Expected Behavior

It should be possible to set the end_session_endpoint used by OidcClientInitiatedLogoutSuccessHandler via mechanisms other than configuring the ClientRegistration with the issuer-uri.

Current Behavior

OidcClientInitiatedLogoutSuccessHandler determines the end_session_endpoint using ClientRegistration.providerDetails.configurationMetadata, obtained during Discovery from the URI pointed to by ClientRegistration.issuer-uri:

    private URI endSessionEndpoint(ClientRegistration clientRegistration) {
        if (clientRegistration != null) {
            ProviderDetails providerDetails = clientRegistration.getProviderDetails();
            Object endSessionEndpoint = providerDetails.getConfigurationMetadata().get("end_session_endpoint");
            if (endSessionEndpoint != null) {
                return URI.create(endSessionEndpoint.toString());
            }
        }
        return null;
    }

Context

According to the RP-Initiated Logout documentation, the OP's Logout Endpoint "is normally obtained via the end_session_endpoint element of the OP's Discovery response or may be learned via other mechanisms".

In the case of an OIDC Provider which does not expose a Discovery endpoint but supports RP-Initiated Logout, it is not possible to use OidcClientInitiatedLogoutSuccessHandler as is.

I did not find a better workaround than copying/pasting the code of OidcClientInitiatedLogoutSuccessHandler and rewriting the endSessionEndpoint method as proposed in this Stack Overflow response.

If there is no better workaround, it would be interesting to avoid copying/pasting OidcClientInitiatedLogoutSuccessHandler, either by exposing a public setter to configure the end_session_endpoint or by creating a new ClientRegistration.endSessionEndpoint attribute and using it in the endSessionEndpoint method. Another option would be to make OidcClientInitiatedLogoutSuccessHandler non-final.

Maybe a setter with the possibility to add some custom attributes in ClientRegistration as proposed in #9669 would be sufficient.

Comment From: jzheaux

I agree that #9669 seems the most sensible way to do this since it would allow applications to specify the endpoint in a custom way.

Comment From: jzheaux

@lmagnien, I think there may be a simpler way. Can you see if this works for you when you are constructing your ClientRegistration instance?

    ClientRegistration registration = ClientRegistration.withRegistrationId("id")
        // ...
        .providerConfigurationMetadata(Collections.singletonMap("end_session_endpoint", computedEndpoint()))
        .build();

Comment From: lmagnien

Yes, you are right. It should work.

I was wrong in my description of the issue. Actually, I should have written that Spring Boot, via autoconfiguration (OAuth2ClientAutoConfiguration), does not allow setting the end_session_endpoint used by OidcClientInitiatedLogoutSuccessHandler via mechanisms other than the spring.security.oauth2.client.provider.[providerId].issuer-uri property.

Maybe I didn't think about your option, which seems to be the right one, because I would have had to give up Spring Boot's autoconfiguration for the entire ClientRegistration configuration, which is not very convenient.

Finally, a possible evolution, if one had to be done, would be to make the Spring Boot autoconfiguration allow setting the ClientRegistration.ProviderDetails.configurationMetadata. As I understand it, that is what is proposed here: https://github.com/spring-projects/spring-security/issues/9669#issuecomment-827700567.

Thank you very much for your time and help with this issue.

Comment From: jzheaux

It may be reasonable to add the Spring Boot end_session_endpoint property. If you wish, you can log an issue there, and ping jgrandja for his thoughts.

As far as Spring Security is concerned, it looks like there's nothing more to do for now, so I'll close this issue.
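As an added example (not code from the issue, from Spring Security or from Spring Boot), one way to keep Boot's spring.security.oauth2.client.* autoconfiguration while still supplying end_session_endpoint for a provider without a Discovery endpoint, by rebuilding each registration from Boot's own property mapping and handing the result to OidcClientInitiatedLogoutSuccessHandler. It assumes Spring Boot 2.x (OAuth2ClientPropertiesRegistrationAdapter), Spring Security 5.5 or later (ClientRegistration.withClientRegistration), and a hypothetical app.oidc.end-session-endpoint property; the endpoint must come from trusted configuration, since the handler redirects the user's browser to it.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

@Configuration
@EnableConfigurationProperties(OAuth2ClientProperties.class)
public class LogoutEndpointConfig {
    // Hypothetical property name; e.g. app.oidc.end-session-endpoint=https://op.example.test/oidc/logout
    @Value("${app.oidc.end-session-endpoint}")
    private String endSessionEndpoint;

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository(OAuth2ClientProperties properties) {
        // Reuse Boot's property-to-registration mapping instead of rebuilding every registration by hand
        List<ClientRegistration> registrations = new ArrayList<>();
        for (ClientRegistration registration : OAuth2ClientPropertiesRegistrationAdapter.getClientRegistrations(properties).values()) {
            registrations.add(withEndSessionEndpoint(registration, this.endSessionEndpoint));
        }
        return new InMemoryClientRegistrationRepository(registrations);
    }

    // Copy the registration and add end_session_endpoint to its configuration metadata; an endpoint already
    // learned from Discovery (issuer-uri) is kept, so only providers without one get the configured value.
    static ClientRegistration withEndSessionEndpoint(ClientRegistration registration, String endpoint) {
        Map<String, Object> metadata = new HashMap<>(registration.getProviderDetails().getConfigurationMetadata());
        metadata.putIfAbsent("end_session_endpoint", endpoint);
        return ClientRegistration.withClientRegistration(registration).providerConfigurationMetadata(metadata).build();
    }

    @Bean
    public LogoutSuccessHandler oidcLogoutSuccessHandler(ClientRegistrationRepository repository) {
        OidcClientInitiatedLogoutSuccessHandler handler = new OidcClientInitiatedLogoutSuccessHandler(repository);
        handler.setPostLogoutRedirectUri("{baseUrl}/");
        return handler;
    }
}
```

Because the bean is declared by the application, Boot's @ConditionalOnMissingBean InMemoryClientRegistrationRepository is skipped, but every registration still comes from the usual properties.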