Summary
I ❤️ the new OidcClientInitiatedServerLogoutSuccessHandler in Spring Security 5.2! The only problem I see with it is you have to set a postLogoutRedirectUri property. This will likely vary between development, test, and production, so it seems like kind of a pain to have to maintain a new property that could be calculated.
By default, it'd be nice if the postLogoutRedirectUri defaulted to the current context path (/). If people wanted to override it, it'd be cool if they could use a relative URL (that starts with /) or an absolute URL (current behavior).
I'm entering this here as requested by @jgrandja on Stack Overflow.
Actual Behavior
You need to set a postLogoutRedirectUri.
Expected Behavior
I'd like this value to default to /.
Configuration
OIDC with Okta and Keycloak (because JHipster).
Version
Spring Security 5.2
Comment From: jzheaux
@mraible I'm glad you like it!
By /, is it your intent to redirect to the root of the authorization server or the root of the client application?
@jgrandja Have you already considered the possibility of this being part of the ClientRegistration? It seems similar in nature to ClientRegistration#redirectUriTemplate.
Comment From: mraible
By /, I mean the root of the client application.
Comment From: jgrandja
@jzheaux I'm not sure it needs to be part of ClientRegistration. It seems it would be fairly trivial to implement a default postLogoutRedirectUri in the handler itself.
Comment From: jzheaux
By /, I mean the root of the client application.
Got it, @mraible. So, the existing semantics of this handler are to only include a post_logout_redirect_uri parameter if it's specified. I'm concerned that setting a default would surprise users who are upgrading - they'd have to now call setPostLogoutRedirectUri(null) or similar to keep their existing behavior.
What about if setPostLogoutRedirectUri understood the {baseUrl} placeholder in the setter?
handler.setPostLogoutRedirectUri("{baseUrl}")
This would work similarly to the redirect-uri-template configuration. Would that address your deployment concerns?
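How the proposed {baseUrl} placeholder would resolve, as an added illustration in plain Java (not Spring Security's implementation): it assembles the end_session_endpoint redirect the handler produces, omits post_logout_redirect_uri when nothing is configured, expands {baseUrl} from the current request, and passes an absolute URL through unchanged. The host names, context path and id_token value are constructed sample inputs.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Illustrative model of the RP-initiated logout URL; not Spring Security's code.
public final class LogoutUrlDemo {

    /** scheme://host[:port]/contextPath, the same shape redirect-uri-template's {baseUrl} uses. */
    static String baseUrl(URI requestUri, String contextPath) {
        StringBuilder sb = new StringBuilder(requestUri.getScheme())
                .append("://").append(requestUri.getHost());
        if (requestUri.getPort() != -1) {
            sb.append(':').append(requestUri.getPort());
        }
        return sb.append(contextPath).toString();
    }

    /** end_session_endpoint?id_token_hint=...[&post_logout_redirect_uri=...] */
    static URI endSessionUri(String endSessionEndpoint, String idToken, String postLogoutTemplate,
                             URI requestUri, String contextPath) {
        StringBuilder url = new StringBuilder(endSessionEndpoint)
                .append("?id_token_hint=").append(encode(idToken));
        // Existing 5.2 semantics: no value configured means the parameter is left out entirely.
        if (postLogoutTemplate != null) {
            String resolved = postLogoutTemplate.replace("{baseUrl}", baseUrl(requestUri, contextPath));
            url.append("&post_logout_redirect_uri=").append(encode(resolved));
        }
        return URI.create(url.toString());
    }

    private static String encode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample request and endpoint; "eyJ..." stands in for a real ID token.
        URI request = URI.create("https://app.example.com:8443/myapp/logout");
        String endSession = "https://idp.example.com/oauth2/v1/logout";
        System.out.println(endSessionUri(endSession, "eyJ...", null, request, "/myapp"));
        System.out.println(endSessionUri(endSession, "eyJ...", "{baseUrl}", request, "/myapp"));
        System.out.println(endSessionUri(endSession, "eyJ...", "https://portal.example.com/bye", request, "/myapp"));
    }
}
```

Whatever the client sends, the authorization server is expected to accept a post_logout_redirect_uri only if it matches one registered for that client, so deployment-specific values still have to be registered there.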
Comment From: mraible
This would work similarly to the redirect-uri-template configuration. Would that address your deployment concerns?
I believe so. What happens currently if I use the OidcClientInitiatedServerLogoutSuccessHandler without setting a PostLogoutRedirectUri?
Comment From: jzheaux
The parameter is not added to the redirect. It was done that way since that parameter is optional.
Comment From: victorchicu
It would be nice to have the postLogoutRedirectUri method protected; in that case we could build a redirect URI with information based on the request or whatever else.
```java
import org.springframework.http.HttpHeaders;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;

/**
 * Assumes postLogoutRedirectUri(...) is made protected as requested above;
 * the released class does not expose it, so this is a proposal, not working code against 5.2.
 */
public class RefererOidcClientInitiatedServerLogoutSuccessHandler extends OidcClientInitiatedServerLogoutSuccessHandler {
	/**
	 * Constructs an {@link OidcClientInitiatedServerLogoutSuccessHandler} with the
	 * provided parameters
	 *
	 * @param clientRegistrationRepository The
	 * {@link ReactiveClientRegistrationRepository} to use to derive the
	 * end_session_endpoint value
	 */
	public RefererOidcClientInitiatedServerLogoutSuccessHandler(ReactiveClientRegistrationRepository clientRegistrationRepository) {
		super(clientRegistrationRepository);
	}

	@Override
	protected String postLogoutRedirectUri(ServerHttpRequest request, ClientRegistration clientRegistration) {
		// Referer is set by the browser and may be absent; fall back to the configured value,
		// which may itself be null (meaning: omit post_logout_redirect_uri). A plain null check
		// avoids the NullPointerException that Objects.requireNonNullElse throws when both are null.
		// The provider must still reject values not registered for this client.
		String referer = request.getHeaders().getFirst(HttpHeaders.REFERER);
		return referer != null ? referer : super.postLogoutRedirectUri(request, clientRegistration);
	}
}
```