Merge pull request #48575 from sberyozkin/oidc_logout_post_method

Support for OIDC RP-Initiated form post logout mode

Author: sberyozkin

docs/src/main/asciidoc/security-oidc-expanded-configuration.adoc

@@ -643,6 +643,7 @@ Quarkus OIDC supports three standard OIDC logout options: <<rp-initiated-logout>
 |quarkus.oidc.logout.post-logout-path || Post logout path
 |quarkus.oidc.logout.post-logout-uri-param || Post logout uri param
 |quarkus.oidc.logout.extra-params || Logout extra params
+|quarkus.oidc.logout.logout-mode |query| Logout mode
 |====
 
 `quarkus.oidc.logout.path` is a relative path where a user logout request should be sent to. For example, given `quarkus.oidc.logout.path=/logout`, a `Logout` link in the SPA page can point to `http://localhost:8080/logout`. This path can be virtual, you do not have to create a JAX-RS endpoint or route handler listening on `/logout`. But for the `quarkus.oidc.logout.path` be effective, it must be secured, see the https://quarkus.io/guides/security-oidc-code-flow-authentication#user-initiated-logout[User-initiated logout] section for more details.
@@ -653,6 +654,9 @@ For the post logout redirect to work, OIDC providers usually require registering
 
 `quarkus.oidc.logout.post-logout-uri-param` and `quarkus.oidc.logout.extra-params` can be used to customize the RP-initiated logout query parameters, for example, Auth0 might expect Auth0-specific logout query parameters, see the https://quarkus.io/guides/security-oidc-code-flow-authentication#user-initiated-logout[User-initiated logout] section for more details.
 
+By default, all the logout parameters are serialized as logout URL query parameters.
+Some OIDC providers may require that logout parameters are encoded as HTML form values and auto-submitted in the browser with the HTTP POST method and the `application/x-www-form-urlencoded` content type: set `quarkus.oidc.logout.logout-mode=form-post` in this case.
+
 [[back-channel-logout]]
 === Back-channel Logout
 

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/LogoutUtils.java

@@ -0,0 +1,51 @@
+package io.quarkus.oidc;
+
+import java.util.Map;
+
+import io.quarkus.oidc.common.runtime.OidcConstants;
+import io.quarkus.oidc.runtime.OidcTenantConfig.Logout;
+
+public final class LogoutUtils {
+
+    private static final String FORM_POST_LOGOUT_START = "<html>"
+            + "   <head><title>Logout Form</title></head>"
+            + "   <body onload=\"javascript:document.forms[0].submit()\">"
+            + "    <form method=\"post\" action=\"";
+    private static final String FORM_POST_LOGOUT_END = "    </form></body></html>";
+
+    private LogoutUtils() {
+
+    }
+
+    public static String createFormPostLogout(Logout logoutConfig, String logoutUrl,
+            String idToken, String postLogoutUrl, String postLogoutState) {
+        StringBuilder sb = new StringBuilder();
+        sb.append(FORM_POST_LOGOUT_START);
+        sb.append(logoutUrl).append("\">");
+        if (idToken != null) {
+            addInput(sb, OidcConstants.LOGOUT_ID_TOKEN_HINT, idToken);
+        }
+        if (postLogoutUrl != null) {
+            addInput(sb, logoutConfig.postLogoutUriParam(), postLogoutUrl);
+        }
+        if (postLogoutState != null) {
+            addInput(sb, OidcConstants.LOGOUT_STATE, postLogoutState);
+        }
+
+        Map<String, String> extraParams = logoutConfig.extraParams();
+        if (extraParams != null) {
+            for (Map.Entry<String, String> entry : extraParams.entrySet()) {
+                addInput(sb, entry.getKey(), entry.getValue());
+            }
+        }
+        sb.append(FORM_POST_LOGOUT_END);
+        return sb.toString();
+    }
+
+    private static void addInput(StringBuilder sb, String name, String value) {
+        sb.append("<input type=\"hidden\" name=\"").append(name).append("\" ")
+                .append("value=\"").append(value).append("\"")
+                .append("/>");
+    }
+
+}

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java

@@ -488,6 +488,8 @@ public static class Logout implements io.quarkus.oidc.runtime.OidcTenantConfig.L
          */
         Optional<Set<ClearSiteData>> clearSiteData = Optional.of(Set.of());
 
+        LogoutMode logoutMode = LogoutMode.QUERY;
+
         /**
          * Back-Channel Logout configuration
          */
@@ -552,6 +554,7 @@ private void addConfigMappingValues(io.quarkus.oidc.runtime.OidcTenantConfig.Log
             postLogoutUriParam = mapping.postLogoutUriParam();
             extraParams = mapping.extraParams();
             clearSiteData = mapping.clearSiteData();
+            logoutMode = mapping.logoutMode();
             backchannel.addConfigMappingValues(mapping.backchannel());
             frontchannel.addConfigMappingValues(mapping.frontchannel());
         }
@@ -590,6 +593,11 @@ public io.quarkus.oidc.runtime.OidcTenantConfig.Frontchannel frontchannel() {
         public Optional<Set<ClearSiteData>> clearSiteData() {
             return clearSiteData;
         }
+
+        @Override
+        public LogoutMode logoutMode() {
+            return logoutMode;
+        }
     }
 
     /**

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/CodeAuthenticationMechanism.java

@@ -28,6 +28,7 @@
 import io.quarkus.oidc.AuthorizationCodeTokens;
 import io.quarkus.oidc.IdTokenCredential;
 import io.quarkus.oidc.JavaScriptRequestChecker;
+import io.quarkus.oidc.LogoutUtils;
 import io.quarkus.oidc.OidcRedirectFilter;
 import io.quarkus.oidc.OidcRedirectFilter.OidcRedirectContext;
 import io.quarkus.oidc.OidcTenantConfig;
@@ -39,6 +40,7 @@
 import io.quarkus.oidc.common.runtime.OidcConstants;
 import io.quarkus.oidc.runtime.OidcTenantConfig.Authentication;
 import io.quarkus.oidc.runtime.OidcTenantConfig.Authentication.ResponseMode;
+import io.quarkus.oidc.runtime.OidcTenantConfig.Logout.LogoutMode;
 import io.quarkus.security.AuthenticationCompletionException;
 import io.quarkus.security.AuthenticationFailedException;
 import io.quarkus.security.AuthenticationRedirectException;
@@ -1435,8 +1437,10 @@ private Uni<AuthorizationCodeTokens> getCodeFlowTokensUni(RoutingContext context
 
     private String buildLogoutRedirectUri(TenantConfigContext configContext, String idToken, RoutingContext context) {
         String logoutPath = configContext.provider().getMetadata().getEndSessionUri();
+        Map<String, String> extraParams = configContext.oidcConfig().logout().extraParams();
         StringBuilder logoutUri = new StringBuilder(logoutPath);
-        if (idToken != null || configContext.oidcConfig().logout().postLogoutPath().isPresent()) {
+        if (idToken != null || configContext.oidcConfig().logout().postLogoutPath().isPresent()
+                || (extraParams != null && !extraParams.isEmpty())) {
             logoutUri.append("?");
         }
         if (idToken != null) {
@@ -1477,10 +1481,29 @@ private Uni<Void> buildLogoutRedirectUriUni(RoutingContext context, TenantConfig
                 .map(new Function<Void, Void>() {
                     @Override
                     public Void apply(Void t) {
-                        String logoutUri = buildLogoutRedirectUri(configContext, idToken, context);
-                        LOG.debugf("Logout uri: %s", logoutUri);
-                        throw new AuthenticationRedirectException(
-                                filterRedirect(context, configContext, logoutUri, Redirect.Location.OIDC_LOGOUT));
+                        if (configContext.oidcConfig().logout().logoutMode() == LogoutMode.QUERY) {
+                            String logoutUri = buildLogoutRedirectUri(configContext, idToken, context);
+                            LOG.debugf("Logout uri: %s", logoutUri);
+                            throw new AuthenticationRedirectException(
+                                    filterRedirect(context, configContext, logoutUri, Redirect.Location.OIDC_LOGOUT));
+                        } else {
+                            String postLogoutUrl = null;
+                            String postLogoutState = null;
+                            if (configContext.oidcConfig().logout().postLogoutPath().isPresent()) {
+                                postLogoutUrl = buildUri(context, isForceHttps(configContext.oidcConfig()),
+                                        configContext.oidcConfig().logout().postLogoutPath().get());
+                                postLogoutState = generatePostLogoutState(context, configContext);
+                            }
+
+                            String logoutUrl = filterRedirect(context, configContext,
+                                    configContext.provider().getMetadata().getEndSessionUri(), Redirect.Location.OIDC_LOGOUT);
+                            // Target URL is embedded in the form post payload
+                            String formPostLogout = LogoutUtils.createFormPostLogout(configContext.oidcConfig().logout(),
+                                    logoutUrl, idToken,
+                                    postLogoutUrl, postLogoutState);
+                            LOG.debugf("Initiating form post logout");
+                            throw new AuthenticationRedirectException(200, formPostLogout);
+                        }
                     }
                 });
     }

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcTenantConfig.java

@@ -339,6 +339,25 @@ public String directive() {
          * Clear-Site-Data header directives
          */
         Optional<Set<ClearSiteData>> clearSiteData();
+
+        enum LogoutMode {
+            /**
+             * Logout parameters are encoded in the query string
+             */
+            QUERY,
+
+            /**
+             * Logout parameters are encoded as HTML form values that are auto-submitted in the browser
+             * and transmitted by the HTTP POST method using the application/x-www-form-urlencoded content type
+             */
+            FORM_POST
+        }
+
+        /**
+         * Logout mode
+         */
+        @WithDefault("query")
+        LogoutMode logoutMode();
     }
 
     interface Backchannel {

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/builders/LogoutConfigBuilder.java

@@ -12,6 +12,7 @@
 import io.quarkus.oidc.OidcTenantConfigBuilder;
 import io.quarkus.oidc.runtime.OidcTenantConfig;
 import io.quarkus.oidc.runtime.OidcTenantConfig.Logout.ClearSiteData;
+import io.quarkus.oidc.runtime.OidcTenantConfig.Logout.LogoutMode;
 
 /**
  * Builder for the {@link OidcTenantConfig.Logout}.
@@ -20,7 +21,8 @@ public final class LogoutConfigBuilder {
     private record LogoutImpl(Optional<String> path, Optional<String> postLogoutPath, String postLogoutUriParam,
             Map<String, String> extraParams, OidcTenantConfig.Backchannel backchannel,
             OidcTenantConfig.Frontchannel frontchannel,
-            Optional<Set<ClearSiteData>> clearSiteData) implements OidcTenantConfig.Logout {
+            Optional<Set<ClearSiteData>> clearSiteData,
+            LogoutMode logoutMode) implements OidcTenantConfig.Logout {
     }
 
     private record FrontchannelImpl(Optional<String> path) implements OidcTenantConfig.Frontchannel {
@@ -34,6 +36,7 @@ private record FrontchannelImpl(Optional<String> path) implements OidcTenantConf
     private OidcTenantConfig.Backchannel backchannel;
     private OidcTenantConfig.Frontchannel frontchannel;
     private Optional<Set<ClearSiteData>> clearSiteData = Optional.of(new HashSet<>());
+    private LogoutMode logoutMode;
 
     public LogoutConfigBuilder() {
         this(new OidcTenantConfigBuilder());
@@ -51,6 +54,7 @@ public LogoutConfigBuilder(OidcTenantConfigBuilder builder) {
         this.backchannel = logout.backchannel();
         this.frontchannel = logout.frontchannel();
         this.clearSiteData = logout.clearSiteData();
+        this.logoutMode = logout.logoutMode();
     }
 
     /**
@@ -132,6 +136,21 @@ public LogoutConfigBuilder clearSiteData(List<ClearSiteData> directives) {
         return this;
     }
 
+    public LogoutConfigBuilder logoutMode() {
+        this.logoutMode(LogoutMode.QUERY);
+        return this;
+    }
+
+    /**
+     * @param clear site data directives {@link OidcTenantConfig.Logout#clearSiteData()}
+     * @return this builder
+     */
+    public LogoutConfigBuilder logoutMode(LogoutMode logoutMode) {
+        Objects.requireNonNull(logoutMode);
+        this.logoutMode = logoutMode;
+        return this;
+    }
+
     /**
      * @param backchannel {@link OidcTenantConfig.Logout#backchannel()}
      * @return this builder
@@ -162,7 +181,7 @@ public OidcTenantConfigBuilder end() {
      */
     public OidcTenantConfig.Logout build() {
         return new LogoutImpl(path, postLogoutPath, postLogoutUriParam, Map.copyOf(extraParams), backchannel, frontchannel,
-                clearSiteData);
+                clearSiteData, logoutMode);
     }
 
     /**

extensions/oidc/runtime/src/test/java/io/quarkus/oidc/runtime/OidcTenantConfigImpl.java

@@ -162,6 +162,7 @@ enum ConfigMappingMethods {
         LOGOUT_POST_LOGOUT_PATH,
         LOGOUT_POST_LOGOUT_URI_PARAM,
         LOGOUT_CLEAR_SITE_DATA,
+        LOGOUT_MODE,
         LOGOUT_EXTRA_PARAMS,
         LOGOUT_BACK_CHANNEL,
         LOGOUT_FRONT_CHANNEL,
@@ -506,6 +507,12 @@ public Optional<Set<ClearSiteData>> clearSiteData() {
                 return Optional.of(Set.of());
             }
 
+            @Override
+            public LogoutMode logoutMode() {
+                invocationsRecorder.put(ConfigMappingMethods.LOGOUT_MODE, true);
+                return LogoutMode.QUERY;
+            }
+
             @Override
             public Backchannel backchannel() {
                 invocationsRecorder.put(ConfigMappingMethods.LOGOUT_BACK_CHANNEL, true);

extensions/resteasy-classic/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/AuthenticationRedirectExceptionMapper.java

@@ -2,21 +2,34 @@
 
 import jakarta.ws.rs.core.HttpHeaders;
 import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.Response.ResponseBuilder;
 import jakarta.ws.rs.ext.ExceptionMapper;
 import jakarta.ws.rs.ext.Provider;
 
+import org.jboss.logging.Logger;
+
 import io.quarkus.security.AuthenticationRedirectException;
 
 @Provider
 public class AuthenticationRedirectExceptionMapper implements ExceptionMapper<AuthenticationRedirectException> {
+    private static final Logger log = Logger.getLogger(AuthenticationRedirectExceptionMapper.class);
 
     @Override
     public Response toResponse(AuthenticationRedirectException ex) {
-        return Response.status(ex.getCode())
-                .header(HttpHeaders.LOCATION, ex.getRedirectUri())
+
+        ResponseBuilder builder = Response.status(ex.getCode())
                 .header(HttpHeaders.CACHE_CONTROL, "no-store")
-                .header("Pragma", "no-cache")
-                .build();
+                .header("Pragma", "no-cache");
+        if (ex.getCode() == 200) {
+            // The target URL is embedded in the auto-submitted form post payload
+            log.debugf("Form post redirect to %s", ex.getRedirectUri());
+            builder.entity(ex.getRedirectUri())
+                    .type("text/html; charset=UTF-8");
+        } else {
+            log.debugf("Redirect to %s ", ex.getRedirectUri());
+            builder.header(HttpHeaders.LOCATION, ex.getRedirectUri());
+        }
+        return builder.build();
     }
 
 }

extensions/resteasy-reactive/rest/runtime/src/main/java/io/quarkus/resteasy/reactive/server/runtime/exceptionmappers/AuthenticationRedirectExceptionMapper.java

@@ -2,19 +2,31 @@
 
 import jakarta.ws.rs.core.HttpHeaders;
 import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.Response.ResponseBuilder;
 import jakarta.ws.rs.ext.ExceptionMapper;
 
+import org.jboss.logging.Logger;
+
 import io.quarkus.security.AuthenticationRedirectException;
 
 public class AuthenticationRedirectExceptionMapper implements ExceptionMapper<AuthenticationRedirectException> {
+    private static final Logger log = Logger.getLogger(AuthenticationRedirectExceptionMapper.class);
 
     @Override
     public Response toResponse(AuthenticationRedirectException ex) {
-        return Response.status(ex.getCode())
-                .header(HttpHeaders.LOCATION, ex.getRedirectUri())
+
+        ResponseBuilder builder = Response.status(ex.getCode())
                 .header(HttpHeaders.CACHE_CONTROL, "no-store")
-                .header("Pragma", "no-cache")
-                .build();
+                .header("Pragma", "no-cache");
+        if (ex.getCode() == 200) {
+            // The target URL is embedded in the auto-submitted form post payload
+            log.debugf("Form post redirect to %s", ex.getRedirectUri());
+            builder.entity(ex.getRedirectUri())
+                    .type("text/html; charset=UTF-8");
+        } else {
+            log.debugf("Redirect to %s ", ex.getRedirectUri());
+            builder.header(HttpHeaders.LOCATION, ex.getRedirectUri());
+        }
+        return builder.build();
     }
-
 }

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/HttpSecurityRecorder.java

@@ -12,7 +12,12 @@
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.util.*;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
 import java.util.concurrent.CompletionException;
 import java.util.function.BiConsumer;
 import java.util.function.Consumer;
@@ -45,6 +50,7 @@
 import io.smallrye.mutiny.subscription.UniSubscriber;
 import io.smallrye.mutiny.subscription.UniSubscription;
 import io.smallrye.mutiny.tuples.Functions;
+import io.vertx.core.AsyncResult;
 import io.vertx.core.Context;
 import io.vertx.core.Handler;
 import io.vertx.core.Vertx;
@@ -212,10 +218,25 @@ public void accept(Throwable throwable) {
                 proceed(throwable);
             } else if (throwable instanceof AuthenticationRedirectException redirectEx) {
                 event.response().setStatusCode(redirectEx.getCode());
-                event.response().headers().set(HttpHeaders.LOCATION, redirectEx.getRedirectUri());
                 event.response().headers().set(HttpHeaders.CACHE_CONTROL, "no-store");
                 event.response().headers().set("Pragma", "no-cache");
-                proceed(throwable);
+
+                if (redirectEx.getCode() == 200) {
+                    // The target URL is embedded in the auto-submitted form post payload
+                    log.debugf("Form post redirect to %s", redirectEx.getRedirectUri());
+                    event.response().putHeader("Content-Type", "text/html; charset=UTF-8");
+                    event.response().write(redirectEx.getRedirectUri()).onComplete(
+                            new Handler<AsyncResult<Void>>() {
+                                @Override
+                                public void handle(AsyncResult<Void> v) {
+                                    proceed(redirectEx);
+                                }
+                            });
+                } else {
+                    log.debugf("Redirect to %s ", redirectEx.getRedirectUri());
+                    event.response().headers().set(HttpHeaders.LOCATION, redirectEx.getRedirectUri());
+                    proceed(throwable);
+                }
             } else {
                 event.put(OTHER_AUTHENTICATION_FAILURE, Boolean.TRUE);
                 event.fail(throwable);