Support for OIDC RP-Initiated form post logout mode

Author: sberyozkin

docs/src/main/asciidoc/security-oidc-expanded-configuration.adoc

@@ -643,6 +643,7 @@ Quarkus OIDC supports three standard OIDC logout options: <<rp-initiated-logout>
 |quarkus.oidc.logout.post-logout-path || Post logout path
 |quarkus.oidc.logout.post-logout-uri-param || Post logout uri param
 |quarkus.oidc.logout.extra-params || Logout extra params
+|quarkus.oidc.logout.logout-mode |query| Logout mode
 |====
 
 `quarkus.oidc.logout.path` is a relative path where a user logout request should be sent to. For example, given `quarkus.oidc.logout.path=/logout`, a `Logout` link in the SPA page can point to `http://localhost:8080/logout`. This path can be virtual, you do not have to create a JAX-RS endpoint or route handler listening on `/logout`. But for the `quarkus.oidc.logout.path` be effective, it must be secured, see the https://quarkus.io/guides/security-oidc-code-flow-authentication#user-initiated-logout[User-initiated logout] section for more details.
@@ -653,6 +654,9 @@ For the post logout redirect to work, OIDC providers usually require registering
 
 `quarkus.oidc.logout.post-logout-uri-param` and `quarkus.oidc.logout.extra-params` can be used to customize the RP-initiated logout query parameters, for example, Auth0 might expect Auth0-specific logout query parameters, see the https://quarkus.io/guides/security-oidc-code-flow-authentication#user-initiated-logout[User-initiated logout] section for more details.
 
+By default, all the logout parameters are serialized as logout URL query parameters.
+Some OIDC providers may require that logout parameters are encoded as HTML form values and auto-submitted in the browser with the HTTP POST method and the `application/x-www-form-urlencoded` content type: set `quarkus.oidc.logout.logout-mode=form-post` in this case.
+
 [[back-channel-logout]]
 === Back-channel Logout
 

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/LogoutUtils.java

@@ -0,0 +1,52 @@
+package io.quarkus.oidc;
+
+import java.util.Map;
+
+import io.quarkus.oidc.common.runtime.OidcCommonUtils;
+import io.quarkus.oidc.common.runtime.OidcConstants;
+import io.quarkus.oidc.runtime.TenantConfigContext;
+import io.vertx.ext.web.RoutingContext;
+
+public final class LogoutUtils {
+
+    private static final String FORM_POST_LOGOUT_START = "<html>"
+            + "   <head><title>Logout Form</title></head>"
+            + "   <body onload=\"javascript:document.forms[0].submit()\">"
+            + "    <form method=\"post\" action=\"";
+    private static final String FORM_POST_LOGOUT_END = "    </form></body></html>";
+
+    private LogoutUtils() {
+
+    }
+
+    public static String createFormPostLogout(TenantConfigContext configContext, RoutingContext context,
+            String idToken, String postLogoutUrl, String postLogoutState) {
+        StringBuilder sb = new StringBuilder();
+        sb.append(FORM_POST_LOGOUT_START);
+        sb.append(configContext.provider().getMetadata().getEndSessionUri()).append("\">");
+        if (idToken != null) {
+            addInput(sb, OidcConstants.LOGOUT_ID_TOKEN_HINT, idToken);
+        }
+        if (postLogoutUrl != null) {
+            addInput(sb, configContext.oidcConfig().logout().postLogoutUriParam(), postLogoutUrl);
+        }
+        if (postLogoutState != null) {
+            addInput(sb, OidcConstants.LOGOUT_STATE, postLogoutState);
+        }
+
+        Map<String, String> extraParams = configContext.oidcConfig().logout().extraParams();
+        if (extraParams != null) {
+            for (Map.Entry<String, String> entry : extraParams.entrySet()) {
+                addInput(sb, entry.getKey(), entry.getValue());
+            }
+        }
+        sb.append(FORM_POST_LOGOUT_END);
+        return sb.toString();
+    }
+
+    private static void addInput(StringBuilder sb, String name, String value) {
+        sb.append("<input type=\"hidden\" name=\"").append(name)
+                .append("\" value=\"").append(OidcCommonUtils.urlEncode(value)).append("\"");
+    }
+
+}

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java

@@ -488,6 +488,8 @@ public static class Logout implements io.quarkus.oidc.runtime.OidcTenantConfig.L
          */
         Optional<Set<ClearSiteData>> clearSiteData = Optional.of(Set.of());
 
+        LogoutMode logoutMode = LogoutMode.QUERY;
+
         /**
          * Back-Channel Logout configuration
          */
@@ -552,6 +554,7 @@ private void addConfigMappingValues(io.quarkus.oidc.runtime.OidcTenantConfig.Log
             postLogoutUriParam = mapping.postLogoutUriParam();
             extraParams = mapping.extraParams();
             clearSiteData = mapping.clearSiteData();
+            logoutMode = mapping.logoutMode();
             backchannel.addConfigMappingValues(mapping.backchannel());
             frontchannel.addConfigMappingValues(mapping.frontchannel());
         }
@@ -590,6 +593,11 @@ public io.quarkus.oidc.runtime.OidcTenantConfig.Frontchannel frontchannel() {
         public Optional<Set<ClearSiteData>> clearSiteData() {
             return clearSiteData;
         }
+
+        @Override
+        public LogoutMode logoutMode() {
+            return logoutMode;
+        }
     }
 
     /**

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java

@@ -28,6 +28,7 @@
 import io.quarkus.oidc.AuthorizationCodeTokens;
 import io.quarkus.oidc.IdTokenCredential;
 import io.quarkus.oidc.JavaScriptRequestChecker;
+import io.quarkus.oidc.LogoutUtils;
 import io.quarkus.oidc.OidcRedirectFilter;
 import io.quarkus.oidc.OidcRedirectFilter.OidcRedirectContext;
 import io.quarkus.oidc.OidcTenantConfig;
@@ -39,6 +40,7 @@
 import io.quarkus.oidc.common.runtime.OidcConstants;
 import io.quarkus.oidc.runtime.OidcTenantConfig.Authentication;
 import io.quarkus.oidc.runtime.OidcTenantConfig.Authentication.ResponseMode;
+import io.quarkus.oidc.runtime.OidcTenantConfig.Logout.LogoutMode;
 import io.quarkus.security.AuthenticationCompletionException;
 import io.quarkus.security.AuthenticationFailedException;
 import io.quarkus.security.AuthenticationRedirectException;
@@ -47,6 +49,7 @@
 import io.quarkus.security.spi.runtime.BlockingSecurityExecutor;
 import io.quarkus.security.spi.runtime.SecurityEventHelper;
 import io.quarkus.vertx.http.runtime.security.ChallengeData;
+import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils;
 import io.smallrye.jwt.build.Jwt;
 import io.smallrye.jwt.build.JwtClaimsBuilder;
 import io.smallrye.jwt.build.JwtSignatureBuilder;
@@ -1435,8 +1438,10 @@ private Uni<AuthorizationCodeTokens> getCodeFlowTokensUni(RoutingContext context
 
     private String buildLogoutRedirectUri(TenantConfigContext configContext, String idToken, RoutingContext context) {
         String logoutPath = configContext.provider().getMetadata().getEndSessionUri();
+        Map<String, String> extraParams = configContext.oidcConfig().logout().extraParams();
         StringBuilder logoutUri = new StringBuilder(logoutPath);
-        if (idToken != null || configContext.oidcConfig().logout().postLogoutPath().isPresent()) {
+        if (idToken != null || configContext.oidcConfig().logout().postLogoutPath().isPresent()
+                || (extraParams != null && !extraParams.isEmpty())) {
             logoutUri.append("?");
         }
         if (idToken != null) {
@@ -1477,10 +1482,29 @@ private Uni<Void> buildLogoutRedirectUriUni(RoutingContext context, TenantConfig
                 .map(new Function<Void, Void>() {
                     @Override
                     public Void apply(Void t) {
-                        String logoutUri = buildLogoutRedirectUri(configContext, idToken, context);
-                        LOG.debugf("Logout uri: %s", logoutUri);
-                        throw new AuthenticationRedirectException(
-                                filterRedirect(context, configContext, logoutUri, Redirect.Location.OIDC_LOGOUT));
+                        if (configContext.oidcConfig().logout().logoutMode() == LogoutMode.QUERY) {
+                            String logoutUri = buildLogoutRedirectUri(configContext, idToken, context);
+                            LOG.debugf("Logout uri: %s", logoutUri);
+                            throw new AuthenticationRedirectException(
+                                    filterRedirect(context, configContext, logoutUri, Redirect.Location.OIDC_LOGOUT));
+                        } else {
+                            String postLogoutUrl = null;
+                            String postLogoutState = null;
+                            if (configContext.oidcConfig().logout().postLogoutPath().isPresent()) {
+                                postLogoutUrl = OidcCommonUtils
+                                        .urlEncode(buildUri(context, isForceHttps(configContext.oidcConfig()),
+                                                configContext.oidcConfig().logout().postLogoutPath().get()));
+                                postLogoutState = generatePostLogoutState(context, configContext);
+                            }
+                            String formPostLogout = LogoutUtils.createFormPostLogout(configContext, context, idToken,
+                                    postLogoutUrl, postLogoutState);
+                            context.put(HttpSecurityUtils.FORM_POST_REDIRECT, formPostLogout);
+
+                            LOG.debugf("Initiating form post logout");
+                            String logoutUrl = filterRedirect(context, configContext,
+                                    configContext.provider().getMetadata().getEndSessionUri(), Redirect.Location.OIDC_LOGOUT);
+                            throw new AuthenticationRedirectException(200, logoutUrl);
+                        }
                     }
                 });
     }

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcTenantConfig.java

@@ -339,6 +339,25 @@ public String directive() {
          * Clear-Site-Data header directives
          */
         Optional<Set<ClearSiteData>> clearSiteData();
+
+        enum LogoutMode {
+            /**
+             * Logout parameters are encoded in the query string
+             */
+            QUERY,
+
+            /**
+             * Logout parameters are encoded as HTML form values that are auto-submitted in the browser
+             * and transmitted by the HTTP POST method using the application/x-www-form-urlencoded content type
+             */
+            FORM_POST
+        }
+
+        /**
+         * Logout mode
+         */
+        @WithDefault("query")
+        LogoutMode logoutMode();
     }
 
     interface Backchannel {

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/builders/LogoutConfigBuilder.java

@@ -12,6 +12,7 @@
 import io.quarkus.oidc.OidcTenantConfigBuilder;
 import io.quarkus.oidc.runtime.OidcTenantConfig;
 import io.quarkus.oidc.runtime.OidcTenantConfig.Logout.ClearSiteData;
+import io.quarkus.oidc.runtime.OidcTenantConfig.Logout.LogoutMode;
 
 /**
  * Builder for the {@link OidcTenantConfig.Logout}.
@@ -20,7 +21,8 @@ public final class LogoutConfigBuilder {
     private record LogoutImpl(Optional<String> path, Optional<String> postLogoutPath, String postLogoutUriParam,
             Map<String, String> extraParams, OidcTenantConfig.Backchannel backchannel,
             OidcTenantConfig.Frontchannel frontchannel,
-            Optional<Set<ClearSiteData>> clearSiteData) implements OidcTenantConfig.Logout {
+            Optional<Set<ClearSiteData>> clearSiteData,
+            LogoutMode logoutMode) implements OidcTenantConfig.Logout {
     }
 
     private record FrontchannelImpl(Optional<String> path) implements OidcTenantConfig.Frontchannel {
@@ -34,6 +36,7 @@ private record FrontchannelImpl(Optional<String> path) implements OidcTenantConf
     private OidcTenantConfig.Backchannel backchannel;
     private OidcTenantConfig.Frontchannel frontchannel;
     private Optional<Set<ClearSiteData>> clearSiteData = Optional.of(new HashSet<>());
+    private LogoutMode logoutMode;
 
     public LogoutConfigBuilder() {
         this(new OidcTenantConfigBuilder());
@@ -51,6 +54,7 @@ public LogoutConfigBuilder(OidcTenantConfigBuilder builder) {
         this.backchannel = logout.backchannel();
         this.frontchannel = logout.frontchannel();
         this.clearSiteData = logout.clearSiteData();
+        this.logoutMode = logout.logoutMode();
     }
 
     /**
@@ -132,6 +136,21 @@ public LogoutConfigBuilder clearSiteData(List<ClearSiteData> directives) {
         return this;
     }
 
+    public LogoutConfigBuilder logoutMode() {
+        this.logoutMode(LogoutMode.QUERY);
+        return this;
+    }
+
+    /**
+     * @param clear site data directives {@link OidcTenantConfig.Logout#clearSiteData()}
+     * @return this builder
+     */
+    public LogoutConfigBuilder logoutMode(LogoutMode logoutMode) {
+        Objects.requireNonNull(logoutMode);
+        this.logoutMode = logoutMode;
+        return this;
+    }
+
     /**
      * @param backchannel {@link OidcTenantConfig.Logout#backchannel()}
      * @return this builder
@@ -162,7 +181,7 @@ public OidcTenantConfigBuilder end() {
      */
     public OidcTenantConfig.Logout build() {
         return new LogoutImpl(path, postLogoutPath, postLogoutUriParam, Map.copyOf(extraParams), backchannel, frontchannel,
-                clearSiteData);
+                clearSiteData, logoutMode);
     }
 
     /**

extensions/oidc/runtime/src/test/java/io/quarkus/oidc/runtime/OidcTenantConfigImpl.java

@@ -162,6 +162,7 @@ enum ConfigMappingMethods {
         LOGOUT_POST_LOGOUT_PATH,
         LOGOUT_POST_LOGOUT_URI_PARAM,
         LOGOUT_CLEAR_SITE_DATA,
+        LOGOUT_MODE,
         LOGOUT_EXTRA_PARAMS,
         LOGOUT_BACK_CHANNEL,
         LOGOUT_FRONT_CHANNEL,
@@ -506,6 +507,12 @@ public Optional<Set<ClearSiteData>> clearSiteData() {
                 return Optional.of(Set.of());
             }
 
+            @Override
+            public LogoutMode logoutMode() {
+                invocationsRecorder.put(ConfigMappingMethods.LOGOUT_MODE, true);
+                return LogoutMode.QUERY;
+            }
+
             @Override
             public Backchannel backchannel() {
                 invocationsRecorder.put(ConfigMappingMethods.LOGOUT_BACK_CHANNEL, true);

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpSecurityRecorder.java

@@ -12,7 +12,12 @@
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.util.*;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
 import java.util.concurrent.CompletionException;
 import java.util.function.BiConsumer;
 import java.util.function.Consumer;
@@ -207,9 +212,15 @@ public void accept(Throwable throwable) {
                 proceed(throwable);
             } else if (throwable instanceof AuthenticationRedirectException redirectEx) {
                 event.response().setStatusCode(redirectEx.getCode());
-                event.response().headers().set(HttpHeaders.LOCATION, redirectEx.getRedirectUri());
                 event.response().headers().set(HttpHeaders.CACHE_CONTROL, "no-store");
                 event.response().headers().set("Pragma", "no-cache");
+
+                String formPostRedirect = event.get(HttpSecurityUtils.FORM_POST_REDIRECT);
+                if (formPostRedirect == null) {
+                    event.response().headers().set(HttpHeaders.LOCATION, redirectEx.getRedirectUri());
+                } else {
+                    event.response().write(formPostRedirect);
+                }
                 proceed(throwable);
             } else {
                 event.put(OTHER_AUTHENTICATION_FAILURE, Boolean.TRUE);

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpSecurityUtils.java

@@ -15,6 +15,7 @@
 public final class HttpSecurityUtils {
     // keep in sync with QuarkusPermissionSecurityIdentityAugmentor
     public final static String ROUTING_CONTEXT_ATTRIBUTE = "quarkus.http.routing.context";
+    public final static String FORM_POST_REDIRECT = "quarkus.http.form.post.redirect";
     static final String SECURITY_IDENTITIES_ATTRIBUTE = "io.quarkus.security.identities";
     static final String COMMON_NAME = "CN";
     private static final String AUTHENTICATION_FAILURE_KEY = "io.quarkus.vertx.http.runtime.security#authentication-failure";

integration-tests/oidc-tenancy/src/main/java/io/quarkus/it/keycloak/OidcResource.java

@@ -1,5 +1,6 @@
 package io.quarkus.it.keycloak;
 
+import java.net.URI;
 import java.security.PublicKey;
 import java.time.Duration;
 import java.util.Arrays;
@@ -16,6 +17,7 @@
 import jakarta.ws.rs.Produces;
 import jakarta.ws.rs.QueryParam;
 import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.UriInfo;
 
 import org.eclipse.microprofile.jwt.JsonWebToken;
@@ -369,6 +371,12 @@ public boolean disableRotate() {
         return rotate;
     }
 
+    @POST
+    @Path("form-post-logout")
+    public Response formPostLogout(@FormParam("post_logout_redirect_uri") String postLogoutRedirectUri) throws Exception {
+        return Response.seeOther(URI.create(postLogoutRedirectUri)).build();
+    }
+
     private String jwt(String audience, String subject, String kid) {
         return jwt(audience, subject, kid, false);
     }