spring-projects
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutAuthentication.java
Lines changed: 9 additions & 1 deletion b/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutAuthentication.java
Lines changed: 9 additions & 1 deletion
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutAuthenticationProvider.java
Lines changed: 1 addition & 1 deletion b/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutAuthenticationProvider.java
Lines changed: 1 addition & 1 deletion
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutFilter.java
Lines changed: 4 additions & 12 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutFilter.java
Lines changed: 4 additions & 12 deletions
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutHandler.java
Lines changed: 26 additions & 34 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutHandler.java
Lines changed: 26 additions & 34 deletions
@@ -20,6 +20,7 @@
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.oauth2.client.oidc.authentication.logout.OidcLogoutToken;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
 
 /**
  * An {@link org.springframework.security.core.Authentication} implementation that
@@ -37,13 +38,16 @@ class OidcBackChannelLogoutAuthentication extends AbstractAuthenticationToken {
 
 	private final OidcLogoutToken logoutToken;
 
+	private final ClientRegistration clientRegistration;
+
 	/**
 	 * Construct an {@link OidcBackChannelLogoutAuthentication}
 	 * @param logoutToken a deserialized, verified OIDC Logout Token
 	 */
-	OidcBackChannelLogoutAuthentication(OidcLogoutToken logoutToken) {
+	OidcBackChannelLogoutAuthentication(OidcLogoutToken logoutToken, ClientRegistration clientRegistration) {
 		super(Collections.emptyList());
 		this.logoutToken = logoutToken;
+		this.clientRegistration = clientRegistration;
 		setAuthenticated(true);
 	}
 
@@ -63,4 +67,8 @@ public OidcLogoutToken getCredentials() {
 		return this.logoutToken;
 	}
 
+	ClientRegistration getClientRegistration() {
+		return this.clientRegistration;
+	}
+
 }
@@ -99,7 +99,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		OidcLogoutToken oidcLogoutToken = OidcLogoutToken.withTokenValue(logoutToken)
 			.claims((claims) -> claims.putAll(jwt.getClaims()))
 			.build();
-		return new OidcBackChannelLogoutAuthentication(oidcLogoutToken);
+		return new OidcBackChannelLogoutAuthentication(oidcLogoutToken, registration);
 	}
 
 	/**
 
@@ -58,7 +58,7 @@ class OidcBackChannelLogoutFilter extends OncePerRequestFilter {
 
 	private final OAuth2ErrorHttpMessageConverter errorHttpMessageConverter = new OAuth2ErrorHttpMessageConverter();
 
-	private LogoutHandler logoutHandler = new OidcBackChannelLogoutHandler();
+	private final LogoutHandler logoutHandler;
 
 	/**
 	 * Construct an {@link OidcBackChannelLogoutFilter}
@@ -68,11 +68,13 @@ class OidcBackChannelLogoutFilter extends OncePerRequestFilter {
 	 * Logout Tokens
 	 */
 	OidcBackChannelLogoutFilter(AuthenticationConverter authenticationConverter,
-			AuthenticationManager authenticationManager) {
+			AuthenticationManager authenticationManager, LogoutHandler logoutHandler) {
 		Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
 		Assert.notNull(authenticationManager, "authenticationManager cannot be null");
+		Assert.notNull(logoutHandler, "logoutHandler cannot be null");
 		this.authenticationConverter = authenticationConverter;
 		this.authenticationManager = authenticationManager;
+		this.logoutHandler = logoutHandler;
 	}
 
 	/**
@@ -126,14 +128,4 @@ private OAuth2Error oauth2Error(Exception ex) {
 				"https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation");
 	}
 
-	/**
-	 * The strategy for expiring all Client sessions indicated by the logout request.
-	 * Defaults to {@link OidcBackChannelLogoutHandler}.
-	 * @param logoutHandler the {@link LogoutHandler} to use
-	 */
-	void setLogoutHandler(LogoutHandler logoutHandler) {
-		Assert.notNull(logoutHandler, "logoutHandler cannot be null");
-		this.logoutHandler = logoutHandler;
-	}
-
 }
@@ -29,17 +29,18 @@
 
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
 import org.springframework.http.server.ServletServerHttpResponse;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.client.oidc.authentication.logout.OidcLogoutToken;
-import org.springframework.security.oauth2.client.oidc.session.InMemoryOidcSessionRegistry;
 import org.springframework.security.oauth2.client.oidc.session.OidcSessionInformation;
 import org.springframework.security.oauth2.client.oidc.session.OidcSessionRegistry;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMessageConverter;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
 import org.springframework.web.client.RestClientException;
 import org.springframework.web.client.RestOperations;
 import org.springframework.web.client.RestTemplate;
@@ -51,25 +52,29 @@
  * Back-Channel Logout Token and invalidates each one.
  *
  * @author Josh Cummings
- * @since 6.2
+ * @since 6.4
  * @see <a target="_blank" href=
  * "https://openid.net/specs/openid-connect-backchannel-1_0.html">OIDC Back-Channel Logout
  * Spec</a>
  */
-final class OidcBackChannelLogoutHandler implements LogoutHandler {
+public final class OidcBackChannelLogoutHandler implements LogoutHandler {
 
 	private final Log logger = LogFactory.getLog(getClass());
 
-	private OidcSessionRegistry sessionRegistry = new InMemoryOidcSessionRegistry();
+	private final OidcSessionRegistry sessionRegistry;
 
 	private RestOperations restOperations = new RestTemplate();
 
-	private String logoutUri = "{baseScheme}://localhost{basePort}/logout";
+	private String logoutUri = "{baseUrl}/logout/connect/back-channel/{registrationId}";
 
 	private String sessionCookieName = "JSESSIONID";
 
 	private final OAuth2ErrorHttpMessageConverter errorHttpMessageConverter = new OAuth2ErrorHttpMessageConverter();
 
+	public OidcBackChannelLogoutHandler(OidcSessionRegistry sessionRegistry) {
+		this.sessionRegistry = sessionRegistry;
+	}
+
 	@Override
 	public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
 		if (!(authentication instanceof OidcBackChannelLogoutAuthentication token)) {
@@ -86,7 +91,7 @@ public void logout(HttpServletRequest request, HttpServletResponse response, Aut
 		for (OidcSessionInformation session : sessions) {
 			totalCount++;
 			try {
-				eachLogout(request, session);
+				eachLogout(request, token, session);
 				invalidatedCount++;
 			}
 			catch (RestClientException ex) {
@@ -103,18 +108,23 @@ public void logout(HttpServletRequest request, HttpServletResponse response, Aut
 		}
 	}
 
-	private void eachLogout(HttpServletRequest request, OidcSessionInformation session) {
+	private void eachLogout(HttpServletRequest request, OidcBackChannelLogoutAuthentication token,
+			OidcSessionInformation session) {
 		HttpHeaders headers = new HttpHeaders();
 		headers.add(HttpHeaders.COOKIE, this.sessionCookieName + "=" + session.getSessionId());
 		for (Map.Entry<String, String> credential : session.getAuthorities().entrySet()) {
 			headers.add(credential.getKey(), credential.getValue());
 		}
-		String logout = computeLogoutEndpoint(request);
-		HttpEntity<?> entity = new HttpEntity<>(null, headers);
+		headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
+		String logout = computeLogoutEndpoint(request, token);
+		MultiValueMap<String, String> body = new LinkedMultiValueMap();
+		body.add("logout_token", token.getPrincipal().getTokenValue());
+		body.add("_spring_security_internal_logout", "true");
+		HttpEntity<?> entity = new HttpEntity<>(body, headers);
 		this.restOperations.postForEntity(logout, entity, Object.class);
 	}
 
-	String computeLogoutEndpoint(HttpServletRequest request) {
+	String computeLogoutEndpoint(HttpServletRequest request, OidcBackChannelLogoutAuthentication token) {
 		// @formatter:off
 		UriComponents uriComponents = UriComponentsBuilder
 				.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
@@ -137,6 +147,9 @@ String computeLogoutEndpoint(HttpServletRequest request) {
 		int port = uriComponents.getPort();
 		uriVariables.put("basePort", (port == -1) ? "" : ":" + port);
 
+		String registrationId = token.getClientRegistration().getRegistrationId();
+		uriVariables.put("registrationId", registrationId);
+
 		return UriComponentsBuilder.fromUriString(this.logoutUri)
 				.buildAndExpand(uriVariables)
 				.toUriString();
@@ -158,34 +171,13 @@ private void handleLogoutFailure(HttpServletResponse response, OAuth2Error error
 		}
 	}
 
-	/**
-	 * Use this {@link OidcSessionRegistry} to identify sessions to invalidate. Note that
-	 * this class uses
-	 * {@link OidcSessionRegistry#removeSessionInformation(OidcLogoutToken)} to identify
-	 * sessions.
-	 * @param sessionRegistry the {@link OidcSessionRegistry} to use
-	 */
-	void setSessionRegistry(OidcSessionRegistry sessionRegistry) {
-		Assert.notNull(sessionRegistry, "sessionRegistry cannot be null");
-		this.sessionRegistry = sessionRegistry;
-	}
-
-	/**
-	 * Use this {@link RestOperations} to perform the per-session back-channel logout
-	 * @param restOperations the {@link RestOperations} to use
-	 */
-	void setRestOperations(RestOperations restOperations) {
-		Assert.notNull(restOperations, "restOperations cannot be null");
-		this.restOperations = restOperations;
-	}
-
 	/**
 	 * Use this logout URI for performing per-session logout. Defaults to {@code /logout}
 	 * since that is the default URI for
 	 * {@link org.springframework.security.web.authentication.logout.LogoutFilter}.
 	 * @param logoutUri the URI to use
 	 */
-	void setLogoutUri(String logoutUri) {
+	public void setLogoutUri(String logoutUri) {
 		Assert.hasText(logoutUri, "logoutUri cannot be empty");
 		this.logoutUri = logoutUri;
 	}
@@ -197,7 +189,7 @@ void setLogoutUri(String logoutUri) {
 	 * Note that if you are using Spring Session, this likely needs to change to SESSION.
 	 * @param sessionCookieName the cookie name to use
 	 */
-	void setSessionCookieName(String sessionCookieName) {
+	public void setSessionCookieName(String sessionCookieName) {
 		Assert.hasText(sessionCookieName, "clientSessionCookieName cannot be empty");
 		this.sessionCookieName = sessionCookieName;
 	}
Original file line number	Diff line number	Diff line change
`@@ -99,7 +99,7 @@ public Authentication authenticate(Authentication authentication) throws Authent`
`99`	`99`	`OidcLogoutToken oidcLogoutToken = OidcLogoutToken.withTokenValue(logoutToken)`
`100`	`100`	`.claims((claims) -> claims.putAll(jwt.getClaims()))`
`101`	`101`	`.build();`
`102`		`- return new OidcBackChannelLogoutAuthentication(oidcLogoutToken);`
	`102`	`+ return new OidcBackChannelLogoutAuthentication(oidcLogoutToken, registration);`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`/**`