Add FormRedirectStrategy to enable POST OIDC Logout #16214
I need to register the filter that handles
Line 102 in dc82a6e
Line 153 in dc82a6e
Line 3055 in dc82a6e
FormRedirectStrategy would be set up by the user not as bean or via any other special method, so I don't see a way to conditionally register the handler for /form-redirect.js . Should it be unconditionally registered? Should some kind of configuration be added to conditionally register it?
FormRedirectStrategy redirects using an autosubmitting HTML form using the POST method versus DefaultRedirectStrategy which redirects using the GET method.

Can be used to implement POST binding for relying party initiated OIDC logout by setting FormRedirectStrategy as the redirection strategy on OidcClientInitiatedLogoutSuccessHandler.

Closes gh-13002

Signed-off-by: Craig Andrews <candrews@integralblue.com>
@candrews thanks for the PR!
For this reason and because of the simplicity of the javascript, I feel that registering a static resource for the javascript is not necessary in this case. Would you please consider adding inline javascript at the end of the page instead? I think this case should similarly have its own CSS inline as well. I think it would be best to not rely on registering additional filters in order for the
Inline javascript requires the CSP to allow
Many organizations prohibit
Thanks. That's a good point. However, it does make this issue more difficult. Requiring additional configuration to add the javascript necessary for this simple page is not ideal. We might need to think about this a bit more and see if there's a more "all-inclusive" way to simply register the strategy and have the configuration work. I don't have anything in mind for what that would look like though.
Could we generate a
This seems like it would be very easy to do and well supported by browsers.
We could - but I don't see anywhere in Spring Security where we could set that CSP in that way and not impact existing users.
By that, do you mean this would impact existing headers written by the
Yes. If a project uses
I think it would be automatic: if
The Another option might be to provide a mechanism to influence the CSP header that's written by the writer. In any case, I think it would be nice to explore some alternative options because configuring static assets served by the filter chain seems like something we would only really do for things like the default login page, not collaborators/strategies like this one.
Yes, I agree. That would be ideal.
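An added illustration, not the PR's code and not Spring Security's own FormRedirectStrategy, of the two points discussed in this thread: the auto-submitting POST form described in the commit message, and a per-response CSP nonce as the alternative to allowing 'unsafe-inline' for the submit script. It assumes Spring Security 6 with the jakarta servlet API and spring-web's HtmlUtils on the classpath; the class name NonceFormRedirectStrategy and its helper methods are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.web.RedirectStrategy;
import org.springframework.web.util.HtmlUtils;

/**
 * Hypothetical POST redirect strategy (illustration, not the PR's code): the query
 * string of the target URL becomes hidden form fields, and the auto-submit script is
 * permitted by a per-response CSP nonce rather than by 'unsafe-inline'.
 *
 * Wiring, using the setter inherited by OidcClientInitiatedLogoutSuccessHandler:
 *   handler.setRedirectStrategy(new NonceFormRedirectStrategy());
 */
public class NonceFormRedirectStrategy implements RedirectStrategy {

    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url)
            throws IOException {
        String nonce = newNonce();
        // Assumption: no other CSP header writer is active for this response. If a
        // ContentSecurityPolicyHeaderWriter is also configured, both headers are sent
        // and the browser enforces both, which is the collision raised in the thread.
        response.setHeader("Content-Security-Policy", "script-src 'nonce-" + nonce + "'");
        response.setHeader("Cache-Control", "no-store");
        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter writer = response.getWriter();
        writer.write(buildForm(url, nonce));
        writer.flush();
    }

    /** 128 random bits, base64-encoded, fresh for every response so it cannot be predicted. */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /** Renders the auto-submitting form; every attribute value is HTML-escaped. */
    static String buildForm(String url, String nonce) {
        int hash = url.indexOf('#');
        String withoutFragment = (hash < 0) ? url : url.substring(0, hash);
        int q = withoutFragment.indexOf('?');
        String action = (q < 0) ? withoutFragment : withoutFragment.substring(0, q);
        String query = (q < 0) ? "" : withoutFragment.substring(q + 1);

        StringBuilder html = new StringBuilder();
        html.append("<!DOCTYPE html>\n<html lang=\"en\">\n")
            .append("<head><meta charset=\"utf-8\"><title>Redirecting</title></head>\n<body>\n")
            .append("<form id=\"redirect-form\" method=\"post\" action=\"")
            .append(HtmlUtils.htmlEscape(action)).append("\">\n");
        for (String[] param : parseQuery(query)) {
            // id_token_hint, post_logout_redirect_uri, state, ... travel in the POST body
            html.append("<input type=\"hidden\" name=\"").append(HtmlUtils.htmlEscape(param[0]))
                .append("\" value=\"").append(HtmlUtils.htmlEscape(param[1])).append("\"/>\n");
        }
        // Fallback for clients without JavaScript: a visible submit button.
        html.append("<noscript><button type=\"submit\">Continue</button></noscript>\n</form>\n")
            .append("<script nonce=\"").append(HtmlUtils.htmlEscape(nonce))
            .append("\">document.getElementById('redirect-form').submit();</script>\n")
            .append("</body>\n</html>\n");
        return html.toString();
    }

    /** Splits "a=1&b=2" into decoded name/value pairs, keeping order and repeated names. */
    static List<String[]> parseQuery(String query) {
        List<String[]> params = new ArrayList<>();
        if (query.isEmpty()) {
            return params;
        }
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = (eq < 0) ? pair : pair.substring(0, eq);
            String value = (eq < 0) ? "" : pair.substring(eq + 1);
            params.add(new String[] { URLDecoder.decode(name, StandardCharsets.UTF_8),
                    URLDecoder.decode(value, StandardCharsets.UTF_8) });
        }
        return params;
    }
}
```

Two design points worth noting. First, the parameters that the OIDC logout URL carries in its query string (id_token_hint and post_logout_redirect_uri among them) are HTML-escaped before being placed in hidden-field attributes, so a value containing quotes or angle brackets cannot break out of the attribute. Second, the nonce is what lets the page keep a strict script-src without 'unsafe-inline'; an application that already emits its own Content-Security-Policy header would need that writer to carry the same nonce instead, which is the configuration question left open in the thread.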