
Add support for Spring Session Cookie in OIDC Backchannel logout #16627

Open
@aelillie

Description


This is related to #14904, which addresses the issue of using Spring Session together with OIDC Backchannel logout, as Spring Session expects a base64-encoded session cookie value (in DefaultCookieSerializer), while OidcBackChannelLogoutHandler does not base64-encode it when posting the logout request.

The issue was partly fixed in #15540, but only the naming of the cookie, i.e. that you can now configure OidcBackChannelLogoutHandler to use a cookie name of SESSION instead of the default JSESSIONID. But the encoding part is still missing for this to work properly.

I also realize that this can be a question of who has the responsibility of configuring the session cookie: Spring OAuth2 Client or Spring Session. But as it is now, while setting the cookie name to SESSION in OidcBackChannelLogoutHandler I still need to override the default behavior of DefaultCookieSerializer to skip base64-decoding (as suggested in #14904 (comment)), thus leaving it a bit redundant.

As such, this is a request for enhancement to either:

  1. Let OidcBackChannelLogoutHandler be configurable to also base64 encode the session cookie value, or
  2. Leave the configuration of the session cookie to Spring Session by overriding the DefaultCookieSerializer, and then refer to this in the documentation at https://docs.spring.io/spring-security/reference/servlet/oauth2/login/logout.html#_customizing_the_session_logout_cookie_name

To reproduce

  1. Prepare an application which uses Spring Session stored in JDBC + OIDC backchannel logout configured
  2. Log in to the application using OIDC integration
  3. Trigger OIDC back channel logout

Expected Behavior

The user's session is successfully invalidated and the backchannel logout thus completes successfully.

Current Behavior

The user's session is not invalidated, and the backchannel logout thus fails.

Context

My workaround right now is to set the cookie name in OidcBackChannelLogoutHandler to SESSION, and to configure the CookieSerializer only to not use base64-encoding.

An alternative is to skip setting the session cookie name in OidcBackChannelLogoutHandler altogether, leaving it as the default JSESSIONID, and instead keep the overridden definition of the Spring Session CookieSerializer as described in #14904 (comment).

Using Spring Boot 3.4.2, Spring Session (JDBC) 3.4.1, and Spring Security 6.4.2.

Minimal example of the security config:

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http, OidcBackChannelLogoutHandler oidcBackChannelLogoutHandler, ...) {
        return http
                ...
                // register the custom handler for OIDC back-channel logout requests
                .oidcLogout(oidcLogout -> oidcLogout
                        .backChannel(backChannel -> backChannel.logoutHandler(oidcBackChannelLogoutHandler))
                )
                ...
                .build();
    }

    @Bean
    public CookieSerializer cookieSerializer() {
        // Workaround: stop Spring Session from base64-encoding the SESSION cookie value,
        // so the raw session id posted by the back-channel logout handler can be matched.
        var serializer = new DefaultCookieSerializer();
        serializer.setUseBase64Encoding(false);
        return serializer;
    }

    @Bean
    public OidcBackChannelLogoutHandler oidcBackChannelLogoutHandler(OidcSessionRegistry oidcSessionRegistry) {
        OidcBackChannelLogoutHandler logoutHandler = new OidcBackChannelLogoutHandler(oidcSessionRegistry);
        logoutHandler.setLogoutUri("http://localhost:8080/logout");
        // use Spring Session's cookie name instead of the default JSESSIONID
        logoutHandler.setSessionCookieName("SESSION");
        return logoutHandler;
    }
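The encoding mismatch the issue describes can be reproduced with `DefaultCookieSerializer` on its own, without a running application. The following is an added example, not code from the issue author or from the Spring projects; it assumes `spring-session-core` and `spring-test` (for `MockHttpServletRequest`/`MockHttpServletResponse`) are on the classpath, and the session id is a constructed sample value.

```java
import java.util.List;

import jakarta.servlet.http.Cookie;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

// Shows why the raw session id in a back-channel logout request is not found by
// Spring Session while DefaultCookieSerializer has base64 encoding enabled (its default).
public class SessionCookieEncodingDemo {

    // Constructed sample id. The dashes are outside the base64 alphabet, so a raw id
    // handed to the base64 decoder fails to decode and is silently dropped.
    static final String SESSION_ID = "3f1c9a7e-0d44-4f6b-9c1e-1b2c3d4e5f60";

    private static DefaultCookieSerializer serializer(boolean useBase64) {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");
        serializer.setUseBase64Encoding(useBase64);
        return serializer;
    }

    /** The cookie value Spring Session writes at login for the given serializer setting. */
    static String cookieValueWrittenAtLogin(boolean useBase64) {
        MockHttpServletRequest request = new MockHttpServletRequest();
        MockHttpServletResponse response = new MockHttpServletResponse();
        serializer(useBase64).writeCookieValue(new CookieSerializer.CookieValue(request, response, SESSION_ID));
        return response.getCookie("SESSION").getValue();
    }

    /** The session ids Spring Session recovers from a later request carrying cookieValue. */
    static List<String> sessionIdsReadFromRequest(String cookieValue, boolean useBase64) {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setCookies(new Cookie("SESSION", cookieValue));
        return serializer(useBase64).readCookieValues(request);
    }

    public static void main(String[] args) {
        // Default setup: the cookie set at login holds Base64(SESSION_ID).
        String encoded = cookieValueWrittenAtLogin(true);
        System.out.println("cookie written at login          : " + encoded);

        // Back-channel logout request carrying the raw id: decoding fails, no id is
        // recovered, so the session is never looked up and survives the logout.
        System.out.println("raw id, base64 enabled           : " + sessionIdsReadFromRequest(SESSION_ID, true));

        // Workaround from the issue: base64 disabled on the serializer, raw id matches.
        System.out.println("raw id, base64 disabled          : " + sessionIdsReadFromRequest(SESSION_ID, false));

        // What option 1 of the request would achieve: the logout request carries the
        // base64-encoded id and the default serializer recovers the session id.
        System.out.println("encoded id, base64 enabled       : " + sessionIdsReadFromRequest(encoded, true));
    }
}
```

Run as a plain `main`: the second line prints an empty list, because `DefaultCookieSerializer` catches the decoding exception and skips the cookie, which is exactly the silent failure seen as "the session is not invalidated". The third and fourth lines both print the sample id, corresponding to the two remedies the issue proposes.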

Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose), type: enhancement (A general enhancement)
