Add POST Binding for RP-initiated OIDC Logout #13002
Labels
in: oauth2
An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
type: enhancement
A general enhancement
Comments
yuezk
added
status: waiting-for-triage
yuezk
changed the title
jzheaux
changed the title
jzheaux
added
in: oauth2
candrews
added a commit
to candrews/spring-security
that referenced
this issue
Dec 4, 2024
FormRedirectStrategy redirects using an autosubmitting HTML form using the POST method versus DefaultRedirectStrategy which redirects using the GET method. Can be used to implement POST binding for relying party initiated OIDC logout by setting FormRedirectStrategy as the redirection strategy on OidcClientInitiatedLogoutSuccessHandler. Closes spring-projectsgh-13002
candrews
added a commit
to candrews/spring-security
that referenced
this issue
Dec 4, 2024
FormRedirectStrategy redirects using an autosubmitting HTML form using the POST method versus DefaultRedirectStrategy which redirects using the GET method. Can be used to implement POST binding for relying party initiated OIDC logout by setting FormRedirectStrategy as the redirection strategy on OidcClientInitiatedLogoutSuccessHandler. Closes spring-projectsgh-13002 Signed-off-by: Craig Andrews <[email protected]>
candrews
added a commit
to candrews/spring-security
that referenced
this issue
Dec 4, 2024
FormRedirectStrategy redirects using an autosubmitting HTML form using the POST method versus DefaultRedirectStrategy which redirects using the GET method. Can be used to implement POST binding for relying party initiated OIDC logout by setting FormRedirectStrategy as the redirection strategy on OidcClientInitiatedLogoutSuccessHandler. Closes spring-projectsgh-13002 Signed-off-by: Craig Andrews <[email protected]>
candrews
added a commit
to candrews/spring-security
that referenced
this issue
Dec 4, 2024
FormRedirectStrategy redirects using an autosubmitting HTML form using the POST method versus DefaultRedirectStrategy which redirects using the GET method. Can be used to implement POST binding for relying party initiated OIDC logout by setting FormRedirectStrategy as the redirection strategy on OidcClientInitiatedLogoutSuccessHandler. Closes spring-projectsgh-13002 Signed-off-by: Craig Andrews <[email protected]>
candrews
added a commit
to candrews/spring-security
that referenced
this issue
Dec 4, 2024
FormRedirectStrategy redirects using an autosubmitting HTML form using the POST method versus DefaultRedirectStrategy which redirects using the GET method. Can be used to implement POST binding for relying party initiated OIDC logout by setting FormRedirectStrategy as the redirection strategy on OidcClientInitiatedLogoutSuccessHandler. Closes spring-projectsgh-13002 Signed-off-by: Craig Andrews <[email protected]>
candrews
added a commit
to candrews/spring-security
that referenced
this issue
Dec 4, 2024
FormRedirectStrategy redirects using an autosubmitting HTML form using the POST method versus DefaultRedirectStrategy which redirects using the GET method. Can be used to implement POST binding for relying party initiated OIDC logout by setting FormRedirectStrategy as the redirection strategy on OidcClientInitiatedLogoutSuccessHandler. Closes spring-projectsgh-13002 Signed-off-by: Craig Andrews <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Expected Behavior
According to the OIDC spec, the RP-initiated global logout request method could be POST or GET. But currently, the framework doesn't support the POST method.
Current Behavior
The OIDC global logout request seems only to support the GET request method in
org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler.Context
My question is: Is there any plan to support this, or is there any suggestions on implementing this at the production code? Thanks.
The text was updated successfully, but these errors were encountered: