Expected Behavior
I have set up a Spring Cloud Gateway that acts as an OAuth2 client for token handling (backend-for-frontend kind of approach).
When Spring Authorization Server is proxied via Spring Cloud Gateway, the logout URL generated by OidcClientInitiatedLogoutSuccessHandler is based on the "internal" hostname and port as configured on the registered client.
This is an example of my gateway config:
```yaml
server:
  port: 80
spring:
  cloud:
    gateway:
      server:
        webflux:
          discovery:
            locator:
              enabled: true
          routes:
            - id: resource-server
              uri: http://localhost:8090
              predicates:
                - Path=/resource/**
              filters:
                - TokenRelay
                - RemoveRequestHeader=Cookie
            - id: auth-server
              uri: http://localhost:8080
              predicates:
                - Path=/auth/**
              filters:
                - PreserveHostHeader
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: http://localhost:8080/auth
          jwk-set-uri: http://localhost:8080/auth/oauth2/jwks
      client:
        registration:
          sample-oidc:
            provider: gateway-client-provider
            client-id: sample-client
            client-secret: sample-client
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope:
              - openid
              - profile
            client-name: sample-oidc
        provider:
          gateway-client-provider:
            issuer-uri: http://localhost:8080/auth
            authorization-uri: http://localhost/auth/oauth2/authorize
            token-uri: http://localhost:8080/auth/oauth2/token
            jwk-set-uri: http://localhost:8080/auth/oauth2/jwks
            user-info-uri: http://localhost:8080/auth/userinfo
            user-name-attribute: sub
```
My security filter chain in the gateway looks like this:
```java
@Bean
public SecurityWebFilterChain browserFilterChain(ServerHttpSecurity http,
        ReactiveClientRegistrationRepository reactiveClientRegistrationRepository) {
    http
        .authorizeExchange(authorize -> authorize
            .pathMatchers("/auth/**").permitAll()
            .anyExchange().authenticated()
        )
        .oauth2Login(Customizer.withDefaults())
        .logout(logout -> logout.logoutSuccessHandler(
            new OidcClientInitiatedServerLogoutSuccessHandler(reactiveClientRegistrationRepository)))
        .cors(ServerHttpSecurity.CorsSpec::disable)
        .csrf(ServerHttpSecurity.CsrfSpec::disable);
    return http.build();
}
```
When I call localhost/logout, Spring Security now redirects to http://localhost:8080/auth/connect/logout?id_token_hint=eyJraWQ.... I would expect it to redirect to http://localhost/auth/connect/logout?id_token_hint=eyJraWQ...
So far, I have not found any workaround apart from creating a rough copy of OidcClientInitiatedServerLogoutSuccessHandler and changing the logic for determining the logout URL.
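One way to obtain the proxy-facing logout URL without copying the handler, as an added example that is not part of this issue: OidcClientInitiatedServerLogoutSuccessHandler reads `end_session_endpoint` from the registration's provider configuration metadata, so rewriting that single value on the auto-configured registrations makes the browser leave through the gateway. It assumes the public endpoint `http://localhost/auth/connect/logout` and that Boot auto-configures an InMemoryReactiveClientRegistrationRepository from the YAML above.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;

@Configuration
public class LogoutEndpointOverrideConfig {

    // Assumed public (gateway-facing) logout endpoint of the proxied authorization server.
    private static final String PUBLIC_END_SESSION_ENDPOINT = "http://localhost/auth/connect/logout";

    // Post-processes the auto-configured repository so every registration carries the public
    // end_session_endpoint; all other metadata obtained from the issuer's discovery document is kept.
    @Bean
    static BeanPostProcessor endSessionEndpointOverride() {
        return new BeanPostProcessor() {
            @Override
            public Object postProcessAfterInitialization(Object bean, String beanName) {
                if (!(bean instanceof InMemoryReactiveClientRegistrationRepository repository)) {
                    return bean;
                }
                List<ClientRegistration> rewritten = new ArrayList<>();
                for (ClientRegistration registration : repository) {
                    rewritten.add(withPublicEndSessionEndpoint(registration));
                }
                return new InMemoryReactiveClientRegistrationRepository(rewritten);
            }
        };
    }

    // Copies the registration and replaces only the end_session_endpoint entry, which is the
    // value OidcClientInitiatedServerLogoutSuccessHandler uses to build the logout redirect.
    static ClientRegistration withPublicEndSessionEndpoint(ClientRegistration registration) {
        Map<String, Object> metadata =
                new HashMap<>(registration.getProviderDetails().getConfigurationMetadata());
        metadata.put("end_session_endpoint", PUBLIC_END_SESSION_ENDPOINT);
        return ClientRegistration.withClientRegistration(registration)
                .providerConfigurationMetadata(metadata)
                .build();
    }
}
```

The ID token's `iss` claim and the issuer-uri validation are untouched by this, so only the RP-initiated logout redirect changes; if the public hostname differs per environment, externalise the constant to a property.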