Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support custom validation in OidcLogoutAuthenticationProvider #1723

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Support custom validation in OidcLogoutAuthenticationProvider #1723

wants to merge 1 commit into from
+298 −11

Conversation

Kehrlann
Copy link
Contributor

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 17, 2024
@jgrandja jgrandja self-requested a review September 18, 2024 19:03
@jgrandja jgrandja self-assigned this Sep 18, 2024
@jgrandja jgrandja added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 18, 2024
@jgrandja jgrandja added this to the 1.4.0-RC1 milestone Sep 18, 2024
jgrandja
jgrandja requested changes Sep 26, 2024
View reviewed changes
Copy link
Collaborator

@jgrandja jgrandja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @Kehrlann !

In addition to addressing the feedback, please add documentation to the reference similar to Customizing Authorization Request Validation and Customizing Client Credentials Grant Request Validation.

...ecurity/oauth2/server/authorization/oidc/authentication/OidcLogoutAuthenticationContext.java Outdated
@@ -0,0 +1,142 @@
/*
* Copyright 2020-2023 the original author or authors.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update copyright year

...curity/oauth2/server/authorization/oidc/authentication/OidcLogoutAuthenticationProvider.java
@@ -21,6 +21,7 @@
import java.security.Principal;
import java.util.Base64;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update copyright year

...urity/oauth2/server/authorization/oidc/authentication/OidcLogoutAuthenticationValidator.java Outdated
@@ -0,0 +1,94 @@
/*
* Copyright 2020-2023 the original author or authors.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update copyright year

...ecurity/oauth2/server/authorization/oidc/authentication/OidcLogoutAuthenticationContext.java
* Returns the {@link OAuth2Authorization authorization request}.
* @return the {@link OAuth2Authorization}
*/
public OAuth2Authorization getAuthorizationRequest() {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not used so can be removed

Copy link
Contributor Author

@Kehrlann Kehrlann Sep 27, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should leave it.

Since this is the OidcLogoutAuthenticationContext, it goes beyond just the logout URI. The OAuth2Authorization is part of the the logout context and is loaded from a repository, it may prove useful for users who want to perform further checks.

...urity/oauth2/server/authorization/oidc/authentication/OidcLogoutAuthenticationValidator.java
/**
* The default validator for {@link OidcIdToken#getAudience()}.
*/
public static final Consumer<OidcLogoutAuthenticationContext> DEFAULT_AUDIENCE_VALIDATOR = OidcLogoutAuthenticationValidator::validateAudience;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should reset this change since this issue is to address post_logout_redirect_uri customization. Is this needed here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to give more a bit flexibility in logout validation, and showcase how validators can be composed, similar to what we do in the redirect uri validation.

Happy to remove it though - In I can't think of a valid use-case where the id_token doesn't have the client_id in the aud claim.

@Kehrlann
Support custom validation in OidcLogoutAuthenticationProvider
ef54d36 
- Similar to custom validation in OAuth2AuthorizationCodeRequestAuthenticationProvider
- Closes spring-projectsgh-1693
@Kehrlann Kehrlann force-pushed the customize-post-logout-redirect-uri-check branch from bbd9476 to ef54d36 Compare September 27, 2024 12:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jgrandja jgrandja jgrandja requested changes

Assignees

@jgrandja jgrandja

Labels
type: enhancement A general enhancement
Projects
Spring Security Team
Status: In Progress
Milestone
1.4.0-RC1
Development

Successfully merging this pull request may close these issues.

Customize post_logout_redirect_uri validation in OIDC RP-initiated logout
3 participants
@Kehrlann @jgrandja @spring-projects-issues