The OidcClientInitiatedLogoutSuccessHandler url-encodes the PostLogoutRedirectUri twice. This leads to corrupted URLs.
My used postLogoutRedirectUri is: https://localhost:8443/loginselect?forwardUrl=secureduserinfo%3F0-1.-userinfo-sessioninvalidate
OidcClientInitiatedLogoutSuccessHandler adds this uri as query param "post_logout_redirect_uri" to the generated targetUrl. URL-encoding this uri as query param should lead to a query param like this: ...&post_logout_redirect_uri=https://localhost:8443/loginselect?forwardUrl%3Dsecureduserinfo%253F0-1.-userinfo-sessioninvalidate But it is url-encoded twice: ...&post_logout_redirect_uri=https://localhost:8443/loginselect?forwardUrl%3Dsecureduserinfo%25253F0-1.-userinfo-sessioninvalidate (%2525 instead of %25)
Version: spring-security-oauth2-client 5.4.5
Comment From: jgrandja
@hosea The supplied postLogoutRedirectUri is already encoded:
https://localhost:8443/loginselect?forwardUrl=secureduserinfo%3F0-1.-userinfo-sessioninvalidate -> %3F
I believe if you change it to the (un)encoded version, it will work:
https://localhost:8443/loginselect?forwardUrl=secureduserinfo?0-1.-userinfo-sessioninvalidate -> %3F to ?
Please try this and let me know if it worked.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: hosea
Hi @jgrandja,
unfortunately this does not work. If I replace the encoding with an unencoded version, the result is also wrong: Unencoded version: https://localhost:8443/loginselect?forwardUrl=secureduserinfo?0-1.-userinfo-sessioninvalidate Result: ...&post_logout_redirect_uri=https://localhost:8443/loginselect?forwardUrl%3Dsecureduserinfo?0-1.-userinfo-sessioninvalidate Now the "?" is never encoded.
But I could break down the problem a little bit. I think the method private URI postLogoutRedirectUri(HttpServletRequest request) in OidcClientInitiatedLogoutSuccessHandler is not working as expected. The intention of this method is to replace the well-known placeholder "baseUrl" but leave the rest of the postLogoutRedirectUri unchanged. But "unchanged" is not true in my case. My postLogoutRedirectUri is https://localhost:8443/loginselect?forwardUrl=secureduserinfo%3F0-1.-userinfo-sessioninvalidate but after processing this method the Uri https://localhost:8443/loginselect?forwardUrl=secureduserinfo%253F0-1.-userinfo-sessioninvalidate is used.
Kind regards Hans
Comment From: hosea
Hi @jgrandja, I just attached a simple Java-Program that does the same processing steps with my URI as OidcClientInitiatedLogoutSuccessHandler. Hope that helps. I used it for reproducing the uri processing. Kind regards Hans
Comment From: jzheaux
Thanks, @hosea, I was able to confirm the issue.
It appears that both postLogoutRedirectUri and endpointUri are encoding the post_logout_redirect_uri value.
I think this can be addressed by changing postLogoutRedirectUri(HttpServletRequest) to call toUriString instead of toUri.
@hosea, are you able to submit a PR that addresses the issue and adds a test to confirm the bug is fixed?
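The diagnosis above, illustrated with an added stand-alone example that is not code from Spring Security or from the thread's participants. It uses Spring's UriComponentsBuilder to reproduce the two processing steps of OidcClientInitiatedLogoutSuccessHandler: expanding the baseUrl placeholder in the configured postLogoutRedirectUri, then appending the result as post_logout_redirect_uri to the end-session endpoint and encoding once. The first variant hands a java.net.URI from the expansion step to the endpoint builder, as the 5.4.5 code did; the second hands over the string, as the fix does. The method names, the base URL and the end-session endpoint host are assumptions; the redirect URI is the one from the report.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import org.springframework.web.util.UriComponentsBuilder;

public class PostLogoutRedirectEncodingDemo {

    // Value from the bug report; "%3F" is the already-encoded "?" inside the forwardUrl parameter.
    static final String POST_LOGOUT_REDIRECT_URI =
            "https://localhost:8443/loginselect?forwardUrl=secureduserinfo%3F0-1.-userinfo-sessioninvalidate";

    // Assumed values for this demo (not taken from the report).
    static final String BASE_URL = "https://localhost:8443";
    static final URI END_SESSION_ENDPOINT = URI.create("https://idp.example.test/connect/endsession");

    /**
     * Placeholder expansion as in 5.4.5: the result is a java.net.URI. Because the expanded
     * components are not marked as encoded, UriComponents.toUri() uses the multi-argument
     * URI constructor, which always quotes '%', so "%3F" becomes "%253F" here already.
     */
    static URI resolveAsUri(String template) {
        return UriComponentsBuilder.fromUriString(template)
                .buildAndExpand(Collections.singletonMap("baseUrl", BASE_URL))
                .toUri();
    }

    /**
     * Placeholder expansion as in the fix: toUriString() only concatenates the components,
     * so the caller's "%3F" is left untouched.
     */
    static String resolveAsString(String template) {
        return UriComponentsBuilder.fromUriString(template)
                .buildAndExpand(Collections.singletonMap("baseUrl", BASE_URL))
                .toUriString();
    }

    /**
     * Mirrors endpointUri(...): append the parameters and encode once. queryParam(String, Object...)
     * calls toString() on the value, so both a URI and a String are accepted, which is why the
     * double encoding went unnoticed at compile time.
     */
    static String endpointUri(Object postLogoutRedirectUri) {
        return UriComponentsBuilder.fromUri(END_SESSION_ENDPOINT)
                .queryParam("id_token_hint", "ID_TOKEN_PLACEHOLDER")
                .queryParam("post_logout_redirect_uri", postLogoutRedirectUri)
                .encode(StandardCharsets.UTF_8)
                .build()
                .toUriString();
    }

    /** Extracts the post_logout_redirect_uri parameter value from the generated target URL. */
    static String postLogoutParam(String targetUrl) {
        String marker = "post_logout_redirect_uri=";
        return targetUrl.substring(targetUrl.indexOf(marker) + marker.length());
    }

    public static void main(String[] args) {
        String before = endpointUri(resolveAsUri(POST_LOGOUT_REDIRECT_URI));
        String after = endpointUri(resolveAsString(POST_LOGOUT_REDIRECT_URI));

        System.out.println("toUri():       " + before); // ...forwardUrl%3Dsecureduserinfo%25253F0-1...
        System.out.println("toUriString(): " + after);  // ...forwardUrl%3Dsecureduserinfo%253F0-1...

        // Regression check: after a single decode the parameter must equal the configured value.
        // The 5.4.5 variant fails this because its value still contains "%253F" after one decode.
        String decodedBefore = URLDecoder.decode(postLogoutParam(before), StandardCharsets.UTF_8);
        String decodedAfter = URLDecoder.decode(postLogoutParam(after), StandardCharsets.UTF_8);
        System.out.println("5.4.5 round-trips: " + decodedBefore.equals(POST_LOGOUT_REDIRECT_URI)); // false
        System.out.println("fixed round-trips: " + decodedAfter.equals(POST_LOGOUT_REDIRECT_URI));  // true
    }
}
```

The round-trip check is the useful test to keep: the OpenID Provider compares the received post_logout_redirect_uri against the registered value after one decode, so a value that only matches after decoding twice will be rejected (or, with a lenient provider, redirect to a corrupted URL). Requires spring-web on the classpath and Java 10 or later for the URLDecoder.decode(String, Charset) overload.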
Comment From: hosea
Hi @jzheaux,
changing from toUri to toUriString solved the issue. I fixed it, added a test and submitted a PR https://github.com/spring-projects/spring-security/pull/9672
Thank you. Kind regards, Hans