It would be nice to be able to perform OAuth2 Logout in v5.8.x (same functionality as v6 offers in that regard: local/back-channel/client-initiated).

Background:

We have 3 "login capable" products that authenticate using Keycloak's deprecated adapter. Those 3 products are currently stuck on the Javax Servlet API due to other frameworks (one of those products is stuck due to a massive amount of Struts v1.2 code, so that will probably never be running on the Jakarta Servlet API or the new Spring libraries).

Side-note: The KC adapter has caused us a great deal of grief over the years, so we'd really like to jump on a plain Spring Security setup for this (and in our case the logout functionality is the only blocker).

I am aware that it is a bit arbitrary to request a feature backport for a single feature. So if there is not a case for this, it would be very helpful with some good advice on how to proceed. I chose to make it a feature request, so others can chime in, if they are/have been stuck in a similar situation.

I see that v5.8.x is being touted as a stepping stone for v6.x and was wondering if it would be a minor task to backport and maintain the OAuth2 Logout on top of that (not necessarily a Spring Security project) - I assume that it would be doable/viable, if the underlying concepts/code align to a certain degree across v5.8.x and v6.x - If it is necessary to come up with (and implement) most of it from scratch, then we will probably not be throwing developer resources at it.

Comment From: jzheaux

Hey, @cpoulsen-dezide, thanks for reaching out. Given that 5.8.x is offered as a release to facilitate upgrading to 6.x, there are no plans to add features to it.

That said, it in the end is a set of filters and components that you can copy from 6 and wire in your filter chain as a custom filter, so I imagine you could still borrow the Spring Security code without needing to write it yourself.

Comment From: xiechangning20

> Hey, @cpoulsen-dezide, thanks for reaching out. Given that 5.8.x is offered as a release to facilitate upgrading to 6.x, there are no plans to add features to it.
>
> That said, it in the end is a set of filters and components that you can copy from 6 and wire in your filter chain as a custom filter, so I imagine you could still borrow the Spring Security code without needing to write it yourself.

Hi @jzheaux,

I'm working on implementing OIDC backchannel logout using Spring Security 5.7, referencing the code from version 6.x. So far, I've identified two key components involved:

OidcBackChannelLogoutHandler: This receives the backchannel logout request from the OIDC provider (Keycloak in our case), locates and removes the corresponding OIDC session from the session registry, and then sends an internal logout request with the logout token in the request body.

LogoutFilter: This handles the internal logout request, but appears to rely on the SecurityContext to fetch the Authentication, which seems odd in the context of a backchannel request.

My question is: how is the logout token from the OidcBackChannelLogoutHandler step transferred or made available to the SecurityContext (or to whatever LogoutHandler needs it)? Is there a filter or component in between that extracts the token and sets the appropriate authentication into the context, or is there some other mechanism I'm missing?

Thanks!
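Since 5.8.x has no OidcSessionRegistry, one way to follow the "wire it as a custom filter" suggestion above is to key the back-channel logout off the 5.x SessionRegistry instead. This is an added example, not Spring Security's or the issue author's code: the BackChannelLogoutFilter name and the endpoint path are assumptions, the decoder is assumed to be built with an issuer validator, sessionManagement().maximumSessions(n).sessionRegistry(registry) is assumed to be configured (which populates the registry and installs ConcurrentSessionFilter), and Keycloak is assumed to put a sid claim in both the ID token and the logout token.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.security.core.session.*;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.web.filter.OncePerRequestFilter;
// Hypothetical filter (not Spring Security's own); wire it with
// http.addFilterBefore(new BackChannelLogoutFilter(decoder, registry), LogoutFilter.class)
public class BackChannelLogoutFilter extends OncePerRequestFilter {
    private static final String LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";
    private final JwtDecoder decoder;       // e.g. NimbusJwtDecoder.withJwkSetUri(...) plus an issuer validator
    private final SessionRegistry registry; // filled by sessionManagement().maximumSessions(n).sessionRegistry(r)
    public BackChannelLogoutFilter(JwtDecoder decoder, SessionRegistry registry) { this.decoder = decoder; this.registry = registry; }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        // Only the provider's back-channel POST is handled here; anything else continues down the chain
        if (!"POST".equals(req.getMethod()) || !"/logout/connect/back-channel".equals(req.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        Jwt jwt;
        try { // signature, issuer and exp/iat are checked by the decoder; a missing token fails to parse
            jwt = this.decoder.decode(String.valueOf(req.getParameter("logout_token")));
        } catch (JwtException ex) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Per the back-channel logout spec the token must carry the logout event and must not carry a nonce
        Map<String, Object> events = jwt.getClaim("events");
        if (events == null || !events.containsKey(LOGOUT_EVENT) || jwt.getClaims().containsKey("nonce")) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String sid = jwt.getClaimAsString("sid"), sub = jwt.getSubject();
        for (Object principal : this.registry.getAllPrincipals()) {
            if (!(principal instanceof OidcUser)) continue;
            OidcUser user = (OidcUser) principal;
            // Prefer the session id (sid) match; fall back to subject when the OP sends only sub
            boolean match = sid != null ? sid.equals(user.getIdToken().getClaimAsString("sid"))
                                        : sub != null && sub.equals(user.getSubject());
            if (!match) continue;
            // expireNow() only marks the session; ConcurrentSessionFilter rejects its next request
            for (SessionInformation s : this.registry.getAllSessions(principal, false)) s.expireNow();
        }
        res.setStatus(HttpServletResponse.SC_OK);
    }
}
```

The provider's POST carries no CSRF token, so the endpoint has to be excluded from CSRF protection and be reachable by Keycloak without a browser session.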