d-man

Reputation: 58083

Okta IE OIDC SSO logout reset cache issue

I am using Java 8 with Spring Security 5, Spring MVC based Okta IE authentication using Spring's own OAuth libraries.

Maven OAuth2 dependencies:

- spring-security-oauth2-client
- spring-security-oauth2-core
- spring-security-oauth2-jose
- spring-security-web

My web app is configured as an OIDC client in the Okta admin console.

Here is how I get my registration.

scopes: "openId","profile"

import java.util.List;

import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;

public static ClientRegistration getRegistration(String registrationId, String issuerUri, String clientId, String clientSecret, List<String> scopes) {
    // ClientRegistrations (plural) loads the provider metadata from the issuer's OIDC discovery document
    return ClientRegistrations.fromOidcIssuerLocation(issuerUri)
        .registrationId(registrationId)
        .clientId(clientId)
        .clientSecret(clientSecret)
        .scope(scopes)
        .build();
}

I have set up token/USB based authentication for Okta. When I try to log in to my application, it redirects me to the Okta hosted login page, where I am prompted to choose my token cert and enter my password, and I am able to log in to my app. When I hit logout, it redirects me to an Okta page where Okta clears cookies and cache and then redirects back to my app's logout page, which is all good.

Here is the issue:

If I try to log in again, the browser somehow remembers my token cert choice and logs me back in without asking for the token password. I am assuming the browser is caching user input which should have been cleared when the Okta IE redirect occurs, but it seems like it's not.

If I manually delete the last 24 hours of cookies and files, then the next time I try to log in the browser works as I expect, asking for token selection and the password for the token.

I would like Okta IE to prompt for token selection and password every time I try to log in after logout. Any suggestion is appreciated.

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private LogoutSuccessHandler logoutSuccessHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // ... (other request matchers and oauth2Login() configuration omitted)
        http.logout()
            .logoutSuccessHandler(logoutSuccessHandler)
            .invalidateHttpSession(true)
            .clearAuthentication(true)
            .deleteCookies("JSESSIONID");
        // ...
    }
}

// my logout success handler is defined as follows

@Bean
public OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler(ClientRegistrationRepository repository) {
    // RP-initiated logout: redirects the browser to Okta's end_session endpoint, then back to post_logout_redirect_uri
    OidcClientInitiatedLogoutSuccessHandler handler = new OidcClientInitiatedLogoutSuccessHandler(repository);
    handler.setPostLogoutRedirectUri("https://localhost:8080/myapp/logout.html");
    return handler;
}

Upvotes: 0

Views: 39
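One server-side mitigation, added here as an example that is not part of the question or of Spring Security's own code: wrap the default authorization request resolver so that every login redirect to Okta carries prompt=login, which asks the IdP to re-authenticate the user even when an Okta session or cached credential still exists. It assumes Spring Security 5.1+ and the default /oauth2/authorization base URI; whether the browser also re-prompts for the token certificate depends on the browser's own client-certificate selection caching, which the server cannot control.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;

/**
 * Hypothetical resolver (example only) that forces the OIDC provider to
 * re-authenticate on every login by adding prompt=login to the
 * authorization request. Wire it into the existing configure(HttpSecurity):
 *
 *   http.oauth2Login().authorizationEndpoint()
 *       .authorizationRequestResolver(new PromptLoginRequestResolver(repository));
 */
public class PromptLoginRequestResolver implements OAuth2AuthorizationRequestResolver {

    private final OAuth2AuthorizationRequestResolver delegate;

    public PromptLoginRequestResolver(ClientRegistrationRepository repository) {
        // Same base URI the default oauth2Login() filter listens on
        this.delegate = new DefaultOAuth2AuthorizationRequestResolver(repository, "/oauth2/authorization");
    }

    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
        return forceReauth(delegate.resolve(request));
    }

    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
        return forceReauth(delegate.resolve(request, clientRegistrationId));
    }

    private OAuth2AuthorizationRequest forceReauth(OAuth2AuthorizationRequest original) {
        if (original == null) {
            return null; // request was not an authorization request; nothing to customise
        }
        // Copy the delegate's extra parameters and add the OIDC prompt=login hint
        Map<String, Object> extra = new LinkedHashMap<>(original.getAdditionalParameters());
        extra.put("prompt", "login");
        return OAuth2AuthorizationRequest.from(original).additionalParameters(extra).build();
    }
}
```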

Answers (0)
