diff --git a/docs/modules/ROOT/pages/reactive/oauth2/login/logout.adoc b/docs/modules/ROOT/pages/reactive/oauth2/login/logout.adoc
index 1f059a0827..ac1eb76028 100644
--- a/docs/modules/ROOT/pages/reactive/oauth2/login/logout.adoc
+++ b/docs/modules/ROOT/pages/reactive/oauth2/login/logout.adoc
@@ -173,7 +173,7 @@ open fun filterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
 And that's it!
-This will stand up the endpoint `/logout/connect/back-channel/+{registrationId}` which the OIDC Provider can request to invalidate a given session of an end user in your application.
+This will stand up the endpoint `+/logout/connect/back-channel/{registrationId}+` which the OIDC Provider can request to invalidate a given session of an end user in your application.
 [NOTE]
 `oidcLogout` requires that `oauth2Login` also be configured.
diff --git a/docs/modules/ROOT/pages/servlet/oauth2/login/advanced.adoc b/docs/modules/ROOT/pages/servlet/oauth2/login/advanced.adoc
index 765b5b89e3..9d5fa9918a 100644
--- a/docs/modules/ROOT/pages/servlet/oauth2/login/advanced.adoc
+++ b/docs/modules/ROOT/pages/servlet/oauth2/login/advanced.adoc
@@ -929,114 +929,5 @@ For MAC-based algorithms (such as `HS256`, `HS384`, or `HS512`), the `client-sec
 If more than one `ClientRegistration` is configured for OpenID Connect 1.0 Authentication, the JWS algorithm resolver may evaluate the provided `ClientRegistration` to determine which algorithm to return.
 ====
-
-[[oauth2login-advanced-oidc-logout]]
-== OpenID Connect 1.0 Logout
-
-OpenID Connect Session Management 1.0 allows the ability to log out the end user at the Provider by using the Client.
-One of the strategies available is https://openid.net/specs/openid-connect-rpinitiated-1_0.html[RP-Initiated Logout].
-
-If the OpenID Provider supports both Session Management and https://openid.net/specs/openid-connect-discovery-1_0.html[Discovery], the client can obtain the `end_session_endpoint` `URL` from the OpenID Provider's https://openid.net/specs/openid-connect-session-1_0.html#OPMetadata[Discovery Metadata].
-You can do so by configuring the `ClientRegistration` with the `issuer-uri`, as follows:
-
-[source,yaml]
-----
-spring:
- security:
- oauth2:
- client:
- registration:
- okta:
- client-id: okta-client-id
- client-secret: okta-client-secret
- ...
- provider:
- okta:
- issuer-uri: https://dev-1234.oktapreview.com
-----
-
-Also, you can configure `OidcClientInitiatedLogoutSuccessHandler`, which implements RP-Initiated Logout, as follows:
-
-[tabs]
-======
-Java::
-+
-[source,java,role="primary"]
-----
-@Configuration
-@EnableWebSecurity
-public class OAuth2LoginSecurityConfig {
-
- @Autowired
- private ClientRegistrationRepository clientRegistrationRepository;
-
- @Bean
- public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
- http
- .authorizeHttpRequests(authorize -> authorize
- .anyRequest().authenticated()
- )
- .oauth2Login(withDefaults())
- .logout(logout -> logout
- .logoutSuccessHandler(oidcLogoutSuccessHandler())
- );
- return http.build();
- }
-
- private LogoutSuccessHandler oidcLogoutSuccessHandler() {
- OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler =
- new OidcClientInitiatedLogoutSuccessHandler(this.clientRegistrationRepository);
-
- // Sets the location that the End-User's User Agent will be redirected to
- // after the logout has been performed at the Provider
- oidcLogoutSuccessHandler.setPostLogoutRedirectUri("{baseUrl}");
-
- return oidcLogoutSuccessHandler;
- }
-}
-----
-
-Kotlin::
-+
-[source,kotlin,role="secondary"]
-----
-@Configuration
-@EnableWebSecurity
-class OAuth2LoginSecurityConfig {
- @Autowired
- private lateinit var clientRegistrationRepository: ClientRegistrationRepository
-
- @Bean
- open fun filterChain(http: HttpSecurity): SecurityFilterChain {
- http {
- authorizeRequests {
- authorize(anyRequest, authenticated)
- }
- oauth2Login { }
- logout {
- logoutSuccessHandler = oidcLogoutSuccessHandler()
- }
- }
- return http.build()
- }
-
- private fun oidcLogoutSuccessHandler(): LogoutSuccessHandler {
- val oidcLogoutSuccessHandler = OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository)
-
- // Sets the location that the End-User's User Agent will be redirected to
- // after the logout has been performed at the Provider
- oidcLogoutSuccessHandler.setPostLogoutRedirectUri("{baseUrl}")
- return oidcLogoutSuccessHandler
- }
-}
-----
-======
-
-[NOTE]
-====
-`OidcClientInitiatedLogoutSuccessHandler` supports the `+{baseUrl}+` placeholder.
-If used, the application's base URL, such as `https://app.example.org`, replaces it at request time.
-====
-
 [[oauth2login-advanced-oidc-logout]]
 Then, you can proceed to configure xref:reactive/oauth2/login/logout.adoc[logout]
diff --git a/docs/modules/ROOT/pages/servlet/oauth2/login/logout.adoc b/docs/modules/ROOT/pages/servlet/oauth2/login/logout.adoc
index de36b364ad..24078cf61f 100644
--- a/docs/modules/ROOT/pages/servlet/oauth2/login/logout.adoc
+++ b/docs/modules/ROOT/pages/servlet/oauth2/login/logout.adoc
@@ -172,7 +172,7 @@ open fun filterChain(http: HttpSecurity): SecurityFilterChain {
 And that's it!
-This will stand up the endpoint `/logout/connect/back-channel/+{registrationId}` which the OIDC Provider can request to invalidate a given session of an end user in your application.
+This will stand up the endpoint `+/logout/connect/back-channel/{registrationId}+` which the OIDC Provider can request to invalidate a given session of an end user in your application.
 [NOTE]
 `oidcLogout` requires that `oauth2Login` also be configured.