Class ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer

java.lang.Object
org.springframework.security.config.web.server.ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer
Enclosing class:
ServerHttpSecurity.OidcLogoutSpec

public final class ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer extends Object
A configurer for OIDC Back-Channel Logout.
  • Constructor Details

    • BackChannelLogoutConfigurer

      public BackChannelLogoutConfigurer()
  • Method Details

    • logoutUri

      public ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer logoutUri(String logoutUri)

      Use this endpoint when invoking a back-channel logout.

      The resulting LogoutHandler will POST the session cookie and CSRF token to this endpoint to invalidate the corresponding end-user session.

      Supports URI templates like {baseUrl}, {baseScheme}, and {basePort}.

      By default, the URI is set to {baseUrl}/logout/connect/back-channel/{registrationId}, meaning that the scheme and port of the original back-channel request are preserved, while the host and endpoint are changed.

      If you are using Spring Security for the logout endpoint, the path part of this URI should match the value configured there.

      Otherwise, this is handy in the event that your server configuration means that the scheme, server name, or port in the Host header are different from how you would address the same server internally.

      Parameters:
      logoutUri - the URI to request logout on the back-channel
      Returns:
      the ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer for further customizations
      Since:
      6.2.4
    • logoutHandler

      public ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer logoutHandler(ServerLogoutHandler logoutHandler)

      Configure what and how per-session logout will be performed.

      This overrides any value given to logoutUri(String).

      By default, the resulting LogoutHandler will POST the session cookie and OIDC logout token back to the original back-channel logout endpoint.

      Using this method replaces the underlying default, which POSTs the session cookie and CSRF token to your application's /logout endpoint. Because the handler configured here does not require any special CSRF configuration, it is recommended to call this method rather than accept the /logout default, even if you need no other changes.

      For example, configuring Back-Channel Logout in the following way:

              http
                      .oidcLogout((oidc) -> oidc
                              .backChannel((backChannel) -> backChannel
                                      .logoutHandler(new OidcBackChannelServerLogoutHandler())
                              )
                      );

      ensures that the per-session logout invocation no longer requires special CSRF configuration.

      The default URI is {baseUrl}/logout/connect/back-channel/{registrationId}, which is simply an internal version of the same endpoint exposed to your Back-Channel services. You can use OidcBackChannelServerLogoutHandler.setLogoutUri(String) to alter the scheme, server name, or port in the Host header to accommodate how your application would address itself internally.

      For example, if the way your application would internally call itself is on a different scheme and port than incoming traffic, you can configure the endpoint in the following way:

              http
                      .oidcLogout((oidc) -> oidc
                              .backChannel((backChannel) -> backChannel
                                      .logoutUri("http://localhost:9000/logout/connect/back-channel/{registrationId}")
                              )
                      );


      You can also publish it as a @Bean as follows:

              @Bean
              OidcBackChannelServerLogoutHandler oidcLogoutHandler() {
                      OidcBackChannelServerLogoutHandler logoutHandler = new OidcBackChannelServerLogoutHandler();
                      logoutHandler.setLogoutUri("http://localhost:9000/logout/connect/back-channel/{registrationId}");
                      return logoutHandler;
              }

      to have the same effect.
      Parameters:
      logoutHandler - the ServerLogoutHandler to use for each individual session
      Returns:
      the ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer for further customizations
      Since:
      6.4
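      The following is an added example, not part of the Spring Security Javadoc, showing how the recommended logoutHandler form and an internal logout URI fit into a complete reactive security configuration. The configuration class name, the internal address http://localhost:9000, and the import package chosen for OidcBackChannelServerLogoutHandler are assumptions; the rest of the API (ServerHttpSecurity, oauth2Login, oidcLogout, backChannel) is the one this page documents.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
// Assumed package for the reactive back-channel handler; verify against your Spring Security version.
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcBackChannelServerLogoutHandler;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class BackChannelLogoutConfig {

    // Published as a bean so the internal address is defined once. The scheme and port are a
    // constructed example: the application reaches itself on plain HTTP at port 9000, while the
    // provider's back-channel request arrives via a TLS-terminating proxy with a different Host.
    @Bean
    OidcBackChannelServerLogoutHandler oidcLogoutHandler() {
        OidcBackChannelServerLogoutHandler logoutHandler = new OidcBackChannelServerLogoutHandler();
        logoutHandler.setLogoutUri("http://localhost:9000/logout/connect/back-channel/{registrationId}");
        return logoutHandler;
    }

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
            OidcBackChannelServerLogoutHandler oidcLogoutHandler) {
        http
            .authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated())
            // OIDC login establishes the end-user sessions that back-channel logout later ends.
            .oauth2Login(Customizer.withDefaults())
            .oidcLogout((oidc) -> oidc
                .backChannel((backChannel) -> backChannel
                    // Supplying the handler replaces the /logout default: the per-session POST
                    // carries the session cookie and OIDC logout token, so no CSRF exemption
                    // for /logout is needed.
                    .logoutHandler(oidcLogoutHandler)
                )
            );
        return http.build();
    }
}
```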