
Consider OIDC Back-Channel favoring logout_token over CSRF

Open · jzheaux opened this issue 2 years ago · 1 comment

The current OIDC back-channel logout support saves the end-user's CSRF token to use in a self-logout call when the back-channel request comes from the authorization server.

This adds more information to OidcSessionInformation than may be necessary. Instead, I think it would also work to send the logout_token in place of the CSRF token.

The upside is a simpler contract and simpler configuration. The possible downside is that the logout token is validated multiple times, once for each session being invalidated.

jzheaux, Sep 16 '23 21:09
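The tradeoff in the issue body, shown as an added example that is not Spring Security's code: a back-channel `logout_token` is checked against the claim rules of OpenID Connect Back-Channel Logout 1.0 (issuer, audience, `iat`, `events` member, `sub` or `sid`, no `nonce`), matched against an in-memory session store that stands in for `OidcSessionInformation`, and then used to invalidate every matching session either once up front or once per self-logout call, which is where the repeated validation comes from. Written in Python rather than Java so it runs offline; the HS256 shared secret, issuer, client id, session ids and subjects are all constructed for the demo (real logout tokens are normally asymmetrically signed and checked against the issuer's JWKS).

```python
"""OIDC Back-Channel Logout: validate a logout_token, then invalidate sessions.

Added example, not Spring Security code. HS256 with a shared secret is an
assumption made so the sample runs offline; production tokens are verified
against the issuer's published keys. All identifiers below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://issuer.example"            # constructed
CLIENT_ID = "my-client"                      # constructed
SECRET = b"shared-secret-for-the-example"    # constructed, demo only
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_logout_token(sub=None, sid=None, now=None, **extra):
    """Build a logout_token the way an authorization server would (HS256 here)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "iat": now, "jti": f"jti-{now}",
              "events": {LOGOUT_EVENT: {}}}
    if sub is not None:
        claims["sub"] = sub
    if sid is not None:
        claims["sid"] = sid
    claims.update(extra)                     # lets a test inject a forbidden nonce
    header = _b64url(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_logout_token(token, now=None, max_age=300):
    """Signature plus the claim rules of Back-Channel Logout 1.0, section 2.6."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header, body, sig = parts
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token pick the algorithm
    claims = json.loads(_b64url_decode(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, int) or not (now - max_age <= iat <= now + 60):
        raise ValueError("iat out of range")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("need sub or sid")
    if "nonce" in claims:
        raise ValueError("nonce MUST NOT be present")  # blocks ID Token reuse as logout token
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise ValueError("missing backchannel-logout event")
    return claims


def rejects(token, now=None):
    """Return the rejection reason, or None if the token is accepted."""
    try:
        validate_logout_token(token, now)
        return None
    except ValueError as exc:
        return str(exc)


class SessionRegistry:
    """session id -> (iss, sub, sid); stands in for OidcSessionInformation."""

    def __init__(self):
        self.sessions = {}
        self.validations = 0                 # how often the logout_token got checked

    def register(self, session_id, sub, sid):
        self.sessions[session_id] = (ISSUER, sub, sid)

    def matching(self, claims):
        """sid present: that OP session only; otherwise every session of the sub."""
        hits = []
        for session_id, (iss, sub, sid) in self.sessions.items():
            if iss != claims["iss"]:
                continue
            if "sid" in claims:
                if claims["sid"] == sid:
                    hits.append(session_id)
            elif claims.get("sub") == sub:
                hits.append(session_id)
        return hits

    def logout_once(self, token, now=None):
        """Validate once, then invalidate every matching session directly."""
        claims = validate_logout_token(token, now)
        self.validations += 1
        hits = self.matching(claims)
        for session_id in hits:
            del self.sessions[session_id]
        return hits

    def logout_per_session(self, token, now=None):
        """Find sessions, then make one self-logout call per session carrying the
        logout_token instead of a stored CSRF token; each call re-validates it."""
        claims = validate_logout_token(token, now)
        self.validations += 1
        hits = self.matching(claims)
        for session_id in hits:
            self._self_logout(session_id, token, now)
        return hits

    def _self_logout(self, session_id, token, now):
        validate_logout_token(token, now)    # the per-session endpoint trusts only the token
        self.validations += 1
        self.sessions.pop(session_id, None)


def demo(now=1_700_000_000):
    """Run both strategies over the same constructed sessions with a sub-only
    logout_token; returns (logged-out ids, validation count, remaining ids)."""
    results = []
    for strategy in ("logout_once", "logout_per_session"):
        reg = SessionRegistry()
        reg.register("s1", "alice", "op-sid-1")
        reg.register("s2", "alice", "op-sid-2")
        reg.register("s3", "alice", "op-sid-3")
        reg.register("s4", "bob", "op-sid-9")
        token = make_logout_token(sub="alice", now=now)
        hits = getattr(reg, strategy)(token, now)
        results.append((sorted(hits), reg.validations, sorted(reg.sessions)))
    return results


if __name__ == "__main__":
    for name, row in zip(("once", "per-session"), demo()):
        print(name, row)
```

Both strategies log out the same three sessions and leave bob's alone; the difference is the validation count (1 versus 4 here), which is the cost the issue weighs against dropping the stored CSRF token from the session information.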

Waiting on #14510

jzheaux, Jan 31 '24 23:01

Given the feedback in https://github.com/spring-projects/spring-security/issues/15227, I think that's enough to consider adding this without waiting for #14510.

jzheaux, Jul 22 '24 20:07