Reputation: 137
So, I have a standalone OAuth2 auth server and a client app (web-based), all using Spring OAuth2.
I have a login form hosted on the Auth server, with redirection etc. from the client app using the Spring setup (via the login form).
All good so far.
I added a logout setup on the client:
```java
.and()
.logout()
    .addLogoutHandler(oauth2LogoutHandler())
    .logoutSuccessUrl("/")
    .clearAuthentication(true)
    .deleteCookies("JSESSIONID")
    .invalidateHttpSession(true)
    .permitAll()
```
That all 'seems' to be fine.
However, if I then hit the 'login' link on my client, when it redirects to the Authorisation app I don't get the login screen; the redirection handshake simply occurs and I'm back in the client app.
So, the question is, what do I need to 'clear' in the Auth server when I log out on the client app? Somehow session info is persisting on the auth app, but I can't find how that session is being picked up when I hit login. Is there a clean way to propagate a 'logout' to the Auth Server?
Many Thanks
Martin
Upvotes: 2
Views: 3127
Reputation: 4701
https://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v#the-logout-experience describes essentially the same situation, which is a notoriously tricky problem.
The Logout Experience
If you click on the “logout” link you will see that the home page changes (the greeting is no longer displayed) so the user is no longer authenticated with the UI server. Click back on “login” though and you actually don’t need to go back through the authentication and approval cycle in the authorization server (because you haven’t logged out of that). Opinions will be divided as to whether that is a desirable user experience, and it’s a notoriously tricky problem (Single Sign Out: Science Direct article and Shibboleth docs). The ideal user experience might not be technically feasible, and you also have to be suspicious sometimes that users really want what they say they want. “I want ‘logout’ to log me out” sounds simple enough, but the obvious response is, “Logged out of what? Do you want to be logged out of all the systems controlled by this SSO server, or just the one that you clicked the ‘logout’ link in?” We don’t have room to discuss this topic more broadly here but it does deserve more attention. If you are interested then there is some discussion of the principles and some (fairly unappetising) ideas about implementations in the Open ID Connect specification.
Here's a PR I submitted on GitHub for a Spring-based OpenID Connect (an extension of OAuth2) project to implement an "End Session Endpoint" on the Authorization Server: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/pull/972. It implements part of the https://openid.net/specs/openid-connect-session-1_0.html#RPLogout spec for RP-initiated (or client-initiated) logout.
I don't think Spring has a built-in mechanism for this. There are other specifications, other than the one I partially implemented, for logout. Whichever you choose, it's probably a good idea to follow a documented spec.
Upvotes: 1
Reputation: 2424
You should enable logout by extending WebSecurityConfigurerAdapter and create a logout page that sends a POST to /logout in the Authorization App.
Logout page: (resources/templates/logout.ftl)
```html
<html>
<head>
    <title>Logout Page</title>
</head>
<body>
    <form role="form" action="logout" method="post">
        Logout
        <input type="hidden" id="csrf_token" name="${_csrf.parameterName}" value="${_csrf.token}"/>
        <input type="hidden" id="redirect" name="redirect" value="${RequestParameters['redirect']!'/login'}"/>
        <button type="submit">Logout</button>
    </form>
</body>
</html>
```
The hidden redirect input will redirect to the client application after logout.
Upvotes: 0
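How the authorization-server side of that POST /logout could be wired up in Spring Security, as an added example (not code from the question or from either answer): the logout clears the auth-server session, and the `redirect` parameter is only honoured when it exactly matches a pre-registered client URL, so the parameter cannot be turned into an open redirect. `AuthServerLogoutConfig`, `ALLOWED_RETURN_URLS` and `https://client.example.test/` are constructed placeholders.

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

// Example config for the Authorization Server (placeholder class name, not from the page).
@Configuration
public class AuthServerLogoutConfig extends WebSecurityConfigurerAdapter {

    // Constructed placeholder: in a real deployment this list would be derived from the
    // registered redirect URIs of the OAuth2 clients rather than hard-coded.
    private static final List<String> ALLOWED_RETURN_URLS =
            Arrays.asList("https://client.example.test/");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
            .and()
            .logout()
                .logoutUrl("/logout")                  // POST-only while CSRF protection is on
                .logoutSuccessHandler(redirectToClient())
                .invalidateHttpSession(true)           // drop the auth-server session that kept SSO alive
                .deleteCookies("JSESSIONID")
                .permitAll();
    }

    // After the auth-server session is gone, send the browser back to the client,
    // but only to a URL that is on the allow list.
    static LogoutSuccessHandler redirectToClient() {
        return (HttpServletRequest req, HttpServletResponse res, Authentication auth) ->
                res.sendRedirect(safeReturnUrl(req.getParameter("redirect")));
    }

    // Exact-match check against the allow list; anything else falls back to the
    // auth server's own login page, which is what the logout.ftl default does too.
    static String safeReturnUrl(String requested) {
        if (requested != null && ALLOWED_RETURN_URLS.contains(requested)) {
            return requested;
        }
        return "/login";
    }
}
```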