I have configured OIDC backchannel logout in an application with a context-path. Issuing the logout from the provider does not destroy the client session.
Stepping through the code led me to the snippet below in OidcBackChannelLogoutHandler.eachLogout:
```java
// Spring Security 6.2.0-RC2, OidcBackChannelLogoutHandler.eachLogout (as quoted in this issue)
String url = request.getRequestURL().toString();
// replacePath() replaces the entire path, so a servlet context path such as /myapp is dropped
String logout = UriComponentsBuilder.fromHttpUrl(url).replacePath(this.logoutEndpointName).build().toUriString();
```
In the above, logout does not include the context-path, and the resulting POST returns a 404.
OidcBackChannelLogoutHandler.logoutEndpointName is assigned "/logout" by default. There does not appear to be a way to override this property through the DSL or through an ObjectPostProcessor.
I have reviewed https://github.com/spring-projects/spring-security/issues/13767 and understand the delay in supporting the DSL. In light of this, is there another way to configure logoutEndpointName?
EDIT: The version of Spring Security this was identified in is 6.2.0-RC2.
Comment From: seanhinkley
In the event someone comes across this issue, I used reflection to modify the value. After http.build(), I iterate over the list of filters to find the back channel filter and then modify the handler's endpoint.
It's important to note that, due to the private scope of both classes (OidcBackChannelLogoutFilter and OidcBackChannelLogoutHandler), I could not use instanceof and instead tested the name of the class.
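The reflection workaround described in the comment above, written out as an added example (this is not code from the issue author or from Spring Security). It assumes the Spring Security 6.2 `oidcLogout(...).backChannel(...)` DSL, a Boot application whose context path comes from `server.servlet.context-path`, and a hypothetical `BackChannelLogoutConfig` class with a `patchBackChannelLogoutEndpoint` helper. The only field name it assumes is `logoutEndpointName`, which the issue itself names; the filter's handler is located by runtime type rather than by an assumed field name. Because both classes are package-private, matching is on the simple class name, as the comment describes.

```java
import java.lang.reflect.Field;
import java.util.Optional;

import jakarta.servlet.Filter;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class BackChannelLogoutConfig {

    // Assumption: the servlet context path (e.g. "/myapp") is the one Boot applies
    // from this property; an empty default keeps the workaround a no-op without one.
    @Value("${server.servlet.context-path:}")
    private String contextPath;

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults())
            .oidcLogout(logout -> logout.backChannel(Customizer.withDefaults()));

        // Build first, then patch the filter instance that actually ended up in the chain.
        SecurityFilterChain chain = http.build();
        patchBackChannelLogoutEndpoint(chain, contextPath + "/logout");
        return chain;
    }

    /**
     * Finds the package-private OidcBackChannelLogoutFilter in the built chain and
     * rewrites its handler's private logoutEndpointName so that the handler's
     * replacePath(...) call yields "<contextPath>/logout" instead of "/logout".
     * Returns true if a filter was found and patched, false if none was present.
     */
    static boolean patchBackChannelLogoutEndpoint(SecurityFilterChain chain, String endpoint) {
        for (Filter filter : chain.getFilters()) {
            // instanceof is not available for a package-private class, so match by name.
            if (!"OidcBackChannelLogoutFilter".equals(filter.getClass().getSimpleName())) {
                continue;
            }
            Object handler = findFieldValueByType(filter, "OidcBackChannelLogoutHandler")
                .orElseThrow(() -> new IllegalStateException(
                    "OidcBackChannelLogoutHandler not found on OidcBackChannelLogoutFilter"));
            setPrivateField(handler, "logoutEndpointName", endpoint);
            return true;
        }
        return false;
    }

    // Walks the declared fields of the target (and its superclasses) and returns the
    // first non-null value whose runtime class has the given simple name. This avoids
    // assuming the name of the field that holds the handler.
    private static Optional<Object> findFieldValueByType(Object target, String simpleClassName) {
        for (Class<?> c = target.getClass(); c != null; c = c.getSuperclass()) {
            for (Field field : c.getDeclaredFields()) {
                field.setAccessible(true);
                Object value;
                try {
                    value = field.get(target);
                } catch (IllegalAccessException e) {
                    throw new IllegalStateException(e);
                }
                if (value != null && simpleClassName.equals(value.getClass().getSimpleName())) {
                    return Optional.of(value);
                }
            }
        }
        return Optional.empty();
    }

    private static void setPrivateField(Object target, String name, Object value) {
        try {
            Field field = target.getClass().getDeclaredField(name);
            field.setAccessible(true);
            field.set(target, value);
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("Cannot set " + name + " on " + target.getClass(), e);
        }
    }
}
```

With `server.servlet.context-path=/myapp`, the handler's `replacePath(this.logoutEndpointName)` now produces `https://host/myapp/logout` for a back-channel request that arrived at `https://host/myapp/...`, which is the URL the application's logout filter actually listens on. The patch depends on private names in 6.2.0-RC2 and will break silently (returning false) if the filter is renamed, so check the return value at startup and drop the workaround once a supported way to configure the endpoint is available.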
Comment From: jzheaux
Hi, @seanhinkley. Unfortunately for now, the logout endpoint must remain hardcoded, though I hope that we can take another look at https://github.com/spring-projects/spring-security/issues/13767 in 6.3.