Add OpenID Connect 1.0 Logout Endpoint

Closes gh-266

Author: jgrandja

docs/src/docs/asciidoc/examples/src/main/java/sample/jpa/entity/client/Client.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 the original author or authors.
+ * Copyright 2020-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,6 +39,8 @@ public class Client {
 	@Column(length = 1000)
 	private String redirectUris;
 	@Column(length = 1000)
+	private String postLogoutRedirectUris;
+	@Column(length = 1000)
 	private String scopes;
 	@Column(length = 2000)
 	private String clientSettings;
@@ -118,6 +120,14 @@ public void setRedirectUris(String redirectUris) {
 		this.redirectUris = redirectUris;
 	}
 
+	public String getPostLogoutRedirectUris() {
+		return this.postLogoutRedirectUris;
+	}
+
+	public void setPostLogoutRedirectUris(String postLogoutRedirectUris) {
+		this.postLogoutRedirectUris = postLogoutRedirectUris;
+	}
+
 	public String getScopes() {
 		return scopes;
 	}

docs/src/docs/asciidoc/examples/src/main/java/sample/jpa/repository/authorization/AuthorizationRepository.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 the original author or authors.
+ * Copyright 2022-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,10 +30,12 @@ public interface AuthorizationRepository extends JpaRepository<Authorization, St
 	Optional<Authorization> findByAuthorizationCodeValue(String authorizationCode);
 	Optional<Authorization> findByAccessTokenValue(String accessToken);
 	Optional<Authorization> findByRefreshTokenValue(String refreshToken);
+	Optional<Authorization> findByOidcIdTokenValue(String idToken);
 	@Query("select a from Authorization a where a.state = :token" +
 			" or a.authorizationCodeValue = :token" +
 			" or a.accessTokenValue = :token" +
-			" or a.refreshTokenValue = :token"
+			" or a.refreshTokenValue = :token" +
+			" or a.oidcIdTokenValue = :token"
 	)
-	Optional<Authorization> findByStateOrAuthorizationCodeValueOrAccessTokenValueOrRefreshTokenValue(@Param("token") String token);
+	Optional<Authorization> findByStateOrAuthorizationCodeValueOrAccessTokenValueOrRefreshTokenValueOrOidcIdTokenValue(@Param("token") String token);
 }

docs/src/docs/asciidoc/examples/src/main/java/sample/jpa/service/authorization/JpaOAuth2AuthorizationService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 the original author or authors.
+ * Copyright 2022-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,6 +35,7 @@
 import org.springframework.security.oauth2.core.OAuth2Token;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.core.oidc.OidcIdToken;
+import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
@@ -88,7 +89,7 @@ public OAuth2Authorization findByToken(String token, OAuth2TokenType tokenType)
 
 		Optional<Authorization> result;
 		if (tokenType == null) {
-			result = this.authorizationRepository.findByStateOrAuthorizationCodeValueOrAccessTokenValueOrRefreshTokenValue(token);
+			result = this.authorizationRepository.findByStateOrAuthorizationCodeValueOrAccessTokenValueOrRefreshTokenValueOrOidcIdTokenValue(token);
 		} else if (OAuth2ParameterNames.STATE.equals(tokenType.getValue())) {
 			result = this.authorizationRepository.findByState(token);
 		} else if (OAuth2ParameterNames.CODE.equals(tokenType.getValue())) {
@@ -97,6 +98,8 @@ public OAuth2Authorization findByToken(String token, OAuth2TokenType tokenType)
 			result = this.authorizationRepository.findByAccessTokenValue(token);
 		} else if (OAuth2ParameterNames.REFRESH_TOKEN.equals(tokenType.getValue())) {
 			result = this.authorizationRepository.findByRefreshTokenValue(token);
+		} else if (OidcParameterNames.ID_TOKEN.equals(tokenType.getValue())) {
+			result = this.authorizationRepository.findByOidcIdTokenValue(token);
 		} else {
 			result = Optional.empty();
 		}

docs/src/docs/asciidoc/examples/src/main/java/sample/jpa/service/client/JpaRegisteredClientRepository.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 the original author or authors.
+ * Copyright 2022-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -78,6 +78,8 @@ private RegisteredClient toObject(Client client) {
 				client.getAuthorizationGrantTypes());
 		Set<String> redirectUris = StringUtils.commaDelimitedListToSet(
 				client.getRedirectUris());
+		Set<String> postLogoutRedirectUris = StringUtils.commaDelimitedListToSet(
+				client.getPostLogoutRedirectUris());
 		Set<String> clientScopes = StringUtils.commaDelimitedListToSet(
 				client.getScopes());
 
@@ -94,6 +96,7 @@ private RegisteredClient toObject(Client client) {
 						authorizationGrantTypes.forEach(grantType ->
 								grantTypes.add(resolveAuthorizationGrantType(grantType))))
 				.redirectUris((uris) -> uris.addAll(redirectUris))
+				.postLogoutRedirectUris((uris) -> uris.addAll(postLogoutRedirectUris))
 				.scopes((scopes) -> scopes.addAll(clientScopes));
 
 		Map<String, Object> clientSettingsMap = parseMap(client.getClientSettings());
@@ -124,6 +127,7 @@ private Client toEntity(RegisteredClient registeredClient) {
 		entity.setClientAuthenticationMethods(StringUtils.collectionToCommaDelimitedString(clientAuthenticationMethods));
 		entity.setAuthorizationGrantTypes(StringUtils.collectionToCommaDelimitedString(authorizationGrantTypes));
 		entity.setRedirectUris(StringUtils.collectionToCommaDelimitedString(registeredClient.getRedirectUris()));
+		entity.setPostLogoutRedirectUris(StringUtils.collectionToCommaDelimitedString(registeredClient.getPostLogoutRedirectUris()));
 		entity.setScopes(StringUtils.collectionToCommaDelimitedString(registeredClient.getScopes()));
 		entity.setClientSettings(writeMap(registeredClient.getClientSettings().getSettings()));
 		entity.setTokenSettings(writeMap(registeredClient.getTokenSettings().getSettings()));

docs/src/docs/asciidoc/examples/src/test/java/sample/gettingStarted/SecurityConfigTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 the original author or authors.
+ * Copyright 2020-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -102,7 +102,8 @@ public void oidcLoginWhenGettingStartedConfigUsedThenSuccess() throws Exception
 		assertThatAuthorization(refreshToken, null).isNotNull();
 
 		String idToken = (String) tokenResponse.get(OidcParameterNames.ID_TOKEN);
-		assertThatAuthorization(idToken, OidcParameterNames.ID_TOKEN).isNull(); // id_token is not searchable
+		assertThatAuthorization(idToken, OidcParameterNames.ID_TOKEN).isNotNull();
+		assertThatAuthorization(idToken, null).isNotNull();
 
 		OAuth2Authorization authorization = findAuthorization(accessToken, OAuth2ParameterNames.ACCESS_TOKEN);
 		assertThat(authorization.getToken(idToken)).isNotNull();

docs/src/docs/asciidoc/examples/src/test/java/sample/jpa/JpaTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 the original author or authors.
+ * Copyright 2020-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -117,7 +117,8 @@ public void oidcLoginWhenJpaCoreServicesAutowiredThenUsed() throws Exception {
 		assertThatAuthorization(refreshToken, null).isNotNull();
 
 		String idToken = (String) tokenResponse.get(OidcParameterNames.ID_TOKEN);
-		assertThatAuthorization(idToken, OidcParameterNames.ID_TOKEN).isNull(); // id_token is not searchable
+		assertThatAuthorization(idToken, OidcParameterNames.ID_TOKEN).isNotNull();
+		assertThatAuthorization(idToken, null).isNotNull();
 
 		OAuth2Authorization authorization = findAuthorization(accessToken, OAuth2ParameterNames.ACCESS_TOKEN);
 		assertThat(authorization.getToken(idToken)).isNotNull();

docs/src/docs/asciidoc/examples/src/test/java/sample/util/RegisteredClients.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 the original author or authors.
+ * Copyright 2020-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,6 +37,7 @@ public static RegisteredClient messagingClient() {
 				.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
 				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
 				.redirectUri("http://127.0.0.1:8080/authorized")
+				.postLogoutRedirectUri("http://127.0.0.1:8080/index")
 				.scope(OidcScopes.OPENID)
 				.scope("message.read")
 				.scope("message.write")

docs/src/docs/asciidoc/guides/how-to-jpa.adoc

@@ -45,6 +45,7 @@ CREATE TABLE client (
     clientAuthenticationMethods varchar(1000) NOT NULL,
     authorizationGrantTypes varchar(1000) NOT NULL,
     redirectUris varchar(1000) DEFAULT NULL,
+    postLogoutRedirectUris varchar(1000) DEFAULT NULL,
     scopes varchar(1000) NOT NULL,
     clientSettings varchar(2000) NOT NULL,
     tokenSettings varchar(2000) NOT NULL,

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/InMemoryOAuth2AuthorizationService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 the original author or authors.
+ * Copyright 2020-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,8 @@
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.oidc.OidcIdToken;
+import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
 import org.springframework.util.Assert;
 
 /**
@@ -150,13 +152,16 @@ private static boolean hasToken(OAuth2Authorization authorization, String token,
 			return matchesState(authorization, token) ||
 					matchesAuthorizationCode(authorization, token) ||
 					matchesAccessToken(authorization, token) ||
+					matchesIdToken(authorization, token) ||
 					matchesRefreshToken(authorization, token);
 		} else if (OAuth2ParameterNames.STATE.equals(tokenType.getValue())) {
 			return matchesState(authorization, token);
 		} else if (OAuth2ParameterNames.CODE.equals(tokenType.getValue())) {
 			return matchesAuthorizationCode(authorization, token);
 		} else if (OAuth2TokenType.ACCESS_TOKEN.equals(tokenType)) {
 			return matchesAccessToken(authorization, token);
+		} else if (OidcParameterNames.ID_TOKEN.equals(tokenType.getValue())) {
+			return matchesIdToken(authorization, token);
 		} else if (OAuth2TokenType.REFRESH_TOKEN.equals(tokenType)) {
 			return matchesRefreshToken(authorization, token);
 		}
@@ -185,6 +190,12 @@ private static boolean matchesRefreshToken(OAuth2Authorization authorization, St
 		return refreshToken != null && refreshToken.getToken().getTokenValue().equals(token);
 	}
 
+	private static boolean matchesIdToken(OAuth2Authorization authorization, String token) {
+		OAuth2Authorization.Token<OidcIdToken> idToken =
+				authorization.getToken(OidcIdToken.class);
+		return idToken != null && idToken.getToken().getTokenValue().equals(token);
+	}
+
 	private static final class MaxSizeHashMap<K, V> extends LinkedHashMap<K, V> {
 		private final int maxSize;
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 the original author or authors.
+ * Copyright 2020-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,6 +53,7 @@
 import org.springframework.security.oauth2.core.OAuth2Token;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.core.oidc.OidcIdToken;
+import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.jackson2.OAuth2AuthorizationServerJackson2Module;
@@ -112,11 +113,12 @@ public class JdbcOAuth2AuthorizationService implements OAuth2AuthorizationServic
 
 	private static final String PK_FILTER = "id = ?";
 	private static final String UNKNOWN_TOKEN_TYPE_FILTER = "state = ? OR authorization_code_value = ? OR " +
-			"access_token_value = ? OR refresh_token_value = ?";
+			"access_token_value = ? OR oidc_id_token_value = ? OR refresh_token_value = ?";
 
 	private static final String STATE_FILTER = "state = ?";
 	private static final String AUTHORIZATION_CODE_FILTER = "authorization_code_value = ?";
 	private static final String ACCESS_TOKEN_FILTER = "access_token_value = ?";
+	private static final String ID_TOKEN_FILTER = "oidc_id_token_value = ?";
 	private static final String REFRESH_TOKEN_FILTER = "refresh_token_value = ?";
 
 	// @formatter:off
@@ -240,6 +242,7 @@ public OAuth2Authorization findByToken(String token, @Nullable OAuth2TokenType t
 			parameters.add(new SqlParameterValue(Types.VARCHAR, token));
 			parameters.add(mapToSqlParameter("authorization_code_value", token));
 			parameters.add(mapToSqlParameter("access_token_value", token));
+			parameters.add(mapToSqlParameter("oidc_id_token_value", token));
 			parameters.add(mapToSqlParameter("refresh_token_value", token));
 			return findBy(UNKNOWN_TOKEN_TYPE_FILTER, parameters);
 		} else if (OAuth2ParameterNames.STATE.equals(tokenType.getValue())) {
@@ -251,6 +254,9 @@ public OAuth2Authorization findByToken(String token, @Nullable OAuth2TokenType t
 		} else if (OAuth2TokenType.ACCESS_TOKEN.equals(tokenType)) {
 			parameters.add(mapToSqlParameter("access_token_value", token));
 			return findBy(ACCESS_TOKEN_FILTER, parameters);
+		} else if (OidcParameterNames.ID_TOKEN.equals(tokenType.getValue())) {
+			parameters.add(mapToSqlParameter("oidc_id_token_value", token));
+			return findBy(ID_TOKEN_FILTER, parameters);
 		} else if (OAuth2TokenType.REFRESH_TOKEN.equals(tokenType)) {
 			parameters.add(mapToSqlParameter("refresh_token_value", token));
 			return findBy(REFRESH_TOKEN_FILTER, parameters);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 the original author or authors.
+ * Copyright 2020-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,8 +16,11 @@
 package org.springframework.security.oauth2.server.authorization.authentication;
 
 import java.security.Principal;
+import java.util.ArrayList;
 import java.util.Collections;
+import java.util.Comparator;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 import org.apache.commons.logging.Log;
@@ -27,6 +30,8 @@
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.session.SessionInformation;
+import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClaimAccessor;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
@@ -52,6 +57,7 @@
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
 import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.StringUtils;
 
 import static org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthenticationProviderUtils.getAuthenticatedClientElseThrowInvalidClient;
@@ -79,6 +85,7 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
 	private final Log logger = LogFactory.getLog(getClass());
 	private final OAuth2AuthorizationService authorizationService;
 	private final OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator;
+	private SessionRegistry sessionRegistry;
 
 	/**
 	 * Constructs an {@code OAuth2AuthorizationCodeAuthenticationProvider} using the provided parameters.
@@ -149,10 +156,12 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			this.logger.trace("Validated token request parameters");
 		}
 
+		Authentication principal = authorization.getAttribute(Principal.class.getName());
+
 		// @formatter:off
 		DefaultOAuth2TokenContext.Builder tokenContextBuilder = DefaultOAuth2TokenContext.builder()
 				.registeredClient(registeredClient)
-				.principal(authorization.getAttribute(Principal.class.getName()))
+				.principal(principal)
 				.authorizationServerContext(AuthorizationServerContextHolder.getContext())
 				.authorization(authorization)
 				.authorizedScopes(authorization.getAuthorizedScopes())
@@ -210,6 +219,10 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		// ----- ID token -----
 		OidcIdToken idToken;
 		if (authorizationRequest.getScopes().contains(OidcScopes.OPENID)) {
+			SessionInformation sessionInformation = getSessionInformation(principal);
+			if (sessionInformation != null) {
+				tokenContextBuilder.put(SessionInformation.class, sessionInformation);
+			}
 			// @formatter:off
 			tokenContext = tokenContextBuilder
 					.tokenType(ID_TOKEN_TOKEN_TYPE)
@@ -265,4 +278,32 @@ public boolean supports(Class<?> authentication) {
 		return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication);
 	}
 
+	/**
+	 * Sets the {@link SessionRegistry} used to track OpenID Connect sessions.
+	 *
+	 * @param sessionRegistry the {@link SessionRegistry} used to track OpenID Connect sessions
+	 * @since 1.1.0
+	 */
+	public void setSessionRegistry(SessionRegistry sessionRegistry) {
+		Assert.notNull(sessionRegistry, "sessionRegistry cannot be null");
+		this.sessionRegistry = sessionRegistry;
+	}
+
+	private SessionInformation getSessionInformation(Authentication principal) {
+		SessionInformation sessionInformation = null;
+		if (this.sessionRegistry != null) {
+			List<SessionInformation> sessions = this.sessionRegistry.getAllSessions(principal.getPrincipal(), false);
+			if (!CollectionUtils.isEmpty(sessions)) {
+				sessionInformation = sessions.get(0);
+				if (sessions.size() > 1) {
+					// Get the most recent session
+					sessions = new ArrayList<>(sessions);
+					sessions.sort(Comparator.comparing(SessionInformation::getLastRequest));
+					sessionInformation = sessions.get(sessions.size() - 1);
+				}
+			}
+		}
+		return sessionInformation;
+	}
+
 }