Set default redirect in OidcClientInitiatedServerLogoutSuccessHandler

[mraible]

Summary

I ❤️ the new OidcClientInitiatedServerLogoutSuccessHandler in Spring Security 5.2! The only problem I see with it is you have to set a postLogoutRedirectUri property. This will likely vary between development, test, and production, so it seems like kind of a pain to have to maintain a new property that could be calculated.

By default, it'd be nice if the postLogoutRedirectUri defaulted to the current context path (/). If people wanted to override it, it'd be cool if they could use a relative URL (that starts with /) or an absolute URL (current behavior).

I'm entering this here as requested by @jgrandja on Stack Overflow.

Actual Behavior

You need to set a postLogoutRedirectUri.

Expected Behavior

I'd like this value to default to /.

Configuration

OIDC with Okta and Keycloak (because JHipster).

Version

Spring Security 5.2

[jzheaux]

@mraible I'm glad you like it!

By /, is it your intent to redirect to the root of the authorization server or the root of the client application?

@jgrandja Have you already considered the possibility of this being part of the ClientRegistration? It seems similar in nature to ClientRegistration#redirectUriTemplate.

[mraible]

By /, I mean the root of the client application.

…

On Jan 17, 2020, at 17:56, Josh Cummings ***@***.***> wrote:  @mraible I'm glad you like it! By /, is it your intent to redirect to the root of the authorization server or the root of the client application? @jgrandja Have you already considered the possibility of this being part of the ClientRegistration? It seems similar in nature to ClientRegistration#redirectUriTemplate. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[jgrandja]

@jzheaux I'm not sure it needs to be part of ClientRegistration. It seems it would be fairly trivial to implement a default postLogoutRedirectUri in the handler itself.

[jzheaux]

By /, I mean the root of the client application.

Got it, @mraible. So, the existing semantics of this handler are to only include a post_logout_redirect_uri parameter if it's specified. I'm concerned that setting a default would surprise users who are upgrading - they'd have to now call setPostLogoutRedirectUri(null) or similar to keep their existing behavior.

What about if setPostLogoutRedirectUri understood the {baseUrl} placeholder in the setter?

handler.setPostLogoutRedirectUri("{baseUrl}")

This would work similarly to the redirect-uri-template configuration. Would that address your deployment concerns?

[mraible]

This would work similarly to the redirect-uri-template configuration. Would that address your deployment concerns?

I believe so. What happens currently if I use the OidcClientInitiatedServerLogoutSuccessHandler without setting a PostLogoutRedirectUri?

[jzheaux]

The parameter is not added to the redirect. It was done that way since that parameter is optional.