Add oidcBackChannelLogout

This commit introduces the new top-level DSL method
`oidcBackChannelLogout(Customizer<OidcLogoutConfigurer<HttpSecurity>>)` to simplify
OIDC Back-Channel Logout configuration. The new method creates an OidcLogoutConfigurer
internally and applies default back-channel configuration. Additionally, the deprecated
`backChannel(Customizer)` method in OidcLogoutConfigurer has been updated to include
the @SInCE tag of 6.5, along with updated documentation recommending the use of the new DSL.

Closes spring-projectsgh-15817

Sorry for the delay – I was tied up with company work.

Author: alswp006

Diff for: config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -16,8 +16,18 @@
 
 package org.springframework.security.config.annotation.web.builders;
 
-import jakarta.servlet.*;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
+
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.context.ApplicationContext;
@@ -38,8 +48,29 @@
 import org.springframework.security.config.annotation.web.RequestMatcherFactory;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
-import org.springframework.security.config.annotation.web.configurers.*;
+import org.springframework.security.config.annotation.web.configurers.AnonymousConfigurer;
+import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
 import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry;
+import org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer;
+import org.springframework.security.config.annotation.web.configurers.CorsConfigurer;
+import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
+import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
+import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HttpBasicConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HttpsRedirectConfigurer;
+import org.springframework.security.config.annotation.web.configurers.JeeConfigurer;
+import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
+import org.springframework.security.config.annotation.web.configurers.PasswordManagementConfigurer;
+import org.springframework.security.config.annotation.web.configurers.PortMapperConfigurer;
+import org.springframework.security.config.annotation.web.configurers.RememberMeConfigurer;
+import org.springframework.security.config.annotation.web.configurers.RequestCacheConfigurer;
+import org.springframework.security.config.annotation.web.configurers.SecurityContextConfigurer;
+import org.springframework.security.config.annotation.web.configurers.ServletApiConfigurer;
+import org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer;
+import org.springframework.security.config.annotation.web.configurers.WebAuthnConfigurer;
+import org.springframework.security.config.annotation.web.configurers.X509Configurer;
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2ClientConfigurer;
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer;
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OidcLogoutConfigurer;
@@ -72,10 +103,6 @@
 import org.springframework.web.filter.CorsFilter;
 import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
 
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
 
 /**
  * A {@link HttpSecurity} is similar to Spring Security's XML <http> element in the
@@ -2844,6 +2871,24 @@ public HttpSecurity oidcLogout(Customizer<OidcLogoutConfigurer<HttpSecurity>> oi
 		return HttpSecurity.this;
 	}
 
+	/**
+	 * Configures OpenID Connect (OIDC) Back-Channel Logout support.
+	 *
+	 * <p>This method enables the configuration of OIDC Back-Channel Logout by applying
+	 * the provided {@link Customizer} to an instance of {@link OidcLogoutConfigurer}. It
+	 * initializes the back-channel logout support with default settings, making it easier
+	 * to integrate with other logout configurations.
+	 *
+	 * <p>For example, to enable OIDC Back-Channel Logout with default settings:
+	 * <pre>
+	 *     http.oidcBackChannelLogout(Customizer.withDefaults());
+	 * </pre>
+	 *
+	 * @param oidcBackChannelLogoutCustomizer the customizer to configure OIDC Back-Channel Logout options
+	 * @return the {@code HttpSecurity} instance for further customizations
+	 * @throws Exception if an error occurs during configuration
+	 * @since 6.5
+	 */
 	public HttpSecurity oidcBackChannelLogout(Customizer<OidcLogoutConfigurer<HttpSecurity>> oidcBackChannelLogoutCustomizer)
 			throws Exception {
 		oidcBackChannelLogoutCustomizer.customize(

Diff for: config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java

@@ -104,7 +104,7 @@ public OidcLogoutConfigurer<B> oidcSessionRegistry(OidcSessionRegistry oidcSessi
 	 * @deprecated For removal in a future release. Use
 	 * {@link HttpSecurity#oidcBackChannelLogout(Customizer)} instead.
 	 */
-	@Deprecated(since = "6.2", forRemoval = true)
+	@Deprecated(since = "6.5", forRemoval = true)
 	public OidcLogoutConfigurer<B> backChannel(Customizer<BackChannelLogoutConfigurer> backChannelLogoutConfigurer) {
 		if (this.backChannel == null) {
 			this.backChannel = new BackChannelLogoutConfigurer();
@@ -159,6 +159,35 @@ private LogoutHandler logoutHandler(B http) {
 			return logoutHandler;
 		}
 
+		/**
+		 * Use this endpoint when invoking a back-channel logout.
+		 *
+		 * <p>
+		 * The resulting {@link LogoutHandler} will {@code POST} the session cookie and
+		 * CSRF token to this endpoint to invalidate the corresponding end-user session.
+		 *
+		 * <p>
+		 * Supports URI templates like {@code {baseUrl}}, {@code {baseScheme}}, and
+		 * {@code {basePort}}.
+		 *
+		 * <p>
+		 * By default, the URI is set to
+		 * {@code {baseScheme}://localhost{basePort}/logout}, meaning that the scheme and
+		 * port of the original back-channel request is preserved, while the host and
+		 * endpoint are changed.
+		 *
+		 * <p>
+		 * If you are using Spring Security for the logout endpoint, the path part of this
+		 * URI should match the value configured there.
+		 *
+		 * <p>
+		 * Otherwise, this is handy in the event that your server configuration means that
+		 * the scheme, server name, or port in the {@code Host} header are different from
+		 * how you would address the same server internally.
+		 * @param logoutUri the URI to request logout on the back-channel
+		 * @return the {@link BackChannelLogoutConfigurer} for further customizations
+		 * @since 6.2.4
+		 */
 		public BackChannelLogoutConfigurer logoutUri(String logoutUri) {
 			this.logoutHandler = (http) -> {
 				OidcBackChannelLogoutHandler logoutHandler = new OidcBackChannelLogoutHandler(

Diff for: config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurerTests.java

@@ -16,6 +16,16 @@
 
 package org.springframework.security.config.annotation.web.configurers.oauth2.client;
 
+import java.io.IOException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.interfaces.RSAPublicKey;
+import java.time.Instant;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.function.Consumer;
+
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
@@ -34,6 +44,7 @@
 import org.htmlunit.util.UrlUtils;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@@ -64,7 +75,11 @@
 import org.springframework.security.oauth2.core.oidc.TestOidcIdTokens;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
-import org.springframework.security.oauth2.jwt.*;
+import org.springframework.security.oauth2.jwt.JwsHeader;
+import org.springframework.security.oauth2.jwt.JwtClaimsSet;
+import org.springframework.security.oauth2.jwt.JwtEncoder;
+import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
+import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
@@ -77,22 +92,14 @@
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
-import java.io.IOException;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.interfaces.RSAPublicKey;
-import java.time.Instant;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.function.Consumer;
-
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 import static org.hamcrest.Matchers.containsString;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.willThrow;
-import static org.mockito.Mockito.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.verify;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;