-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support custom validation in OidcLogoutAuthenticationProvider #1723
base: main
Are you sure you want to change the base?
Support custom validation in OidcLogoutAuthenticationProvider #1723
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR @Kehrlann !
In addition to addressing the feedback, please add documentation to the reference similar to Customizing Authorization Request Validation and Customizing Client Credentials Grant Request Validation.
@@ -0,0 +1,142 @@ | |||
/* | |||
* Copyright 2020-2023 the original author or authors. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update copyright year
@@ -21,6 +21,7 @@ | |||
import java.security.Principal; | |||
import java.util.Base64; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update copyright year
@@ -0,0 +1,94 @@ | |||
/* | |||
* Copyright 2020-2023 the original author or authors. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update copyright year
* Returns the {@link OAuth2Authorization authorization request}. | ||
* @return the {@link OAuth2Authorization} | ||
*/ | ||
public OAuth2Authorization getAuthorizationRequest() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not used so can be removed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should leave it.
Since this is the OidcLogoutAuthenticationContext
, it goes beyond just the logout URI. The OAuth2Authorization
is part of the the logout context and is loaded from a repository, it may prove useful for users who want to perform further checks.
/** | ||
* The default validator for {@link OidcIdToken#getAudience()}. | ||
*/ | ||
public static final Consumer<OidcLogoutAuthenticationContext> DEFAULT_AUDIENCE_VALIDATOR = OidcLogoutAuthenticationValidator::validateAudience; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should reset this change since this issue is to address post_logout_redirect_uri
customization. Is this needed here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wanted to give more a bit flexibility in logout validation, and showcase how validators can be composed, similar to what we do in the redirect uri validation.
Happy to remove it though - In I can't think of a valid use-case where the id_token
doesn't have the client_id
in the aud
claim.
- Similar to custom validation in OAuth2AuthorizationCodeRequestAuthenticationProvider - Closes spring-projectsgh-1693
bbd9476
to
ef54d36
Compare
OAuth2AuthorizationCodeRequestAuthenticationProvider
post_logout_redirect_uri
validation in OIDC RP-initiated logout #1693