		assertThat(endpoint).startsWith("http://host.docker.internal:8090/logout");
 	}
 
 	// gh-14609
@@ -55,8 +61,8 @@ public void computeLogoutEndpointWhenLogoutUriThenUses() {
 		OidcBackChannelServerLogoutHandler logoutHandler = new OidcBackChannelServerLogoutHandler();
 		logoutHandler.setLogoutUri("http://localhost:8090/logout");
 		MockServerHttpRequest request = MockServerHttpRequest.get("https://server-one.com/back-channel/logout").build();
-		String endpoint = logoutHandler.computeLogoutEndpoint(request);
-		assertThat(endpoint).isEqualTo("http://localhost:8090/logout");
+		String endpoint = logoutHandler.computeLogoutEndpoint(request, this.token);
+		assertThat(endpoint).startsWith("http://localhost:8090/logout");
 	}
 
 }

config/src/test/java/org/springframework/security/config/web/server/OidcLogoutSpecTests.java

@@ -268,6 +268,29 @@ void logoutWhenRemoteLogoutUriThenUses() {
 		this.test.get().uri("/token/logout").cookie("SESSION", one).exchange().expectStatus().isOk();
 	}
 
+	@Test
+	void logoutWhenSelfRemoteLogoutUriThenUses() {
+		this.spring.register(WebServerConfig.class, OidcProviderConfig.class, SelfLogoutUriConfig.class).autowire();
+		String registrationId = this.clientRegistration.getRegistrationId();
+		String sessionId = login();
+		String logoutToken = this.test.get()
+			.uri("/token/logout")
+			.cookie("SESSION", sessionId)
+			.exchange()
+			.expectStatus()
+			.isOk()
+			.returnResult(String.class)
+			.getResponseBody()
+			.blockFirst();
+		this.test.post()
+			.uri(this.web.url("/logout/connect/back-channel/" + registrationId).toString())
+			.body(BodyInserters.fromFormData("logout_token", logoutToken))
+			.exchange()
+			.expectStatus()
+			.isOk();
+		this.test.get().uri("/token/logout").cookie("SESSION", sessionId).exchange().expectStatus().isUnauthorized();
+	}
+
 	@Test
 	void logoutWhenRemoteLogoutFailsThenReportsPartialLogout() {
 		this.spring.register(WebServerConfig.class, OidcProviderConfig.class, WithBrokenLogoutConfig.class).autowire();
@@ -444,6 +467,30 @@ SecurityWebFilterChain filters(ServerHttpSecurity http) throws Exception {
 
 	}
 
+	@Configuration
+	@EnableWebFluxSecurity
+	@Import(RegistrationConfig.class)
+	static class SelfLogoutUriConfig {
+
+		@Bean
+		@Order(1)
+		SecurityWebFilterChain filters(ServerHttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.authorizeExchange((authorize) -> authorize.anyExchange().authenticated())
+				.oauth2Login(Customizer.withDefaults())
+				.oidcLogout((oidc) -> oidc
+					.backChannel((backchannel) -> backchannel
+						.sessionLogout(Customizer.withDefaults())
+					)
+				);
+			// @formatter:on
+
+			return http.build();
+		}
+
+	}
+
 	@Configuration
 	@EnableWebFluxSecurity
 	@Import(RegistrationConfig.class)