Spring Oauth2 SSO - Unable to logout from the Auth server

Question

I am using @EnableOauth2Sso following an architecture similar as the one described in Spring's oauth2 tutorial: an auth server, a zuul proxy that enables the sso, a separated UI application etc.

Auth server   ----  Resource Server (Zuul app) ---- Angular UI App

The problem is that when the UI logs out against the resource server it successfully deletes the resource server JSESSIONID, then the user is redirected to a home page. When the user wants to login again, he's redirected to the auth server but instead of asking for the user+password, it considers he's still logged. The auth server JSESSIONID is still there and wasn't affected by the previous Resource Server lougout.

How could I also logout from the auth server?

Answer 1

Since there isn't an out of the box Spring OAuth2 Single Logout we had to work around this creating a /revoke endpoint that calls the Auth Server to logout from it:

UI:

    $http({
        method: 'POST',
        url: API + '/logout'
    }).then(function() {
        $http({
            method: 'GET',
            url: API + '/auth/oauth/session/revoke'
        }).then(function() {
            window.location = '/';
        });
    });

Zuul server:

zuul:
  ...
  routes:
      authServer:
        path: /auth/**
        url: ${authServer.url}/auth/
      ...

Auth Server:

@RestController
public class RevokeController {

    @RequestMapping(value = "/oauth/session/revoke", method = RequestMethod.GET)
    public void revoke(HttpServletRequest request) throws InvalidClientException {
        request.getSession().invalidate();
    }
}

Answer 2

This is correct the behavior, when you logout form Angular app, it will not logout from Auth server.

Example :- Suppose we want to login stackoverflow.com using google or facebook account, we need not to enter password again, ones we are login to Auth service.

If we need to show SSO login again and again , we need to logout Angular UI and OAuth server both.