Spring Boot OAuth2 Single Sign Off (Logout)


After a lot of tests I have realized that this can be solved just with a redirect to the AuthServer and doing logout programmatically like this:

  • In the client app (WebSecurityConfigurerAdapter):

    import org.springframework.security.config.annotation.web.builders.HttpSecurity;

    // inside the client app's class that extends WebSecurityConfigurerAdapter
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .logout()
                // after the client's own session is invalidated, the browser is sent
                // to the authorization server's logout endpoint
                .logoutSuccessUrl("http://your-auth-server/exit");
    }
    
  • In the authorization server:

    import java.io.IOException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;

    @Controller
    public class LogoutController {

        @RequestMapping("/exit")
        public void exit(HttpServletRequest request, HttpServletResponse response) throws IOException {
            // token can be revoked here if needed
            // invalidate the auth server's HTTP session and clear its SecurityContext
            new SecurityContextLogoutHandler().logout(request, null, null);
            // sending back to client app: the Referer header is set by the browser,
            // may be absent, and is not validated here, so in production the target
            // should be checked against the registered client URLs
            response.sendRedirect(request.getHeader("referer"));
        }
    }
    

I have posted a sample app on github with a full example of this implementation.

Juan Carlos Mendoza

Developer and amateur musician.

Updated on June 07, 2022
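A hardened variant of the authorization server's /exit endpoint, added here as an example and not code from the answer or its sample app: it performs the same SecurityContextLogoutHandler logout, but only redirects back to a client whose origin is on an allowlist, falling back to the auth server's own login page otherwise, instead of trusting the Referer header unconditionally. The `redirect` parameter, the class name, the listed origins and the fallback URL are assumptions (constructed values), and Set.of assumes Java 9 or later.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class ValidatedLogoutController {
    // Constructed allowlist of client origins (scheme://host[:port]) that may receive the
    // post-logout redirect; in a real deployment this comes from the registered client details.
    private static final Set<String> ALLOWED_CLIENT_ORIGINS = Set.of(
            "https://client-one.example",
            "https://client-two.example:8443");
    private static final String FALLBACK_URL = "https://your-auth-server/login?logout";

    @RequestMapping("/exit")
    public void exit(HttpServletRequest request, HttpServletResponse response,
                     @RequestParam(value = "redirect", required = false) String redirect)
            throws IOException {
        // Same logout as the answer: invalidate the auth server session and clear the context
        new SecurityContextLogoutHandler().logout(request, null, null);
        // Prefer an explicit (assumed) redirect parameter; fall back to the Referer the answer uses
        String candidate = redirect != null ? redirect : request.getHeader("Referer");
        response.sendRedirect(safeReturnUrl(candidate));
    }

    // Returns the candidate only when it is an absolute URL whose origin is registered; a missing
    // value, a relative or protocol-relative URL, an unparsable string, a userinfo trick such as
    // https://client-one.example@evil.example or an unregistered host all fall back to the login page.
    static String safeReturnUrl(String candidate) {
        if (candidate == null || candidate.trim().isEmpty()) return FALLBACK_URL;
        try {
            URI uri = new URI(candidate);
            if (uri.getScheme() == null || uri.getHost() == null) return FALLBACK_URL;
            String origin = uri.getScheme().toLowerCase() + "://" + uri.getHost().toLowerCase()
                    + (uri.getPort() == -1 ? "" : ":" + uri.getPort());
            return ALLOWED_CLIENT_ORIGINS.contains(origin) ? candidate : FALLBACK_URL;
        } catch (URISyntaxException e) {
            return FALLBACK_URL;
        }
    }
}
```

With this in place a client would send the browser to `http://your-auth-server/exit?redirect=https://client-one.example/` from its logoutSuccessUrl; a request carrying an unregistered or protocol-relative target lands on the auth server's login page rather than being redirected off-site.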

Comments

  • Juan Carlos Mendoza (almost 2 years)

    I'm considering using OAuth2 for my application. The architecture I'm trying to implement is as follows:

    • I will have my own (and only this) Authorization Server
    • Some Resource Apps validating access to their resources using the Authorization Server
    • Some client apps (web, mobile) which will redirect the user to the Authorization Server for authentication and on success will consume the APIs on the Resource Apps.

    So far I have managed to implement this interaction between 3 basic apps (1 auth server, 1 resource server and 1 client). The thing I don't get working is the logout functionality. I have read of the "notoriously tricky problem" that Dave Syer describes in his tutorial, but in this case I really need the user to re-login after logging out. I have tried giving a few seconds to the access token and the refresh token, but instead of being prompted to login again when the expiration arrives, I'm getting a NPE on the client app. I have also tried the solutions proposed in this post to remove the token from the token store, but it doesn't work. The single sign off is for me the desirable behaviour for this implementation. How can I achieve this using Spring Boot OAuth2? If it is not possible for some reason, which alternatives could I use to implement centralized security using Spring Boot?

    Thanks in advance.

  • Almir Campos (almost 7 years)
    This simple answer led me to a simple solution.
  • eugene (over 6 years)
    What is this code doing? Logging out from a client app (website) logs out the user from the one authorization server? Does it mean that when a user is logged in to multiple client apps, logging out from one of them would lead to logging out from all of the client apps?
  • Juan Carlos Mendoza (over 6 years)
    @eugene I have tested this solution using 2 client apps and logging out from one doesn't affect the other. What this solution does is that when you click logout and then click login again you have to re-enter your credentials. It is an alternative to solve the "notoriously tricky problem".
  • gstackoverflow (almost 6 years)
    What if I don't want to logout from the resource server? I just want to log my application out from that resource.
  • S.Step (over 4 years)
    @Juan Carlos Mendoza which one should be done first? Logging out from the client or the auth server? Isn't it more secure to log out from the auth server first, by the client sending a logout request to the auth server with the token; the auth server verifies the token and, if valid, logs out and then redirects to the client logout endpoint?