Daga

Reputation: 1

Spring Boot/Security is not redirecting to Okta logout URL - OpenID Connect Logout Options with Spring Boot

Description: I tried the logout sample application as given in the blog: https://developer.okta.com/blog/2020/03/27/spring-oidc-logout-options, and it is working as expected.

But with the same configuration, we are unable to log out from Okta in our main/organization's application.

Expected Flow:

  1. On logout button click, UI calls ‘…/testbootapp/logout’ → Spring Security by default handles logout Spring Boot logout
  2. ‘OidcClientInitiatedLogoutSuccessHandler’ is configured in the Spring Boot application, this should redirect to enter link description here

--- Here, in our application Spring Security is not redirecting to Okta logout URL

Implementation Details:


After enabling Spring Security logs in our application, we saw that ‘o.s.s.web.DefaultRedirectStrategy’ does not generate the Okta logout URL and instead redirects to the root URL.

Extracted logs from our application:

Jul 21 2022 12:47:16 PM IST DEBUG o.s.s.w.a.l.SecurityContextLogoutHandler -Invalidated session 280BDF27CFF81149D6C829EF2ADAC9DF
Jul 21 2022 12:47:16 PM IST DEBUG o.s.s.web.DefaultRedirectStrategy -Redirecting to /testbootapp/

Extracted logs from the sample application given in the blog:

2022-07-21 11:25:20.230 DEBUG 7382 --- [nio-8080-exec-5] o.s.s.w.a.l.SecurityContextLogoutHandler : Invalidating session: C54C40030C14B14F9F03250B769D2E99
2022-07-21 11:25:20.231 DEBUG 7382 --- [nio-8080-exec-5] o.s.s.web.DefaultRedirectStrategy : Redirecting to 'https://dev-.oktapreview.com/oauth2/default/v1/logout?id_token_hint=&post_logout_redirect_uri=https://twitter.com/'

Upvotes: 0

Views: 1030

Answers (1)

Kabali Dilli

Reputation: 21

Add the below attribute in the ClientRegistration:

.providerConfigurationMetadata(Map.of("end_session_endpoint","{idc url}/oauth2/v1/logout"))

That would hit the server and do the complete logout.

Upvotes: 0
