Single sign-off: RP-Initiated logout #24
Comments
|
While spring doesn't support Back-Channel-Logout, some can use (for example with keycloak) OpenID Connect RP-Initiated Logout with e.g. a custom logout success handler like described here: https://stackoverflow.com/a/67853291/1662997 |
|
Yes, exactly! The implementation will start with an RP-Initiated Logout for the first scenario, using the |
|
We can also provide some configuration properties to handle the logout process, for example: vaadin:
auth:
logout-url: /logout
logout-redirect-url: /Those values would be the default, but in case the developer wants to provide a logout confirmation view they'd be able to do so setting a custom |
|
Seems like what Spring does to logout the user when hitting So the For example, this would properly logout from the local security-context and the OIDC provider: public class LogoutView extends VerticalLayout {
public LogoutView(ClientRegistrationRepository clientRegistrationRepository, ApplicationEventPublisher eventPublisher) {
add(new Button("Logout", click -> {
var auth = SecurityContextHolder.getContext().getAuthentication();
var logoutHandler = new SecurityContextLogoutHandler();
var eventPublishingHandler = new LogoutSuccessEventPublishingLogoutHandler();
eventPublishingHandler.setApplicationEventPublisher(eventPublisher);
var handler = new CompositeLogoutHandler(logoutHandler, eventPublishingHandler);
var req = VaadinServletRequest.getCurrent().getHttpServletRequest();
var res = VaadinServletResponse.getCurrent().getHttpServletResponse();
handler.logout(req, res, auth);
var oidcLogoutHandler = OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
try {
oidcLogoutHandler.onLogoutSuccess(req, res, auth);
} catch (IOException | ServletException e) {
e.printStackTrace();
}
});
}
}But this does not take into account any custom logout handler that could be added to the security configuration, so it's not optimal. The other way around would be hitting
See also this issue which is related to RP-Initiated logout: https://github.com/vaadin/start/issues/2010 |
|
To avoid writing enormous click listeners we might provide helpers via some kind of object which could also provide the logout functionality, for example the context bean described to get user informations in #14 (comment) |
|
This issue will track RP-Initiated logout, while support for back-channel logout will be tracked by #29. |
In #22 are described the requirements of proper session management when dealing with single sign-on providers, and single sign-off is among the others a sensible one as it involves different scenarios; for example:
The first scenario can be managed within the app, by invalidating both Vaadin's and the servlet's sessions and signaling the provider redirecting the user to the provider's own logout URL.
The OpenID Connect standard specify a standardized way to approach the second scenario, which is called Back-Channel Logout. The spec requires a in-app stateless URL to send logout requests from the provider, with the Session-ID (SID) of the user sessions which should be terminated (being that currently active or not).
Currently Spring does not offer that support, but there is an open request to have this part of the Spring's OIDC implementation: spring-projects/spring-security#7845
We can start implementing support for the first scenario and in the meanwhile investigate if Spring is going to add support for back-channel logout in the short-term.
The text was updated successfully, but these errors were encountered: