Expected Behavior

OIDC backchannel logout should be configured easily using XML security configuration by Spring namespaces (if possible without the "Spring reactive stack") same way as it is supported by DSL java reactive configuration. The https://www.springframework.org/schema/security/spring-security.xsd namespaces should define elements with attributes like for instance similarly like current with easy attribute configuration options. I am referring to the java equivalents in: org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2LoginSpec org.springframework.security.config.web.server.ServerHttpSecurity.OidcLogoutSpec where org.springframework.security.config.web.server.ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer allows the configuration of logoutUri.

Current Behavior In the Spring Security version 6.3.1 it is possible to use org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler to destroy session on IDP/OpenID Provider however the backchannel logout that would perform the "global logout" (for all Relying Parties) cannot be easily configured using XML a most probably requires reactive dependencies and configuration.

There is no option to use OIDC backchannel logout easily using XML security configurations The https://www.springframework.org/schema/security/spring-security.xsd contains elements like security:oauth2-login with easy attribute configuration options however there are no attributes supporting the new DSL features for backchannel logout: https://github.com/spring-projects/spring-security/issues/7845 https://docs.spring.io/spring-security/reference/reactive/oauth2/login/logout.html#configure-provider-initiated-oidc-logout .oidcLogout((logout) -> logout .backChannel(Customizer.withDefaults()) );

Context

I do not see any simple way to introduce the backchannel logout in the current Spring Security Config XML configuration. The namespaces do not contain the java DSL OIDC backchannel logout possibilities. The documentation refers to reactive stack which was not yet required and it is not yet available in our application.

I am wondering if there is a simple way to support OIDC backchannel logout in the current Spring/Spring Security application. In cases we would like to introduce the beans manually, the reactive stack needs to be activated. Also the filter OidcBackChannelLogoutWebFilter is package private class without public setters so there is no way to inject any beans in the XML configuration. The same applies for OidcBackChannelServerLogoutHandler. It there a way to register OidcBackChannelLogoutWebFilter to ServerHttpSecurity (represented by \<http> element)? Most probably for registering WebFilters is additional reactive stack configuration required.

I am also open if you see any workarounds for configuring OIDC backchannel in XML security configuration. Currently we support multiple Spring Security configurations with different mechanisms using XML configuration and we would like to avoid using java DSL configuration if possible.