I have a customized IDP server implemented with Spring Authorization Server (1.1.2) and Spring Security (6.1.1). With it I implemented SSO between the clients.
I ran into an issue when doing RP-Initiated SLO.
Client: the client redirects a request to the IDP server when the user clicks the logout button.
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;

@Controller
public class LogoutController {
    @GetMapping("/custom-logout/{idToken}")
    public String customLogout(HttpServletRequest request, @PathVariable(value = "idToken") String idToken) {
        // The user's ID token arrives as the path variable (replace with actual retrieval logic)
        // Build the end_session_endpoint URL with id_token_hint and post_logout_redirect_uri
        String logoutUrl = "http://auth-server:8000/connect/logout?id_token_hint=" + idToken
                + "&post_logout_redirect_uri=http://127.0.0.1:8080/logged-out";
        // Redirect the user's browser to the authorization server's logout endpoint
        return "redirect:" + logoutUrl;
    }
}
IDP Server
The IDP server receives the request and tries to convert it via OidcLogoutAuthenticationConverter. However, SecurityContextHolder.getContext().getAuthentication() returns null, and HttpSession session = request.getSession(false) is null too.
// Snippet from Spring Authorization Server's OidcLogoutAuthenticationConverter (1.1.x); helpers such as
// getParameters(), throwError() and ANONYMOUS_AUTHENTICATION are defined elsewhere in that class.
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;

@Override
public Authentication convert(HttpServletRequest request) {
    MultiValueMap<String, String> parameters = getParameters(request);
    // id_token_hint (REQUIRED) // RECOMMENDED as per spec
    String idTokenHint = request.getParameter("id_token_hint");
    if (!StringUtils.hasText(idTokenHint) ||
            request.getParameterValues("id_token_hint").length != 1) {
        throwError(OAuth2ErrorCodes.INVALID_REQUEST, "id_token_hint");
    }
    // Principal of the IDP session; falls back to anonymous when no SecurityContext is bound to this request
    Authentication principal = SecurityContextHolder.getContext().getAuthentication();
    if (principal == null) {
        principal = ANONYMOUS_AUTHENTICATION;
    }
    // Existing IDP session, only if the browser presented its session cookie; getSession(false) never creates one
    String sessionId = null;
    HttpSession session = request.getSession(false);
    if (session != null) {
        sessionId = session.getId();
    }
    // ... remainder of the converter (client_id, post_logout_redirect_uri, state) not shown in the post
}
Any ideas about the issue or what I did wrong? Thanks in advance!
I tried to hit the end_session_endpoint with both GET and POST, but it didn't work.
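As an added example, not the asker's code, here is how the client side of RP-Initiated Logout is normally wired in a Spring Security 6.1 OAuth2 client, instead of hand-building the logout URL in a controller: OidcClientInitiatedLogoutSuccessHandler takes the ID token from the authenticated OidcUser held in the client session, reads end_session_endpoint from the provider metadata that issuer-uri discovery populated, and appends a percent-encoded post_logout_redirect_uri. The registration, the /logout and /logged-out paths and the {baseUrl}/logged-out redirect are assumptions for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

// Example client configuration (assumed names; not the original post's code).
@Configuration
@EnableWebSecurity
public class ClientSecurityConfig {

    @Bean
    SecurityFilterChain clientFilterChain(HttpSecurity http,
                                          ClientRegistrationRepository registrations) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // The landing page after SLO must be reachable without a session
                .requestMatchers("/logged-out").permitAll()
                .anyRequest().authenticated())
            // Login via the IDP; the resulting OidcUser principal carries the ID token
            .oauth2Login(Customizer.withDefaults())
            .logout(logout -> logout
                // POST /logout (CSRF-protected) ends the client session first ...
                .logoutUrl("/logout")
                // ... then the handler redirects the browser to the IDP's end_session_endpoint
                .logoutSuccessHandler(oidcLogoutSuccessHandler(registrations)));
        return http.build();
    }

    private LogoutSuccessHandler oidcLogoutSuccessHandler(ClientRegistrationRepository registrations) {
        OidcClientInitiatedLogoutSuccessHandler handler =
                new OidcClientInitiatedLogoutSuccessHandler(registrations);
        // {baseUrl} resolves to this client's scheme://host:port; the handler percent-encodes the value
        // and the IDP must have it registered as a post_logout_redirect_uri for this client.
        handler.setPostLogoutRedirectUri("{baseUrl}/logged-out");
        return handler;
    }
}
```

Two things to check when using this: the handler only builds the id_token_hint redirect when the client registration's provider metadata contains end_session_endpoint (populated when spring.security.oauth2.client.provider.<id>.issuer-uri points at the IDP and discovery succeeds); otherwise it silently falls back to a plain local logout. And the ID token is read from the server-side principal at logout time, so it never has to travel in a URL path the way the /custom-logout/{idToken} mapping above sends it.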