Class ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer

Enclosing class:
    ServerHttpSecurity.OidcLogoutSpec
Constructor Summary

    BackChannelLogoutConfigurer()

Method Summary

    Modifier and Type | Method | Description
    ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer | logoutHandler(ServerLogoutHandler logoutHandler) | Configure what and how per-session logout will be performed.
    ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer | logoutUri(String logoutUri) | Use this endpoint when invoking a back-channel logout.
Constructor Details

BackChannelLogoutConfigurer

    public BackChannelLogoutConfigurer()
Method Details

logoutUri

    public ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer logoutUri(String logoutUri)

Use this endpoint when invoking a back-channel logout. The resulting LogoutHandler will POST the session cookie and CSRF token to this endpoint to invalidate the corresponding end-user session.

Supports URI templates like {baseUrl}, {baseScheme}, and {basePort}.

By default, the URI is set to {baseUrl}/logout/connect/back-channel/{registrationId}, meaning that the scheme and port of the original back-channel request are preserved, while the host and endpoint are changed.

If you are using Spring Security for the logout endpoint, the path part of this URI should match the value configured there.

Otherwise, this is handy in the event that your server configuration means that the scheme, server name, or port in the Host header are different from how you would address the same server internally.

Parameters:
    logoutUri - the URI to request logout on the back-channel
Returns:
    the ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer for further customizations
Since:
    6.2.4
logoutHandler

    public ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer logoutHandler(ServerLogoutHandler logoutHandler)

Configure what and how per-session logout will be performed. This overrides any value given to logoutUri(String).

By default, the resulting LogoutHandler will POST the session cookie and OIDC logout token back to the original back-channel logout endpoint.

Using this method changes the underlying default that POSTs the session cookie and CSRF token to your application's /logout endpoint. As such, it is recommended to call this instead of accepting the /logout default, as this does not require any special CSRF configuration, even if you don't require other changes.

For example, configuring Back-Channel Logout in the following way:

    http
        .oidcLogout((oidc) -> oidc
            .backChannel((backChannel) -> backChannel
                .logoutHandler(new OidcBackChannelServerLogoutHandler())
            )
        );

will make it so that the per-session logout invocation no longer requires special CSRF configuration.

The default URI is {baseUrl}/logout/connect/back-channel/{registrationId}, which is simply an internal version of the same endpoint exposed to your Back-Channel services. You can use OidcBackChannelServerLogoutHandler.setLogoutUri(String) to alter the scheme, server name, or port in the Host header to accommodate how your application would address itself internally.

For example, if the way your application would internally call itself is on a different scheme and port than incoming traffic, you can configure the endpoint in the following way:

    http
        .oidcLogout((oidc) -> oidc
            .backChannel((backChannel) -> backChannel
                .logoutUri("http://localhost:9000/logout/connect/back-channel/{registrationId}")
            )
        );

You can also publish it as a @Bean as follows:

    @Bean
    OidcBackChannelServerLogoutHandler oidcLogoutHandler() {
        OidcBackChannelServerLogoutHandler logoutHandler = new OidcBackChannelServerLogoutHandler();
        logoutHandler.setLogoutUri("http://localhost:9000/logout/connect/back-channel/{registrationId}");
        return logoutHandler;
    }

to have the same effect.

Parameters:
    logoutHandler - the ServerLogoutHandler to use for each individual session
Returns:
    the ServerHttpSecurity.OidcLogoutSpec.BackChannelLogoutConfigurer for further customizations
Since:
    6.4
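As an added example (not part of the Spring Security Javadoc), a complete reactive security configuration that wires the @Bean handler from the text above into a SecurityWebFilterChain, so the per-session back-channel logout is sent to the internal address rather than to /logout. The class name, the injection of the handler bean into the chain, and the internal address http://localhost:9000 are assumptions for this example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcBackChannelServerLogoutHandler;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class BackChannelLogoutConfig {

    // Assumed for this example: the address at which the application reaches
    // itself internally (scheme and port differ from what the Host header carries).
    private static final String INTERNAL_BACK_CHANNEL_URI =
            "http://localhost:9000/logout/connect/back-channel/{registrationId}";

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
            OidcBackChannelServerLogoutHandler oidcLogoutHandler) {
        http
            // Every exchange requires an authenticated OIDC session.
            .authorizeExchange((exchanges) -> exchanges.anyExchange().authenticated())
            .oauth2Login(Customizer.withDefaults())
            // Back-Channel Logout: the handler POSTs the session cookie and OIDC
            // logout token to the internal back-channel endpoint instead of /logout,
            // so the per-session logout call needs no special CSRF configuration.
            .oidcLogout((oidc) -> oidc
                .backChannel((backChannel) -> backChannel
                    .logoutHandler(oidcLogoutHandler)));
        return http.build();
    }

    @Bean
    OidcBackChannelServerLogoutHandler oidcLogoutHandler() {
        OidcBackChannelServerLogoutHandler logoutHandler = new OidcBackChannelServerLogoutHandler();
        // Replace the {baseUrl}-based default with the scheme and port the
        // server actually listens on internally.
        logoutHandler.setLogoutUri(INTERNAL_BACK_CHANNEL_URI);
        return logoutHandler;
    }
}
```

If Spring Security also serves the logout endpoint, keep the path part of INTERNAL_BACK_CHANNEL_URI aligned with the path configured there.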