Expected Behavior

Using the latest version of Spring Security with Spring Boot, when configuring it for OAuth2 with a custom provider (custom IdP, OpenID Certified, such as IdentityServer), Spring Security does not revoke tokens when performing a logout.

I expect Spring to manage the tokens and revoke them when logging out using the IdP revocation_endpoint... especially for refresh tokens, which may be used after logout and could be a security risk.

Current Behavior

Spring Security can perform a simple logout and a logout with a post-logout URL, performing an RP-initiated logout, but cannot revoke tokens in this process. Therefore, the only way to revoke tokens is to manually make a POST request to the IdP to revoke the tokens.

Context

I consider this support essential when developing clients that use an external IdP, considering security risks.

How has this issue affected you?: I can't revoke requested tokens out-of-the-box using Spring Security and make my clients more secure.

What are you trying to accomplish?: To revoke tokens transparently using Spring Security.

What other alternatives have you considered?: Implement a custom library to abstract this behaviour.

Are you aware of any workarounds?: Making a POST request manually to the revocation_endpoint after logging out.

Comment From: jgrandja

@piraces The OAuth2AuthorizedClientRepository is responsible for managing OAuth2AuthorizedClient(s) and their associated tokens. If you require tokens to be automatically removed after a session terminates then you can explicitly configure:

@Bean
OAuth2AuthorizedClientRepository authorizedClientRepository() {
    return new HttpSessionOAuth2AuthorizedClientRepository();
}

This will remove all OAuth2AuthorizedClient(s) from the session.

As far as revoking the tokens by calling the revocation endpoint, this can be performed using a custom LogoutSuccessHandler similar to how OidcClientInitiatedLogoutSuccessHandler is implemented.

I expect Spring to manage the tokens and revoke them when logging out using the IdP revocation_endpoint

I don't recall reading this in any of the specs? Our main goal is to implement to spec but also provide the hooks to allow for customization.

Comment From: jgrandja

@piraces In addition to the LogoutSuccessHandler...

HttpSessionListener should be registered to perform the token revocation request. This will handle the scenario when an HttpSession expires, without explicit log out.

Comment From: piraces

You are right @jgrandja, I have implemented my custom LogoutSuccessHandler to handle the revocation request. With this and an HttpSessionListener, it will be enough to customize the flow to accomplish the RFC. Thank you, I will close the issue.
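A worked example of the custom revocation handler discussed in this thread, added here and not code from the issue or from Spring Security itself. It is written as a LogoutHandler rather than a LogoutSuccessHandler because the default SecurityContextLogoutHandler invalidates the HttpSession before any LogoutSuccessHandler runs, so a session-backed OAuth2AuthorizedClientRepository would already be empty by then; a handler added with addLogoutHandler runs ahead of it, and the RP-initiated redirect can stay with OidcClientInitiatedLogoutSuccessHandler. Assumptions: Spring Boot 3 (jakarta.servlet, Java 17), a provider registered via issuer-uri so that discovery metadata carries revocation_endpoint, a confidential client authenticating with client_secret_basic, and a hypothetical class name.

```java
import jakarta.servlet.http.*;
import org.springframework.http.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.AbstractOAuth2Token;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.util.*;
import org.springframework.web.client.*;

// Hypothetical LogoutHandler (not Spring Security's own): RFC 7009 revocation before the session is invalidated.
public class TokenRevokingLogoutHandler implements LogoutHandler {
    private final OAuth2AuthorizedClientRepository authorizedClients;
    private final RestTemplate rest = new RestTemplate();

    public TokenRevokingLogoutHandler(OAuth2AuthorizedClientRepository authorizedClients) {
        this.authorizedClients = authorizedClients;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        if (!(authentication instanceof OAuth2AuthenticationToken token)) return; // not an OAuth2/OIDC login
        String registrationId = token.getAuthorizedClientRegistrationId();
        OAuth2AuthorizedClient client = authorizedClients.loadAuthorizedClient(registrationId, authentication, request);
        if (client == null) return; // nothing stored for this session
        // Refresh token first: it is the credential that would otherwise outlive the session.
        revoke(client.getClientRegistration(), client.getRefreshToken(), "refresh_token");
        revoke(client.getClientRegistration(), client.getAccessToken(), "access_token");
        authorizedClients.removeAuthorizedClient(registrationId, authentication, request, response);
    }

    // One RFC 7009 request: form-encoded token + token_type_hint, client authenticated with HTTP Basic.
    private void revoke(ClientRegistration reg, AbstractOAuth2Token token, String hint) {
        Object endpoint = reg.getProviderDetails().getConfigurationMetadata().get("revocation_endpoint");
        if (token == null || endpoint == null) return; // token never issued, or revocation not advertised
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("token", token.getTokenValue());
        form.add("token_type_hint", hint);
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.setBasicAuth(reg.getClientId(), reg.getClientSecret());
        try {
            rest.postForEntity(endpoint.toString(), new HttpEntity<>(form, headers), Void.class);
        } catch (RestClientException ex) {
            // Best effort: a failed revocation must not block the local logout itself.
        }
    }
}
```

Register it alongside the existing redirect handler, for example `http.logout(l -> l.addLogoutHandler(new TokenRevokingLogoutHandler(authorizedClientRepository)).logoutSuccessHandler(oidcLogoutSuccessHandler))`, so revocation happens before the session is cleared and the end_session redirect still follows. The session-expiry case jgrandja mentions needs the same revoke call driven from an HttpSessionListener, since no request or Authentication is available there.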