Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support customizing the serverLogoutSuccessHandler for OidcClientInitiatedServerLogoutSuccessHandler #14808

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -23,6 +23,7 @@

import reactor.core.publisher.Mono;

import org.springframework.core.convert.converter.Converter;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
Expand All @@ -35,6 +36,7 @@
import org.springframework.security.web.server.authentication.logout.RedirectServerLogoutSuccessHandler;
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

Expand All @@ -57,6 +59,8 @@ public class OidcClientInitiatedServerLogoutSuccessHandler implements ServerLogo

private String postLogoutRedirectUri;

private Converter<RedirectUriParameters, Mono<String>> redirectUriResolver = new DefaultRedirectUriResolver();

/**
* Constructs an {@link OidcClientInitiatedServerLogoutSuccessHandler} with the
* provided parameters
Expand All @@ -79,15 +83,10 @@ public Mono<Void> onLogoutSuccess(WebFilterExchange exchange, Authentication aut
.map(OAuth2AuthenticationToken.class::cast)
.map(OAuth2AuthenticationToken::getAuthorizedClientRegistrationId)
.flatMap(this.clientRegistrationRepository::findByRegistrationId)
.flatMap((clientRegistration) -> {
URI endSessionEndpoint = endSessionEndpoint(clientRegistration);
if (endSessionEndpoint == null) {
return Mono.empty();
}
String idToken = idToken(authentication);
String postLogoutRedirectUri = postLogoutRedirectUri(exchange.getExchange().getRequest(), clientRegistration);
return Mono.just(endpointUri(endSessionEndpoint, idToken, postLogoutRedirectUri));
})
.flatMap((clientRegistration) ->
this.redirectUriResolver.convert(
new RedirectUriParameters(exchange.getExchange(), authentication, clientRegistration))
)
.switchIfEmpty(
this.serverLogoutSuccessHandler.onLogoutSuccess(exchange, authentication).then(Mono.empty())
)
Expand Down Expand Up @@ -189,4 +188,79 @@ public void setLogoutSuccessUrl(URI logoutSuccessUrl) {
this.serverLogoutSuccessHandler.setLogoutSuccessUrl(logoutSuccessUrl);
}

/**
* Set the {@link Converter} that converts {@link RedirectUriParameters} to redirect
* URI
* @param redirectUriResolver {@link Converter}
* @since 6.5
*/
public void setRedirectUriResolver(Converter<RedirectUriParameters, Mono<String>> redirectUriResolver) {
Assert.notNull(redirectUriResolver, "redirectUriResolver cannot be null");
this.redirectUriResolver = redirectUriResolver;
}

/**
* Parameters, required for redirect URI resolving.
*
* @author Max Batischev
* @since 6.5
*/
public static final class RedirectUriParameters {

private final ServerWebExchange serverWebExchange;

private final Authentication authentication;

private final ClientRegistration clientRegistration;

public RedirectUriParameters(ServerWebExchange serverWebExchange, Authentication authentication,
ClientRegistration clientRegistration) {
Assert.notNull(clientRegistration, "clientRegistration cannot be null");
Assert.notNull(serverWebExchange, "serverWebExchange cannot be null");
Assert.notNull(authentication, "authentication cannot be null");
this.serverWebExchange = serverWebExchange;
this.authentication = authentication;
this.clientRegistration = clientRegistration;
}

public ServerWebExchange getServerWebExchange() {
return this.serverWebExchange;
}

public Authentication getAuthentication() {
return this.authentication;
}

public ClientRegistration getClientRegistration() {
return this.clientRegistration;
}

}

/**
* Default {@link Converter} for redirect uri resolving.
*
* @since 6.5
*/
private final class DefaultRedirectUriResolver implements Converter<RedirectUriParameters, Mono<String>> {

@Override
public Mono<String> convert(RedirectUriParameters redirectUriParameters) {
// @formatter:off
return Mono.just(redirectUriParameters.authentication)
.flatMap((authentication) -> {
URI endSessionEndpoint = endSessionEndpoint(redirectUriParameters.clientRegistration);
if (endSessionEndpoint == null) {
return Mono.empty();
}
String idToken = idToken(authentication);
String postLogoutRedirectUri = postLogoutRedirectUri(
redirectUriParameters.serverWebExchange.getRequest(), redirectUriParameters.clientRegistration);
return Mono.just(endpointUri(endSessionEndpoint, idToken, postLogoutRedirectUri));
});
// @formatter:on
}

}

}
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -19,6 +19,7 @@
import java.io.IOException;
import java.net.URI;
import java.util.Collections;
import java.util.Objects;

import jakarta.servlet.ServletException;
import org.junit.jupiter.api.BeforeEach;
Expand Down Expand Up @@ -199,6 +200,25 @@ public void setPostLogoutRedirectUriTemplateWhenGivenNullThenThrowsException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setPostLogoutRedirectUri((String) null));
}

@Test
public void logoutWhenCustomRedirectUriResolverSetThenRedirects() {
OAuth2AuthenticationToken token = new OAuth2AuthenticationToken(TestOidcUsers.create(),
AuthorityUtils.NO_AUTHORITIES, this.registration.getRegistrationId());
WebFilterExchange filterExchange = new WebFilterExchange(this.exchange, this.chain);
given(this.exchange.getRequest())
.willReturn(MockServerHttpRequest.get("/").queryParam("location", "https://test.com").build());
// @formatter:off
this.handler.setRedirectUriResolver((params) -> Mono.just(
Objects.requireNonNull(params.getServerWebExchange()
.getRequest()
.getQueryParams()
.getFirst("location"))));
// @formatter:on
this.handler.onLogoutSuccess(filterExchange, token).block();

assertThat(redirectedUrl(this.exchange)).isEqualTo("https://test.com");
}

private String redirectedUrl(ServerWebExchange exchange) {
return exchange.getResponse().getHeaders().getFirst("Location");
}
Expand Down