ilgrosso pushed a commit to branch 4_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git
The following commit(s) were added to refs/heads/4_0_X by this push:
new c85a6bf591 Fixing OIDC logout for Console and Enduser
c85a6bf591 is described below
commit c85a6bf591228edb71c4da366eb8716a95c2ce21
Author: Francesco Chicchiriccò <[email protected]>
AuthorDate: Wed Feb 18 08:03:21 2026 +0100
Fixing OIDC logout for Console and Enduser
---
.../apache/syncope/core/logic/oidc/OIDCClientCache.java | 14 ++++++++------
wa/starter/src/main/resources/wa.properties | 2 ++
2 files changed, 10 insertions(+), 6 deletions(-)
diff --git
a/ext/oidcc4ui/logic/src/main/java/org/apache/syncope/core/logic/oidc/OIDCClientCache.java
b/ext/oidcc4ui/logic/src/main/java/org/apache/syncope/core/logic/oidc/OIDCClientCache.java
index 6064a67467..f4d67344c6 100644
---
a/ext/oidcc4ui/logic/src/main/java/org/apache/syncope/core/logic/oidc/OIDCClientCache.java
+++
b/ext/oidcc4ui/logic/src/main/java/org/apache/syncope/core/logic/oidc/OIDCClientCache.java
@@ -112,7 +112,12 @@ public class OIDCClientCache {
Optional.ofNullable(op.getEndSessionEndpoint()).map(URI::create).orElse(null));
if (op.getHasDiscovery()) {
try {
-
metadata.setIDTokenJWSAlgs(fetchMetadata(op.getIssuer()).getIDTokenJWSAlgs());
+ OIDCProviderMetadata fetched = fetchMetadata(op.getIssuer());
+
+ metadata.setIDTokenJWSAlgs(fetched.getIDTokenJWSAlgs());
+
+
metadata.setSupportsBackChannelLogout(fetched.supportsBackChannelLogout());
+
metadata.setSupportsBackChannelLogoutSession(fetched.supportsBackChannelLogoutSession());
} catch (Exception e) {
LOG.error("While fetching OIDC metadata for issuer {}",
op.getIssuer(), e);
metadata.setIDTokenJWSAlgs(List.of(JWSAlgorithm.HS256));
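Review bot: The catch branch after the added lines still resets only the ID token algorithms, so when `fetchMetadata` throws, the two back-channel logout flags keep whatever `metadata` started with and the log line gives no hint that logout support was not discovered. I would make the degraded state explicit in the catch with `metadata.setSupportsBackChannelLogout(false);` and `metadata.setSupportsBackChannelLogoutSession(false);`, and say so in the `LOG.error` message. The HS256 fallback list is presumably also what the validator built from `metadata` accepts for logout tokens, so a discovery outage changes what is accepted at logout as well as at login; a comment stating that this is intended would help. The enclosing method starts before this hunk and the catch block ends after it.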
@@ -134,11 +139,8 @@ public class OIDCClientCache {
}
@Override
- public TokenValidator getTokenValidator() {
- if (tokenValidator == null) {
- tokenValidator = new TokenValidator(configuration,
metadata);
- }
- return tokenValidator;
+ protected TokenValidator createTokenValidator() {
+ return new TokenValidator(configuration, metadata);
}
});
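Review bot: The new `createTokenValidator()` override has no comment saying why it exists or when it is called, and it changes who is responsible for construction: the removed `getTokenValidator()` built the validator lazily on first use, while this version depends on the parent class invoking the factory method. The parent's initialisation path is not visible in this hunk, so it is worth confirming that it runs for this anonymous subclass and that `getTokenValidator()` cannot return null before then, since token checks (presumably including logout tokens) go through that validator. A short comment such as `// build the validator from the locally assembled metadata, including the discovered logout flags` would record the intent. The anonymous class starts outside the hunk.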
diff --git a/wa/starter/src/main/resources/wa.properties
b/wa/starter/src/main/resources/wa.properties
index b7164687f3..6769260ae9 100644
--- a/wa/starter/src/main/resources/wa.properties
+++ b/wa/starter/src/main/resources/wa.properties
@@ -83,6 +83,8 @@ cas.authn.oidc.core.issuer=${cas.server.prefix}/oidc
cas.authn.oidc.discovery.id-token-signing-alg-values-supported=RS256,RS384,RS512,PS256,PS384,PS512,ES256,ES384,ES512,HS256,HS384,HS512
cas.authn.oidc.discovery.user-info-signing-alg-values-supported=RS256,RS384,RS512,PS256,PS384,PS512,ES256,ES384,ES512,HS256,HS384,HS512
cas.authn.oidc.discovery.scopes=openid,profile,email,address,phone,syncope
+cas.authn.oidc.logout.backchannel-logout-supported=true
+cas.authn.oidc.logout.frontchannel-logout-supported=true
cas.authn.oauth.core.user-profile-view-type=FLAT
# Disable access to the login endpoint
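Review bot: The two added logout properties carry no comment, although the file uses `#` comments for other settings (the line right after them), and nothing says which component relies on them. In this commit `OIDCClientCache` copies only the back-channel flags from the discovery document, so the consumer of `frontchannel-logout-supported` is not visible; if it is enabled only for completeness, say so. I would add a line such as `# Advertise OIDC logout support in discovery; Console and Enduser read the back-channel flags`. It is also worth checking that the logout URLs registered for client applications are limited to expected hosts, since enabling these presumably makes WA contact or render them at logout.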