Closed rigon closed 3 years ago
I wonder if this is related to https://github.com/spring-projects/spring-security/commit/0486d5add983dd09295fffeee13015cdd74bf322.
@rigon, if you specify the list of scopes that you require in the `spring.security.oauth2.client.registration.keycloak.scope` property, does that repair the behavior? It would need to at least include `openid`:

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            scope: openid
```
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
@jzheaux That is actually true. Specifying the scope `openid` solves the problem; the application works as intended. Thanks a lot for the tip.
I was migrating my Spring Boot application from 2.3 to 2.4. The confusion with this had to do with the fact that I was relying on default scopes without realizing it, and it wasn't clear in the documentation. Closing this issue.
Glad that worked, @rigon. Is there someplace in the documentation that you feel should be changed? If so, would you be able to submit a PR?
Today I ran into the same issue with `spring-boot-starter-oauth2-client:2.6.3`. After having added `scope: openid` to my `application.yml`, the `end_session_endpoint` was correctly resolved from the Keycloak configuration URL.

However, I don't quite understand the relation between the `scope` parameter and this issue. Has there been an update of the documentation which I might be missing? @jzheaux
Having read #5494 and especially this comment, my understanding is this:

- The `scope` parameter is OPTIONAL with regards to the OAuth2 spec. This is why Spring Security allows it to be empty/null and doesn't complain.
- The `oauth2Login()` and `logout()` features, e.g. `OidcClientInitiatedServerLogoutSuccessHandler`, require the `scope` parameter to be at least `openid`.

Is my understanding correct?
Yes, @straurob, you've got it right.
Describe the bug

When `OidcClientInitiatedServerLogoutSuccessHandler` is configured, the redirect logout is not initiated in the client. I think something changed in Spring Security. This was working as expected up to version `2.3.10.RELEASE` of Spring Boot, but after `2.4.0` it stopped working.

This behaviour is visible in these two places:

- `authentication.getPrincipal()` does not produce an instance of `OidcUser` in here
- `@AuthenticationPrincipal OidcUser oidcUser` to an endpoint always gives `null`.

To Reproduce

`oidcUser` when calling the endpoint `GET /`

Expected behavior

Perform the logout from the Identity Provider. The URL used for this is defined by `end_session_endpoint` and we should see a redirect with it in the network log (browser inspector).

Sample

Used dependencies:

- org.springframework.boot:spring-boot-starter-webflux:2.4.5
- org.springframework.boot:spring-boot-starter-oauth2-client:2.4.5

application.yml:

Sample application:
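As an added illustration of the setup this thread discusses (this is not code from the issue, from its sample application, or from the Spring Security project): a minimal WebFlux security configuration that wires `OidcClientInitiatedServerLogoutSuccessHandler`, together with the `application.yml` registration carrying `scope: openid`, which is what makes the login an OIDC login (id_token issued, principal is an `OidcUser`) and lets the handler resolve `end_session_endpoint` from the issuer's discovery document. It also includes the `GET /` endpoint from the reproduction so the `null` symptom is visible. The package, class and bean names, the `{baseUrl}/` post-logout redirect, the client id/secret and the Keycloak issuer URL are assumptions.

```java
// Added example, not from the issue or the Spring Security project.
// Assumed application.yml (client id, secret and issuer URL are placeholders):
//
//   spring:
//     security:
//       oauth2:
//         client:
//           registration:
//             keycloak:
//               client-id: my-client
//               client-secret: ${KEYCLOAK_CLIENT_SECRET}
//               scope: openid   # without this the login is plain OAuth2, not OIDC:
//                               # no id_token, no OidcUser, no end_session_endpoint
//           provider:
//             keycloak:
//               issuer-uri: https://keycloak.example.invalid/realms/demo
package com.example.demo; // assumed package name

import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
            ReactiveClientRegistrationRepository clientRegistrations) {
        // RP-initiated logout: once the local session is cleared, redirect the browser to the
        // provider's end_session_endpoint (taken from the issuer's OIDC discovery document),
        // passing the id_token_hint, so the Keycloak session is ended as well.
        OidcClientInitiatedServerLogoutSuccessHandler oidcLogout =
                new OidcClientInitiatedServerLogoutSuccessHandler(clientRegistrations);
        oidcLogout.setPostLogoutRedirectUri("{baseUrl}/"); // assumed post-logout landing page

        return http
                .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
                .oauth2Login(Customizer.withDefaults())
                .logout(logout -> logout.logoutSuccessHandler(oidcLogout))
                .build();
    }
}

// The endpoint from the issue's reproduction. With scope openid the principal is an OidcUser;
// with the scope missing it is a plain OAuth2User, so this parameter resolves to null.
@RestController
class HomeController {

    @GetMapping("/")
    Map<String, Object> home(@AuthenticationPrincipal OidcUser oidcUser) {
        if (oidcUser == null) {
            return Map.of("error",
                    "principal is not an OidcUser; check that the registration's scope includes openid");
        }
        return Map.of(
                "subject", oidcUser.getSubject(),
                "issuer", String.valueOf(oidcUser.getIssuer()),
                "hasIdToken", oidcUser.getIdToken() != null);
    }
}
```

With the `scope` line present, a `POST /logout` clears the local session and responds with a redirect to Keycloak's `end_session_endpoint` (visible in the browser's network log, as the issue's expected behaviour describes); with it removed, `GET /` returns the error entry above and the logout handler has no id_token to work with, which reproduces the reported symptom.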