Spring Boot OAuth2 Single Sign Off (Logout)

java spring spring-boot spring-security spring-security-oauth2

I'm considering to use OAuth2 for my application. The architecture I'm trying to implement is as follows:

  • I will have my own (and only this) Authorization Server
  • Some Resource Apps validating access to their resources using the Authorization Server
  • Some client apps (web, mobile) which will redirect the user to the Authorization Server for authentication and on success will consume the api's on the Resource Apps.

So far I have managed to implement this interaction between 3 basic apps (1 auth server, 1 resource server and 1 client). The thing I don't get working is the logout functionality. I have read of the "notoriously tricky problem" that Dave Syer describes in his tutorial, but in this case I really need the user to re-login after loging out. I have tried giving few seconds to the access token and the refresh token, but instead of being prompted to login again when the expiration arrives, I'm getting a NPE on the client app. I have also tried the solutions proposed in this post to remove the token from the token store, but it doesn't work. The single sign off is for me the desirable behaviour for this implementation. How can I achieve this using Spring Boot Oauth2. If it is not possible for some reason, which alternatives I could use to implement a centralized security using Spring Boot?

Thanks in advance.


Solution 1:

After a lot of tests I have realized that this can be solved just with a redirect to the AuthServer and doing logout programmatically like this:

  • In the client app (WebSecurityConfigurerAdapter): 

    @Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .logout()
            .logoutSuccessUrl("http://your-auth-server/exit");
}

  • In the authorization server:

    @Controller
public class LogoutController {

    @RequestMapping("/exit")
    public void exit(HttpServletRequest request, HttpServletResponse response) {
        // token can be revoked here if needed
        new SecurityContextLogoutHandler().logout(request, null, null);
        try {
            //sending back to client app
            response.sendRedirect(request.getHeader("referer"));
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

I have posted a sample app on github with a full example of this implementation.

Related

A word to express 'currently active' [closed]
"Don't put your life on hold for anybody vs. nobody"
Word meaning academic or rational, when describing the style of an argument
"Maybe one of A or C cheated" — is this correct?
Shakespeare and Maths: Metre and Completeness
Can you send a signal to Windows Explorer to make it refresh the systray icons?
Is there a formal phrase for saying that the location of an event changes between two places?
single word to describe futuristic and modern building
How should 'beseech' be used in a sentence?
Would you tell me the difference between object and objective as a noun?
A more spiritual word for miss
What is the meaning of not in "as often as not" and "as likely as not"?