Simplify OIDC Back-Channel Logout DSL (Closes gh-15817) #16698
base: main
- Introduced a new HttpSecurity method: oidcBackChannelLogout(Customizer.withDefaults()) to simplify OIDC Back-Channel Logout configuration.
- Modified OidcLogoutConfigurer: marked backChannel(Customizer<...>) as deprecated (since 6.2, forRemoval = true) and updated its JavaDoc to recommend using the new DSL method.
- Added tests (oidcBackChannelLogoutWhenDefaultsThenRemotelyInvalidatesSessions) to verify that the new DSL correctly registers OidcBackChannelLogoutFilter and invalidates sessions.

Closes spring-projectsgh-15817

Signed-off-by: Minje Kim <[email protected]>
Thank you, @alswp006! In addition to my inline feedback, will you please update the OIDC logout documentation to use the new method?
When you are ready, please squash your commits and have its message look similar to this:
Add oidcBackChannelLogout
Closes gh-15817
import jakarta.servlet.ServletException; | ||
import jakarta.servlet.ServletRequest; | ||
import jakarta.servlet.ServletResponse; | ||
import jakarta.servlet.*; |
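Review bot: the wildcard `import jakarta.servlet.*;` on the last line of this hunk appears in place of the explicit `ServletException`, `ServletRequest` and `ServletResponse` imports and has nothing to do with the new DSL method. Keep the three explicit imports so the change touches only what the PR title describes and the types this file depends on stay visible.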
Please leave the import statements as-is.
@@ -2870,6 +2844,14 @@ public HttpSecurity oidcLogout(Customizer<OidcLogoutConfigurer<HttpSecurity>> oi | |||
return HttpSecurity.this; | |||
} | |||
|
|||
public HttpSecurity oidcBackChannelLogout(Customizer<OidcLogoutConfigurer<HttpSecurity>> oidcBackChannelLogoutCustomizer) |
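Review bot: the parameter of `oidcBackChannelLogout` is `Customizer<OidcLogoutConfigurer<HttpSecurity>>`, the same type the hunk header shows for `oidcLogout`, so the method name promises back-channel configuration while the customizer is handed the whole OIDC logout configurer. State in the JavaDoc what the customizer is expected to configure and what is applied by default, or narrow the parameter to a back-channel-specific type if that is all callers should see. The method has no JavaDoc in the visible lines.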
Please add JavaDoc so folks can read how to use the method. Please make sure the JavaDoc includes `@since 6.5`.
*/ | ||
@Deprecated(since = "6.2", forRemoval = true) |
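Review bot: in `@Deprecated(since = "6.2", forRemoval = true)` the `since` value should name the release in which the deprecation first ships; otherwise users see the method reported as deprecated since a version where it was not. Because `forRemoval = true` commits to deleting the annotated method, check that the JavaDoc closing just above the annotation names the replacement method.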
Please change the since value to 6.5
Hi, @alswp006, are you able to apply the requested changes?
This commit introduces the new top-level DSL method `oidcBackChannelLogout(Customizer<OidcLogoutConfigurer<HttpSecurity>>)` to simplify OIDC Back-Channel Logout configuration. The new method creates an OidcLogoutConfigurer internally and applies default back-channel configuration. Additionally, the deprecated `backChannel(Customizer)` method in OidcLogoutConfigurer has been updated to include the @since tag of 6.5, along with updated documentation recommending the use of the new DSL.

Closes spring-projectsgh-15817

Sorry for the delay – I was tied up with company work.
Hi, I’ve applied the requested changes including the updates to the OIDC logout documentation and the @since tag. The new commits have been pushed to this branch, so the PR is now updated. My apologies for the delay—I was busy with company work. Please review the changes when you have a moment. Thank you!
Currently, OIDC Back-Channel Logout is configured with a nested DSL:

This nested structure makes the DSL less navigable. To improve clarity and consistency with other logout DSLs (such as logout() and saml2Logout()), we introduce a new top-level DSL method:
Changes in this PR
A new method oidcBackChannelLogout(Customizer<OidcLogoutConfigurer>) has been added to HttpSecurity. This method internally creates an OidcLogoutConfigurer and applies the default back-channel configuration, thereby simplifying the DSL.
The existing backChannel(Customizer) method is now marked as deprecated with:

Its JavaDoc has been updated to recommend using the new DSL method oidcBackChannelLogout(Customizer.withDefaults()) instead.
A new test method, oidcBackChannelLogoutWhenDefaultsThenRemotelyInvalidatesSessions(), has been added to verify that when using the new DSL, the OIDC Back-Channel Logout filter is properly registered and that sessions are invalidated as expected.
Related
Closes gh-15817
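
The two configurations this description contrasts, side by side, as an added example that is not code from the PR or from the Spring Security project. The class name `OidcLogoutConfig`, the method names `nestedDsl` and `proposedDsl`, and the surrounding `authorizeHttpRequests`/`oauth2Login` lines are assumptions; `oidcBackChannelLogout` is the method proposed here and compiles only against this PR's branch.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class OidcLogoutConfig { // illustrative name, not from the PR

    // Existing DSL: back-channel logout is reached through oidcLogout(),
    // one level down from HttpSecurity.
    @Bean
    SecurityFilterChain nestedDsl(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults())
            .oidcLogout((logout) -> logout
                .backChannel(Customizer.withDefaults()));
        return http.build();
    }

    // DSL proposed in this PR: the same defaults from a top-level method.
    // Deliberately not a @Bean, so only one catch-all filter chain is registered;
    // swap the annotation over to try it on the PR branch.
    SecurityFilterChain proposedDsl(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults())
            .oidcBackChannelLogout(Customizer.withDefaults());
        return http.build();
    }

    // Needed with either form: publishes session-destroyed events so the
    // stored OIDC session entries are removed when a local session ends.
    @Bean
    HttpSessionEventPublisher sessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```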