Skip to content

Option to provide custom logoutTokenDecoderFactory for OIDC logout #16545

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ErwinSteffens opened this issue Feb 6, 2025 · 0 comments
Open

Option to provide custom logoutTokenDecoderFactory for OIDC logout #16545

ErwinSteffens opened this issue Feb 6, 2025 · 0 comments
Labels
status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement

Comments

@ErwinSteffens
Copy link

ErwinSteffens commented Feb 6, 2025
edited
Loading

Expected Behavior

Allow to provide custom logoutTokenDecoderFactory in OidcBackChannelLogoutReactiveAuthenticationManager so we can provide a custom WebClient and can resolve a production connection issue.

We can work on creating PR for this, but we need some guidance for getting to a correct solution.

Current Behavior

We are seeing connection issues with long running HTTP connections to some of our OIDC providers. This shows as the following errors message in our logging:

i.n.c.u.Errors$NativeIoException: recv(..) failed: Connection reset by peer
Wrapped by: o.s.w.r.f.c.WebClientRequestException: recv(..) failed: Connection reset by peer
	at o.s.w.r.f.c.ExchangeFunctions$DefaultExchangeFunction.lambda$wrapException$9(ExchangeFunctions.java:137)
	Suppressed: r.c.p.FluxOnAssembly$OnAssemblyException: 
Error has been observed at the following site(s):
	*__checkpoint ⇢ Request to GET https://xxxx/.well-known/jwks.json [DefaultWebClient]

Similar issue in the login process is described here. There was a lot of discussion on how to resolve this, but there is now an option to create a custom ReactiveJwtDecoderFactory to validate ID token with a custom WebClient instance:

@Component
public class CustomReactiveOidcIdTokenDecoderFactory implements ReactiveJwtDecoderFactory<ClientRegistration> {

	private final WebClient webClient;

	public CustomReactiveOidcIdTokenDecoderFactory(WebClient webClient) {
		this.webClient = webClient;
	}

	public ReactiveJwtDecoder createDecoder(ClientRegistration registration) {
		var issuerUri = registration.getProviderDetails().getIssuerUri();
		var decoder = NimbusReactiveJwtDecoder.withIssuerLocation(issuerUri)
				.webClient(this.webClient)
				.build();
		decoder.setJwtValidator(JwtValidators.createDefaultWithValidators(new OidcIdTokenValidator(registration)));
		decoder.setClaimSetConverter(new ClaimTypeConverter(ReactiveOidcIdTokenDecoderFactory.createDefaultClaimTypeConverters()));
		return decoder;
	}
}

We would like to build similar functionality for the OIDC backchannel logout process but this cannot be accomplished because:

  • OidcBackChannelLogoutTokenValidator is internal class
  • The logoutTokenDecoderFactory in OidcBackChannelLogoutReactiveAuthenticationManager is not configurable now.

Context
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ErwinSteffens