The current OIDC back-channel logout support saves the end-user's CSRF token to use in a self-logout call when the back-channel request comes from the authorization server.
This adds more information to OidcSessionInformation than may be necessary. Instead, I think it would also work to send the logout_token in place of the CSRF token.
The upside is a simpler contract and simpler configuration. The possible downside is the logout token is validated multiple times, once for each session being invalidated.
Comment From: jzheaux
Waiting on #14510
Comment From: jzheaux
Given the feedback in https://github.com/spring-projects/spring-security/issues/15227, I think that's enough to consider adding this without waiting for #14510.