Reputation: 299
I found a tutorial about SSO, https://github.com/dsyer/spring-security-angular/tree/master/oauth2, with this configuration:
oauth2-authserver

```java
@Configuration
@Order(-10)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // This filter chain only handles the login page and the OAuth2
        // authorization endpoints; every request it handles needs a login.
        // @formatter:off
        http
            .formLogin().loginPage("/login").permitAll()
        .and()
            .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
        .and()
            .authorizeRequests().anyRequest().authenticated()
        .and().sessionManagement();
        // @formatter:on
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Delegate authentication to the application's global AuthenticationManager.
        auth.parentAuthenticationManager(authenticationManager);
    }
}
```
oauth2-ui

```java
@Override
public void configure(HttpSecurity http) throws Exception {
    // csrfTokenRepository() and csrfHeaderFilter() are helper methods
    // defined elsewhere in the same class.
    http.logout().and().antMatcher("/**").authorizeRequests()
            .antMatchers("/index.html", "/home.html", "/", "/login").permitAll()
            .anyRequest().authenticated().and().csrf()
            .csrfTokenRepository(csrfTokenRepository()).and()
            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
}
```
I need my authserver to do login verification only one time, so that when the user is already authenticated and redirected to the oauth2-ui application, the authentication login in the server expires. So when the user in oauth2-ui logs out and tries to log in again, the user must input the username and password again, because the authentication in the server has expired.
Sorry for my bad English, thanks in advance!
Upvotes: 4
Views: 10100
Reputation: 36
If you read the blog https://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v, which actually explains the way of implementing the same type of security as you are doing (actually you are just implementing the JWT version of almost the same thing; if you want the actual code of the blog, then use the oauth2-vanilla version of the same repo)... towards the end, it is clearly stated that "and it’s a notoriously tricky problem" (as written in the blog). There is actually a new release in the same series of blogs which solves your problem: https://github.com/dsyer/spring-security-angular/tree/master/double. In this you can see how logout can be implemented with the help of spring-session and a Redis server which actually stores your session. All the best! In case of any clarification, please feel free to contact me.
Upvotes: 2
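One way to apply the answer's idea to the question's authserver, as an added example (not code from the tutorial, the blog, or either poster): the authserver session lives in Redis with a short lifetime, and the authserver gets its own logout endpoint that destroys that session, so the next `/oauth/authorize` redirect lands on the login form again. The class names and the 300-second lifetime are assumptions, as is a Spring Session 1.x Redis setup on the classpath.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;

// Assumption: spring-session-data-redis and a Redis connection factory are available.
// The authserver session is stored in Redis and expires after 300 idle seconds
// (constructed value; pick one that matches how long SSO should stay silent).
@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 300)
class AuthServerSessionConfig {
}

// Hypothetical variant of the question's LoginConfig with an explicit logout.
@Configuration
@Order(-10)
class AuthServerLoginConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin().loginPage("/login").permitAll()
        .and()
            // "/logout" must be matched here, otherwise this filter chain
            // never sees the logout request and the session stays alive.
            .requestMatchers().antMatchers("/login", "/logout", "/oauth/authorize", "/oauth/confirm_access")
        .and()
            .authorizeRequests().anyRequest().authenticated()
        .and()
            // With CSRF protection enabled (the default), logout is accepted
            // only as a POST that carries a valid CSRF token.
            .logout().logoutUrl("/logout").invalidateHttpSession(true);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.parentAuthenticationManager(authenticationManager);
    }
}
```

Logging out of oauth2-ui alone does not touch this session; the browser still has to call the authserver's `/logout` for the stored session to be removed before the idle timeout.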