This is related to #14904, which addresses the issue of using Spring Session together with OIDC Backchannel logout, as Spring Session expects a base64-encoded session cookie value (in DefaultCookieSerializer), while OidcBackChannelLogoutHandler does not base64-encode it when posting the logout request.
The issue was partly fixed in #15540, but only the naming of the cookie, i.e. that you can now configure OidcBackChannelLogoutHandler to use a cookie name of SESSION instead of the default JSESSIONID. But the encoding part is still missing for this to work properly.
I also realize that this can be a question of who has the responsibility of configuring the session cookie: Spring OAuth2 Client or Spring Session. But as it is now, while setting the cookie name to SESSION in OidcBackChannelLogoutHandler I still need to override the default behavior of DefaultCookieSerializer to skip base64-decoding (as suggested in #14904 (comment)), thus leaving it a bit redundant.
As such, this is a request for enhancement to either:
Let OidcBackChannelLogoutHandler be configurable to also base64 encode the session cookie value, or
To reproduce
Prepare an application which uses Spring Session stored in JDBC + OIDC backchannel logout configured
Log in to the application using OIDC integration
Trigger OIDC back channel logout
Expected Behavior
The user's session is successfully invalidated and the backchannel logout thus completes successfully.
Current Behavior
The user's session is not invalidated, and the backchannel logout thus fails.
Context
My workaround right now is to set the cookie name in OidcBackChannelLogoutHandler to SESSION, and only configure the CookieSerializer to not use base64-encoding.
An alternative is to skip setting the session cookie name in OidcBackChannelLogoutHandler altogether, leaving it as the default JSESSIONID, and instead keep the overridden definition of the Spring Session CookieSerializer as described in #14904 (comment).
Using Spring Boot 3.4.2, Spring Session (JDBC) 3.4.1, and Spring Security 6.4.2.
Minimal example of the security config:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.oidc.authentication.logout.OidcBackChannelLogoutHandler;
import org.springframework.security.oauth2.client.oidc.session.OidcSessionRegistry;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http, OidcBackChannelLogoutHandler oidcBackChannelLogoutHandler, ...) throws Exception {
    return http
        ...
        // Route OIDC back-channel logout through the handler bean defined below
        .oidcLogout(oidcLogout -> oidcLogout
            .backChannel(backChannel -> backChannel.logoutHandler(oidcBackChannelLogoutHandler))
        )
        ...
        .build();
}

@Bean
public CookieSerializer cookieSerializer() {
    // Workaround: stop Spring Session from base64-decoding the cookie value,
    // since OidcBackChannelLogoutHandler posts the raw session id
    var serializer = new DefaultCookieSerializer();
    serializer.setUseBase64Encoding(false);
    return serializer;
}

@Bean
public OidcBackChannelLogoutHandler oidcBackChannelLogoutHandler(OidcSessionRegistry oidcSessionRegistry) {
    OidcBackChannelLogoutHandler logoutHandler = new OidcBackChannelLogoutHandler(oidcSessionRegistry);
    logoutHandler.setLogoutUri("http://localhost:8080/logout");
    // Use the Spring Session cookie name instead of the default JSESSIONID
    logoutHandler.setSessionCookieName("SESSION");
    return logoutHandler;
}
```
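To see the encoding mismatch this report describes in isolation, the following added example (not code from the issue or from the Spring projects) feeds DefaultCookieSerializer a raw UUID session id and its base64-encoded form and shows what Spring Session reads back in each configuration. It assumes spring-session-core and spring-test on the classpath and the cookie name SESSION; the session id is a constructed value.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.UUID;

import jakarta.servlet.http.Cookie;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.session.web.http.DefaultCookieSerializer;

public class SessionCookieEncodingDemo {

    // What Spring Session extracts from a request carrying the given SESSION cookie value,
    // with base64 decoding switched on (the default) or off (the report's workaround).
    static List<String> readSessionIds(String cookieValue, boolean base64) {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");
        serializer.setUseBase64Encoding(base64);
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setCookies(new Cookie("SESSION", cookieValue));
        return serializer.readCookieValues(request);
    }

    public static void main(String[] args) {
        // Constructed session id in the UUID form Spring Session generates; its hyphens
        // are not valid base64, which is why the default serializer cannot decode it.
        String rawSessionId = UUID.randomUUID().toString();
        String encodedSessionId = Base64.getEncoder()
                .encodeToString(rawSessionId.getBytes(StandardCharsets.UTF_8));

        // Default serializer: the raw id (what the back-channel logout request carries)
        // is skipped as undecodable, only the base64 form resolves to the session id.
        System.out.println("default serializer, raw id     -> " + readSessionIds(rawSessionId, true));
        System.out.println("default serializer, base64 id  -> " + readSessionIds(encodedSessionId, true));

        // Workaround from the report: with base64 disabled the raw id is accepted as-is.
        System.out.println("base64 disabled,    raw id     -> " + readSessionIds(rawSessionId, false));
    }
}
```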