Description
Expected Behavior
We are using an IDP that sends a back-channel logout request with a token type set as logout+jwt, which should be accepted by spring-security when using spring-webflux.
Current Behavior
The back-channel is currently rejected because the only token type supported is jwt.
Error has been observed at the following site(s):
*__________Mono.error ⇢ at org.springframework.security.config.web.server.OidcBackChannelLogoutReactiveAuthenticationManager.lambda$decode$2(OidcBackChannelLogoutReactiveAuthenticationManager.java:92)
*__Mono.onErrorResume ⇢ at org.springframework.security.config.web.server.OidcBackChannelLogoutReactiveAuthenticationManager.decode(OidcBackChannelLogoutReactiveAuthenticationManager.java:88)
|_ Mono.map ⇢ at org.springframework.security.config.web.server.OidcBackChannelLogoutReactiveAuthenticationManager.authenticate(OidcBackChannelLogoutReactiveAuthenticationManager.java:80)
|_ Mono.map ⇢ at org.springframework.security.config.web.server.OidcBackChannelLogoutReactiveAuthenticationManager.authenticate(OidcBackChannelLogoutReactiveAuthenticationManager.java:83)
*________Mono.flatMap ⇢ at org.springframework.security.config.web.server.OidcBackChannelLogoutWebFilter.filter(OidcBackChannelLogoutWebFilter.java:90)
Caused by: com.nimbusds.jose.proc.BadJOSEException: JOSE header typ (type) logout+jwt not allowed
at com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier.verify(DefaultJOSEObjectTypeVerifier.java:148)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:378)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:340)
at org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder.createClaimsSet(NimbusReactiveJwtDecoder.java:292)
at org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder$JwkSetUriReactiveJwtDecoderBuilder.lambda$processor$13(NimbusReactiveJwtDecoder.java:449)
at reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.onNext(FluxMapFuseable.java:113)
at reactor.core.publisher.FluxOnAssembly$OnAssemblySubscriber.onNext(FluxOnAssembly.java:539)
Context
We are using spring-cloud-gateway to manage authentication with spring-session. We have configured the back-channel security but the logout requests don't work because the token type is invalid.
.oidcLogout(oidcLogout -> oidcLogout
.clientRegistrationRepository(clientRegistrationRepository)
.backChannel(Customizer.withDefaults()))
This is blocking our users from being logged out from all the RPs, and a user can still navigate to some applications because the session is not fully terminated in all applications. There is no way to customize the token type for back-channel logout because the classes are package protected. I believe there is no workaround other than duplicating the OIDC back-channel logout.
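As an added, stand-alone illustration of the check the stack trace reports failing (this is example code, not Spring Security's or Nimbus's implementation), the following Python decodes a compact JWS logout token and applies a typ allow-list: with a jwt-only list the token is rejected with the same message as in the trace, and once logout+jwt is allowed it is accepted. It assumes an HS256 shared secret instead of the asymmetric keys an OP would publish via JWKS, and the issuer, subject, audience and key values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def _norm(typ: str) -> str:
    # Media-type values are case-insensitive (RFC 7515 section 4.1.9),
    # so both sides of the comparison are lower-cased.
    return typ.strip().lower()


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(claims: dict, key: bytes, typ: str = "logout+jwt") -> str:
    """Build an HS256-signed token for the demo.
    Assumption: a shared HMAC key stands in for the OP's asymmetric JWKS keys."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_typ(header: dict, allowed_types: tuple) -> None:
    """Reject a token whose JOSE typ header is not on the allow-list.
    The message mirrors the one in the issue's stack trace; a missing typ is rejected too."""
    typ = header.get("typ")
    if typ is None:
        raise ValueError("JOSE header typ (type) missing")
    if _norm(typ) not in {_norm(t) for t in allowed_types}:
        raise ValueError(f"JOSE header typ (type) {typ} not allowed")


def decode_logout_token(token: str, key: bytes,
                        allowed_types: tuple = ("jwt", "logout+jwt")) -> dict:
    """Split the compact JWS, check alg and typ, verify the HMAC, return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have three segments")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm before looking at the signature so "none" or a swapped alg is never honoured.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')}")
    verify_typ(header, allowed_types)
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))


# Constructed sample: a logout token carrying the back-channel-logout event claim
# defined by OpenID Connect Back-Channel Logout 1.0; all values below are made up.
SAMPLE_KEY = b"demo-shared-secret-not-for-production"
SAMPLE_CLAIMS = {
    "iss": "https://idp.example",
    "sub": "user-123",
    "aud": "gateway-client",
    "iat": 1700000000,
    "jti": "demo-jti-1",
    "events": {"http://schemas.openid.net/event/backchannel-logout": {}},
}


def outcome(allowed_types: tuple) -> str:
    """Decode the sample token under a given typ allow-list and report the result."""
    token = make_logout_token(SAMPLE_CLAIMS, SAMPLE_KEY)
    try:
        decode_logout_token(token, SAMPLE_KEY, allowed_types)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("allow jwt only        ->", outcome(("jwt",)))
    print("allow jwt, logout+jwt ->", outcome(("jwt", "logout+jwt")))
```

The first run reproduces the rejection from the issue; the second shows that adding logout+jwt to the allow-list is the whole change needed on the verifier side, with the signature check untouched.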