DEVHIDE
Login Or Sign up

Spring Security 5 OAuth 2 Social Logout

1.2k Views Asked by At

I have added to my Spring Boot MVC Web Application Social login feature. It allows users to login to my application with GitHub, Facebook, or Google account. But I am struggling to get the /logout feature work. Even though the /logout is called and the logoutSuccessUrl is loaded, if user clicks on the login link again, the user is not being asked to provide their username or password again. It looks like the user is still authenticated.

How do you guys implement /logout using the new Spring Security 5 OAuth 2 client support?

I have used the new OAuth 2 Client support.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>

spring.security.oauth2.client.registration.facebook.client-id =  
spring.security.oauth2.client.registration.facebook.client-secret =

And here is how my HTTPSecurity configuration looks like:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/").permitAll()
        .anyRequest().authenticated()
        .and()
        .oauth2Login()
        .and()
        .logout().logoutSuccessUrl("/");
}

I have tried this way as well:

@Override protected void configure(HttpSecurity http) throws Exception { http

        .authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers(HttpMethod.POST,"/logout").permitAll()
        .anyRequest().authenticated()
        .and()
        .oauth2Login()
        .and()
        .logout()
        .invalidateHttpSession(true)
        .clearAuthentication(true)
        .deleteCookies("JSESSIONID")
        .logoutSuccessUrl("/").permitAll()
        .and()
            .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

}

How do you guys log out users who are authenticated using one of the Social OAuth 2 Login Providers using the new Spring Security OAuth 2 client support?

spring-security oauth-2.0 oauth spring-security-oauth2 spring-oauth2
Original Q&A
1

There are 1 best solutions below

3
On

I am currently logged into google on my chrome browser and can view my gmail etc, so I have an active session with google. If I was to access your spring app, and use google sign-in, your spring app will redirect me to googles auth server which detects that I am already logged into google so it knows who I am, hence it just needs to ask me to consent the scopes your application is requesting and if I agree to issue your application the access token. Now if I want to log out of your app, spring security will invalidate the session on your application, but it has no control over the session I have open with google, in fact I don't want to also be logged out of google. Hence if you want the login screen of the 3rd party again, you need to go to their page and logout.

Related Questions in SPRING-SECURITY

Related Questions in OAUTH-2.0

Related Questions in OAUTH

Related Questions in SPRING-SECURITY-OAUTH2

Related Questions in SPRING-OAUTH2

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.