Customize post_logout_redirect_uri validation in OIDC RP-initiated logout #1693

Open
Kehrlann opened this issue Aug 16, 2024 · 2 comments · May be fixed by #1723
Labels: status: duplicate (A duplicate of another issue), type: enhancement (A general enhancement)

Comments

@Kehrlann (Contributor)

Context

In local development scenarios, some auth servers relax some specified constraints. For example, in Tanzu, we have use-cases where we remove redirect_uri validation in OAuth2AuthorizationCodeRequestAuthenticationProvider through the OAuth2AuthorizationCodeRequestAuthenticationProvider#setAuthenticationValidator hook.

Feature request

We want to turn off post_logout_redirect_uri validation in OidcLogoutAuthenticationProvider, but it is currently hardcoded.

We would like to have a similar #setAuthenticationValidator in OidcLogoutAuthenticationProvider. We are interested in the redirect uri validation, but maybe this extends to the client identity (e.g. aud claim).

Workaround

For our workaround, we have a custom OidcLogoutAuthenticationProvider that wraps around the original and modifies the client registration (not great). We rely on our custom RegisteredClientRepository and RegisteredClient implementations:

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcLogoutAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcLogoutAuthenticationToken;

/**
 * Wraps the library's OidcLogoutAuthenticationProvider. Before delegating, it looks up
 * the client that issued the id_token_hint and adds the requested post_logout_redirect_uri
 * to that client's allow-list, so the delegate's hardcoded validation passes.
 * SsoRegisteredClientRepository / SsoRegisteredClient are our own implementations.
 */
class SsoOidcLogoutAuthenticationProvider implements AuthenticationProvider {

	private final OidcLogoutAuthenticationProvider delegate;

	private final OAuth2AuthorizationService authorizationService;

	private final SsoRegisteredClientRepository registeredClientRepository;

	public SsoOidcLogoutAuthenticationProvider(OidcLogoutAuthenticationProvider delegate,
			OAuth2AuthorizationService authorizationService, SsoRegisteredClientRepository registeredClientRepository) {
		this.delegate = delegate;
		this.authorizationService = authorizationService;
		this.registeredClientRepository = registeredClientRepository;
	}

	@Override
	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
		OidcLogoutAuthenticationToken initialAuth = (OidcLogoutAuthenticationToken) authentication;

		// Resolve the authorization (and therefore the client) from the id_token_hint
		OAuth2Authorization authorization = this.authorizationService.findByToken(initialAuth.getIdTokenHint(),
				new OAuth2TokenType(OidcParameterNames.ID_TOKEN));
		// ... handle error (no authorization found for the id_token_hint)
		SsoRegisteredClient registeredClient = this.registeredClientRepository
			.findById(authorization.getRegisteredClientId());
		// ... handle missing redirect_uri

		// 🚨 Here we modify the registered client to add the current request's
		// post logout redirect uri to the allow-list
		registeredClient.addPostLogoutUri(initialAuth.getPostLogoutRedirectUri());

		// The delegate now finds the URI in the allow-list and performs the rest of the logout checks
		return this.delegate.authenticate(initialAuth);
	}

	@Override
	public boolean supports(Class<?> authentication) {
		return this.delegate.supports(authentication);
	}

}
```

Happy to contribute a PR if that's a valid use-case.

@Kehrlann Kehrlann added the type: enhancement A general enhancement label Aug 16, 2024
@Kehrlann Kehrlann changed the title Customnize post_logout_redirect_uri validation in OIDC RP-initiated logout Customize post_logout_redirect_uri validation in OIDC RP-initiated logout Aug 16, 2024
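The hook the issue asks for already exists on the authorization endpoint side, so here is what a customised validator plugged into OAuth2AuthorizationCodeRequestAuthenticationProvider#setAuthenticationValidator looks like in practice. This is an added example, not code from the issue author or from Spring Authorization Server; the class name DevHostRedirectUriValidator and its devHosts parameter are made up for illustration. Rather than switching redirect_uri validation off (which turns the authorization endpoint into an open redirector and lets an attacker collect authorization codes), it relaxes only the port check for an explicit set of development hosts such as localhost and hands every other request to the library's default exact-match validator. The issue proposes the same Consumer-of-context shape for OidcLogoutAuthenticationProvider, where the corresponding parameter would be post_logout_redirect_uri.

```java
import java.util.List;
import java.util.Set;
import java.util.function.Consumer;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationValidator;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.util.StringUtils;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * Hypothetical dev-profile validator (example code, not part of the library).
 * For an explicit set of development hosts (e.g. "localhost") it accepts a registered
 * redirect_uri on ANY port, so a dev server bound to a random port still works.
 * Everything else is delegated to the library's default exact-match validator,
 * so the hook never becomes an open redirector for real clients.
 */
public final class DevHostRedirectUriValidator
		implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

	private final Set<String> devHosts; // hosts for which the port is ignored, e.g. Set.of("localhost")

	public DevHostRedirectUriValidator(Set<String> devHosts) {
		this.devHosts = Set.copyOf(devHosts);
	}

	@Override
	public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext context) {
		OAuth2AuthorizationCodeRequestAuthenticationToken authentication = context.getAuthentication();
		String requestedRedirectUri = authentication.getRedirectUri();
		UriComponents requested = null;
		if (StringUtils.hasText(requestedRedirectUri)) {
			try {
				requested = UriComponentsBuilder.fromUriString(requestedRedirectUri).build();
			}
			catch (IllegalArgumentException ex) {
				requested = null; // malformed: let the default validator reject it
			}
		}
		// Only plain http to a listed dev host, with no fragment, qualifies for the relaxation.
		if (requested == null || requested.getFragment() != null || !"http".equals(requested.getScheme())
				|| !this.devHosts.contains(requested.getHost())) {
			OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_REDIRECT_URI_VALIDATOR.accept(context);
			return;
		}
		RegisteredClient registeredClient = context.getRegisteredClient();
		for (String registeredUri : registeredClient.getRedirectUris()) {
			// Rebase the registered URI onto the requested port, then require an exact string match:
			// scheme, host, path and query must still agree; only the port may differ.
			String rebased = UriComponentsBuilder.fromUriString(registeredUri)
					.port(requested.getPort()).build().toUriString();
			if (rebased.equals(requested.toUriString())) {
				return;
			}
		}
		OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST,
				"OAuth 2.0 Parameter: " + OAuth2ParameterNames.REDIRECT_URI, null);
		// Passing null as the token renders the error locally instead of redirecting
		// the user to the unverified redirect_uri.
		throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
	}

	/** Wires this validator (plus the library's default scope check) into the authorization endpoint's providers. */
	public static Consumer<List<AuthenticationProvider>> configure(Set<String> devHosts) {
		Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> validator =
				new DevHostRedirectUriValidator(devHosts)
					.andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);
		return (providers) -> providers.forEach((provider) -> {
			if (provider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider codeRequestProvider) {
				codeRequestProvider.setAuthenticationValidator(validator);
			}
		});
	}

}
```

Register it from a configuration that is only active in a development profile, through the OAuth2AuthorizationServerConfigurer: `authorizationEndpoint(endpoint -> endpoint.authenticationProviders(DevHostRedirectUriValidator.configure(Set.of("localhost"))))`. Chaining DEFAULT_SCOPE_VALIDATOR matters: setAuthenticationValidator replaces the whole validator, so a replacement that only handles redirect_uri silently drops the scope check.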
@jgrandja (Collaborator)

@Kehrlann Thanks for the details and we can certainly add this enhancement. Would you be interested in submitting a PR that adds OidcLogoutAuthenticationProvider.setAuthenticationValidator()?

@Kehrlann (Contributor, Author)

@jgrandja
Yes, happy to submit a PR. I’ll look at it next week.

Kehrlann added a commit to Kehrlann/spring-authorization-server that referenced this issue Sep 17, 2024
- Similar to custom validation in OAuth2AuthorizationCodeRequestAuthenticationProvider
- Closes spring-projectsgh-1693
@jgrandja jgrandja added the status: duplicate A duplicate of another issue label Sep 18, 2024
Kehrlann added a commit to Kehrlann/spring-authorization-server that referenced this issue Sep 27, 2024
- Similar to custom validation in OAuth2AuthorizationCodeRequestAuthenticationProvider
- Closes spring-projectsgh-1693