How can I perform a backchannel logout with BFF, with a single browser call?

[sisco70]

Hi,

I'm following the BFF tutorial (https://www.baeldung.com/spring-cloud-gateway-bff-oauth2) and I want to use BFF as an OAuth2 client.
I've configured a reverse proxy with NGINX and I'm using Keyclok for authentication.
I'm using spring-addons-starter-oidc and an application.yaml file that is based on the tutorial.

I would like to implement a web page logout with a single call, without having to perform a POST to /logout and then a redirect to the URL retrieved from the 'location' header.
Is it possible? Should I customize SecurityWebFilterChain?

I probably don't understand the backchannel-logout mechanism very well.
Could you get a general logout by directly invoking end_session_endpoint?
I tried, but I can't invalidate the session on the BFF (on Keycloak I use as Backchannel logout URL: https://local.biv/logout/connect/back-channel/bivdt-client).

Thank you

[sisco70]

I have an error like this:

Possibly related to this?
spring-projects/spring-security#14553

[ch4mpy]

User logout from an OAuth2 system

Users have sessions on the authorization server and on each OAuth2 client with which they use authorization code flow. So, that's a minimum of two sessions to close (the one on the BFF and the one on Keycloak in your case).

RP-Initiated Logout

This is the mechanism used in the tutorial. As exposed in the spec:

An RP requests that the OP log out the End-User by redirecting the End-User's User Agent to the OP's Logout Endpoint.

In the case of the tutorial, the relying party (RP) is the BFF and the OpenID provider (OP) is Keycloak.

Purpose of the Back-Channel Logout

This is designed to provide single sign-out in "Single Sign-On" environment: in the case where a user has authorized sessions on several OAuth2 clients, when he logs out from one of these clients, the authorization server can notify other clients through Back-Channel Logout.

A notable difference with RP-Initiated Logout is that it is direct communication from the OP to RPs (user agent is not used). This of course requires that RPs are server applications (which is the case of a BFF).

A sample would be if we decided to use a different BFF instance for each of the three apps in the tutorial. A flow could look something like that:

1. user clicks "login" in Angular app
2. the Angular BFF redirects the user to Keycloak to get tokens using authorization code flow
3. Keycloak displays login forms and returns an authorization code to the Angular BFF
4. the Angular BFF exchanges the code for tokens and redirects the user to the Angular app
5. user clicks "login" in React app
6. the React BFF redirects the user to Keycloak to get tokens using authorization code flow
7. as user is already logged in on Keycloak, Keycloak returns authorization code to the React BFF, without displaying login forms
8. React BFF exchanges the code for tokens. At this point, the user has 3 active sessions: on Keycloak, and on the two BFFs.
9. User clicks "logout" in the Angular app
10. the Angular BFF terminates its session and returns a URL on Keycloak's end_session_endpoint (regular RP-Initiated Logout)
11. the frontend follows to Keycloak which terminates its session for the user
12. Keycloak sends a Back-Channel Logout request to the React BFF to notify it that the user logged out
13. the react BFF terminates its session for the user.

Logging the user out with a single user agent request

An option is using Keycloak's "logout" form and Back-Channel Logout to notify the BFF.

Another option would be using Keycloak's admin API in a custom ServerLogoutSuccessHandler: the logout would be initiated on the BFF, which would call Keycloak directly (not via the user agent) after successfully terminating a user session. If you register a ServerLogoutSuccessHandler bean in your BFF configuration, spring-addons default one (SpringAddonsServerLogoutSuccessHandler) will back-off and your bean will be used instead.

The inconvenient of both of these methods compared to RP-Initiated Logout is that it is not part of the OpenID standard: if you change to something else than Keycloak, maybe you can't keep the same flow, even if the new authorization server complies with OIDC.

My advice

Just stick to RP-Initiated Logout as defined in OpenID standard and implemented in the tutorial and have the user agent follow the redirections.

[sisco70]

Thank you very much,
Now I understand how it works better!

Continuing to read the answers to: spring-projects/spring-security#14679

I realized that I could solve it using the internal host and port, without going through the reverse-proxy:

And indeed, it seems to work, using, for example:
https://lan.biv/auth/realms/bivdt-realm/protocol/openid-connect/logout?post_logout_redirect_uri=[ENCODED URL]&client_id=bivdt-client

I'm a little undecided about which solution to adopt....

[ch4mpy]

It could work because you are not in a "production" configuration (and with a Back-CHannel Logout URL containing localhost, because your Keycloak probably isn't running in a Docker container).

As wrote in my answer, I think you should stick with the solution in the article and use RP-Initiated Logout.

What exactly is your problem with the two requests flow?

[ch4mpy]

I just noticed that the Spring Back-Channel Logout implementation has evolved a lot lately and that it is now possible to use it in most cases.

I just added a spring-addons configuration property to change the default internal URI used during Back-Channel Logout. So in case the new (improved) default doesn't meet your needs, you can still force the value without writing Java conf. This is released as 7.8.2.

[sisco70]

Thank you again. You are doing a great job.

I am testing the new version 7.8.2.
I tried restoring the keycloak configuration, using the reverse-proxy in the Keycloak's Backchannel logout URL:
https://local.biv/logout/connect/back-channel/bivdt-client

Which via to NGINX points to:
http://localhost:7081/logout/connect/back-channel/bivdt-client

But now I get this error:

2024-06-11T15:10:29.988+02:00 DEBUG 22731 --- [or-http-epoll-4] c.w.s.OidcBackChannelServerLogoutHandler : Failed to invalidate session

org.springframework.web.reactive.function.client.WebClientResponseException$NotFound: 404 Not Found from POST http://localhost:7081
	at org.springframework.web.reactive.function.client.WebClientResponseException.create(WebClientResponseException.java:310) ~[spring-webflux-6.1.8.jar:6.1.8]
	Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException: 
Error has been observed at the following site(s):
	*__checkpoint ⇢ 404 NOT_FOUND from POST http://localhost:7081 [DefaultWebClient]

Am I missing something? bff-uri it's http://localhost:7081

com:
  c4-soft:
    springaddons:
      oidc:
        ops:
          - iss: ${issuer}
            username-claim: ${username-claim-json-path}
            authorities:
              - path: ${authorities-json-path}
        client:
          client-uri: ${reverse-proxy-uri}
          security-matchers:
            - /**
          permit-all:
            - /login/**
            - /oauth2/**
          csrf: disable
          back-channel-logout:
            enabled: true
            internal-logout-uri: ${bff-uri}
          oauth2-redirections:
            rp-initiated-logout: ACCEPTED
          post-login-redirect-host: ${reverse-proxy-uri}

[ch4mpy]

You never answered to my question: what exactly is your issue with the RP-Initiated Logout?

Do not use images for code or traces.

What you want to configure as internal URI for Back-Channel Logout is probably ${bff-uri}/logout (mind the /logout path).

[sisco70]

Sorry for the images..

Yes, /logout is needed:

 `back-channel-logout:
        enabled: true
        internal-logout-uri: ${bff-uri}/logout`     

Now it works perfectly.

Regarding the original question:
I am trying to integrate a legacy Spring application using JSP and JQuery into a new infrastructure with BFF and Keycloak.

This web application, in case of tab or browser closure makes a call to the backend, to logout, intercepting $(window).on(“beforeunload” ..

I would have liked to replicate the old behavior with a single call, because I am afraid (but I would have to verify it) that with two calls it may happen to close the session on BFF, but leave it active on Keycloak..

[ch4mpy]

You don't need a BFF.

A Spring application rendering JSPs runs on the backend already and can be configured as a confidential OAuth2 client.

As stated at the beginning of the Baeldung article, an OAuth2 BFF is useful for single-page (Angular, React, Vue, etc.) and mobile applications.

[sisco70]

It is not one application, but about 20 web applications (WAR) deployed in a Wildfly application server, developed with Spring Framework (not Spring Boot).
Authentication did not rely on the application server, but was based on IBM ISAM (WebSeal).
Now, for non-technical reasons, we need to find an open-source replacement, trying to modify the legacy web applications as little as possible.

Do you think there are more suitable solutions? I am still in the study and testing phase.

[ch4mpy]

I tried to activate Back-Channel Logout to the Docker stack of the Baeldung article but hit a major limitation: Back-Channel Logout fails with cookie-based CSRF protection.

As a side note, it is very unsafe to disable CSRF protection in a security filter-chain with oauth2Login (as you did in your conf). Requests authorization in such filter-chains is based on sessions, which are the vector for CSRF attacks.

Fortunately, as your applications are rendered on the server, you can use session store for CSRF tokens.

[sisco70]

Back-Channel Logout fails with cookie-based CSRF protection
I have a doubt, maybe I am wrong....
Could it depend on keycloak? Have you tried the new version 25.0.0?

[sisco70]

You are absolutely right !
I temporarily disabled csrf, just for my testing.