Deprecate custom Back-Channel Logout filter (#160)

* Deprecate custom Back-Channel Logout filter * Use Spring Back-Channel Logout in Hilla * Deprecate LogoutTokenClaimNames
vaadin · Dec 2, 2024 · 13ff57c · 13ff57c
1 parent be15f24
commit 13ff57c
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 0 deletions.
diff --git a/sso-kit-core/src/main/java/com/vaadin/sso/core/AbstractSingleSignOnProperties.java b/sso-kit-core/src/main/java/com/vaadin/sso/core/AbstractSingleSignOnProperties.java
@@ -37,7 +37,10 @@ public abstract class AbstractSingleSignOnProperties {
      * client registration-id: {@code registrationId}.
      *
      * @see https://openid.net/specs/openid-connect-backchannel-1_0.html
+     * @deprecated Use built-in Spring Security support for OpenID Connect
+     *             Back-Channel Logout
      */
+    @Deprecated(since = "3.1", forRemoval = true)
     public static final String DEFAULT_BACKCHANNEL_LOGOUT_ROUTE = "/logout/back-channel/{"
             + BackChannelLogoutFilter.REGISTRATION_ID_URI_VARIABLE_NAME + "}";
 

diff --git a/sso-kit-core/src/main/java/com/vaadin/sso/core/BackChannelLogoutFilter.java b/sso-kit-core/src/main/java/com/vaadin/sso/core/BackChannelLogoutFilter.java
@@ -39,7 +39,10 @@
  * @author Vaadin Ltd
  * @since 1.0
  * @see https://openid.net/specs/openid-connect-backchannel-1_0.html
+ * @deprecated Use built-in Spring Security support for OpenID Connect
+ *             Back-Channel Logout
  */
+@Deprecated(since = "3.1", forRemoval = true)
 public class BackChannelLogoutFilter extends GenericFilterBean {
 
     /* Value defined by the specification */

diff --git a/sso-kit-core/src/main/java/com/vaadin/sso/core/LogoutTokenClaimNames.java b/sso-kit-core/src/main/java/com/vaadin/sso/core/LogoutTokenClaimNames.java
@@ -17,7 +17,10 @@
  * @author Vaadin Ltd
  * @since 1.0
  * @see https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken
+ * @deprecated Use built-in Spring Security support for OpenID Connect
+ *             Back-Channel Logout
  */
+@Deprecated(since = "3.1", forRemoval = true)
 public interface LogoutTokenClaimNames {
 
     /**

diff --git a/sso-kit-core/src/main/java/com/vaadin/sso/core/OidcLogoutTokenValidator.java b/sso-kit-core/src/main/java/com/vaadin/sso/core/OidcLogoutTokenValidator.java
@@ -35,7 +35,10 @@
  * @author Vaadin Ltd
  * @since 1.0
  * @see https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation
+ * @deprecated Use built-in Spring Security support for OpenID Connect
+ *             Back-Channel Logout
  */
+@Deprecated(since = "3.1", forRemoval = true)
 public final class OidcLogoutTokenValidator
         implements OAuth2TokenValidator<Jwt> {
 

diff --git a/...t-starter-hilla/src/main/java/com/vaadin/hilla/sso/starter/SingleSignOnConfiguration.java b/...t-starter-hilla/src/main/java/com/vaadin/hilla/sso/starter/SingleSignOnConfiguration.java
@@ -18,6 +18,7 @@
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Conditional;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.session.SessionRegistry;
@@ -162,6 +163,8 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
             // Disable CSRF for Back-Channel logout requests
             final var matcher = backChannelLogoutFilter.getRequestMatcher();
             http.csrf().ignoringRequestMatchers(matcher);
+        } else {
+            http.oidcLogout().backChannel(Customizer.withDefaults());
         }
 
         return http.build();

diff --git a/sso-kit-starter/src/main/java/com/vaadin/sso/starter/SingleSignOnConfiguration.java b/sso-kit-starter/src/main/java/com/vaadin/sso/starter/SingleSignOnConfiguration.java
@@ -16,6 +16,7 @@
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.annotation.Conditional;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.session.SessionRegistry;
@@ -158,6 +159,8 @@ protected void configure(HttpSecurity http) throws Exception {
             // Disable CSRF for Back-Channel logout requests
             final var matcher = backChannelLogoutFilter.getRequestMatcher();
             http.csrf().ignoringRequestMatchers(matcher);
+        } else {
+            http.oidcLogout().backChannel(Customizer.withDefaults());
         }
     }
 }