forked from apache/geode
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
GEODE-7851: Pulse logout requests end of OAuth session
When Pulse is configured to use OAuth, and a user logs out of Pulse, Pulse redirects the browser to a page where the user can take action to end their session. The available actions depend on the OAuth provider, but may include revoking the token or logging out of the OAuth provider entirely. Main changes: - Changed OAuthSecurityConfig to install two logout handlers: A RepositoryLogoutHandler (renamed from LogoutHandler) and an OidcClientInitiatedLogoutSuccessHandler. - Added a pulse.security.oauth.endSessionEndpoint property to specify the URL to which the OidcClientInitiatedLogoutSuccessHandler should redirect the browser on logout. - Configured the OAuthSecurityConfig to add the "end session endpoint" property value to the client configuration metadata. On logout, the OidcClientInitiatedLogoutSuccessHandler redirects the browser to this endpoint, where the user can take action to end the session. - In the OAuthClientConfig class (extracted from OAuthSecurityConfig), restored the code to explicitly list the scopes that Pulse is requesting, in particular to list "openid" in the scopes. Though authentication works just fine without that explicit list, the OidcClientInitiatedLogoutSuccessHandler does not. The OidcClientInitiatedLogoutSuccessHandler handles logout only if the the principal is an OidcUser. If "openid" is not explicitly listed in the client's scopes. Spring creates OAuth2User principals instead of OidcUser principals, and OidcClientInitiatedLogoutSuccessHandler return without redirecting the browser. Also refactored to support the above changes: - Moved the oauth client service configuration from OAuthSecurityConfig to a new OAuthClientConfig class. This breaks Respository's dependence on OAuthSecurityConfig, which in turn (through the LogoutHandler) depended on Repository. Repository now gets its OAuth2AuthorizedClientService from the OAuthClientConfig class, which does not in turn depend on Repository. - Marked two Repository constructors as non-required. Spring will pick whichever one has the most dependencies it can satisfy. So if the profile specifies an OAuth2AuthorizedClientService, Spring will call the constructor that takes one of those. Otherwise Spring will call the no-args constructor. - Renamed LogoutHandler to RepositoryLogoutHandler to better reflect its specific responsibilities. - Changed RepositoryLogoutHandler to implement LogoutHandler instead of LogoutSuccessHandler. Now it does its work *during* logout instead of *after.* - Changed DefaultSecurityConfig to specify the logout success URL directly instead of via a logout success handler. (OAuthSecurityConfig no longer needs a logout success URL, because the OIDC logout handler redirects to the OAuth provider instead.) Co-authored-by: Dale Emery <[email protected]> Co-authored-by: Joris Melchior <[email protected]>
- Loading branch information
1 parent
88b3603
commit f9d9479
Showing
12 changed files
with
191 additions
and
163 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
109 changes: 109 additions & 0 deletions
109
...pulse/src/main/java/org/apache/geode/tools/pulse/internal/security/OAuthClientConfig.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| /* | ||
| * Licensed to the Apache Software Foundation (ASF) under one or more contributor license | ||
| * agreements. See the NOTICE file distributed with this work for additional information regarding | ||
| * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the | ||
| * "License"); you may not use this file except in compliance with the License. You may obtain a | ||
| * copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software distributed under the License | ||
| * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express | ||
| * or implied. See the License for the specific language governing permissions and limitations under | ||
| * the License. | ||
| */ | ||
|
|
||
| package org.apache.geode.tools.pulse.internal.security; | ||
|
|
||
| import static java.util.Collections.singletonMap; | ||
|
|
||
| import org.springframework.beans.factory.annotation.Value; | ||
| import org.springframework.context.annotation.Bean; | ||
| import org.springframework.context.annotation.Configuration; | ||
| import org.springframework.context.annotation.Profile; | ||
| import org.springframework.context.annotation.PropertySource; | ||
| import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService; | ||
| import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService; | ||
| import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler; | ||
| import org.springframework.security.oauth2.client.registration.ClientRegistration; | ||
| import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; | ||
| import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository; | ||
| import org.springframework.security.oauth2.client.web.AuthenticatedPrincipalOAuth2AuthorizedClientRepository; | ||
| import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository; | ||
| import org.springframework.security.oauth2.core.AuthorizationGrantType; | ||
|
|
||
| /** | ||
| * Configures Pulse to use the OAuth 2 provider defined by properties in {@code pulse.properties}. | ||
| */ | ||
| @Configuration | ||
| @Profile("pulse.authentication.oauth") | ||
| @PropertySource("classpath:pulse.properties") | ||
| public class OAuthClientConfig { | ||
| @Value("${pulse.oauth.providerId}") | ||
| private String providerId; | ||
| @Value("${pulse.oauth.providerName}") | ||
| private String providerName; | ||
| @Value("${pulse.oauth.clientId}") | ||
| private String clientId; | ||
| @Value("${pulse.oauth.clientSecret}") | ||
| private String clientSecret; | ||
| @Value("${pulse.oauth.authorizationUri}") | ||
| private String authorizationUri; | ||
| @Value("${pulse.oauth.tokenUri}") | ||
| private String tokenUri; | ||
| @Value("${pulse.oauth.userInfoUri}") | ||
| private String userInfoUri; | ||
| @Value("${pulse.oauth.jwkSetUri}") | ||
| private String jwkSetUri; | ||
| @Value("${pulse.oauth.endSessionEndpoint}") | ||
| private String endSessionEndpoint; | ||
| @Value("${pulse.oauth.userNameAttributeName}") | ||
| private String userNameAttributeName; | ||
|
|
||
| @Bean | ||
| ClientRegistration clientRegistration() { | ||
| return ClientRegistration.withRegistrationId(providerId) | ||
| .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) | ||
| .redirectUriTemplate("{baseUrl}/login/oauth2/code/{registrationId}") | ||
| .clientId(clientId) | ||
| .clientSecret(clientSecret) | ||
| .scope("openid", "CLUSTER:READ", "CLUSTER:WRITE", "DATA:READ", "DATA:WRITE") | ||
| .authorizationUri(authorizationUri) | ||
| .tokenUri(tokenUri) | ||
| .userInfoUri(userInfoUri) | ||
| .jwkSetUri(jwkSetUri) | ||
| .providerConfigurationMetadata( | ||
| singletonMap("end_session_endpoint", endSessionEndpoint)) | ||
| // When Spring shows the login page, it displays a link to the OAuth provider's | ||
| // authorization URI. Spring uses the value passed to clientName() as the text for that | ||
| // link. We pass the providerName property here, to let the user know which OAuth provider | ||
| // they will be redirected to. | ||
| .clientName(providerName) | ||
| .userNameAttributeName(userNameAttributeName) | ||
| .build(); | ||
| } | ||
|
|
||
| @Bean | ||
| public ClientRegistrationRepository clientRegistrationRepository( | ||
| ClientRegistration clientRegistration) { | ||
| return new InMemoryClientRegistrationRepository(clientRegistration); | ||
| } | ||
|
|
||
| @Bean | ||
| public OAuth2AuthorizedClientService authorizedClientService( | ||
| ClientRegistrationRepository clientRegistrationRepository) { | ||
| return new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository); | ||
| } | ||
|
|
||
| @Bean | ||
| public OAuth2AuthorizedClientRepository authorizedClientRepository( | ||
| OAuth2AuthorizedClientService authorizedClientService) { | ||
| return new AuthenticatedPrincipalOAuth2AuthorizedClientRepository(authorizedClientService); | ||
| } | ||
|
|
||
| @Bean | ||
| public OidcClientInitiatedLogoutSuccessHandler oidcLogoutHandler( | ||
| ClientRegistrationRepository clientRegistrationRepository) { | ||
| return new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository); | ||
| } | ||
| } |
Oops, something went wrong.