Spring Boot OAuth2 Single Sign Off (Logout)

Juan Carlos Mendoza picture Juan Carlos Mendoza · Mar 28, 2017 · Viewed 14.4k times · Source

I'm considering to use OAuth2 for my application. The architecture I'm trying to implement is as follows:

  • I will have my own (and only this) Authorization Server
  • Some Resource Apps validating access to their resources using the Authorization Server
  • Some client apps (web, mobile) which will redirect the user to the Authorization Server for authentication and on success will consume the api's on the Resource Apps.

So far I have managed to implement this interaction between 3 basic apps (1 auth server, 1 resource server and 1 client). The thing I don't get working is the logout functionality. I have read of the "notoriously tricky problem" that Dave Syer describes in his tutorial, but in this case I really need the user to re-login after loging out. I have tried giving few seconds to the access token and the refresh token, but instead of being prompted to login again when the expiration arrives, I'm getting a NPE on the client app. I have also tried the solutions proposed in this post to remove the token from the token store, but it doesn't work. The single sign off is for me the desirable behaviour for this implementation. How can I achieve this using Spring Boot Oauth2. If it is not possible for some reason, which alternatives I could use to implement a centralized security using Spring Boot?

Thanks in advance.

Answer

Juan Carlos Mendoza picture Juan Carlos Mendoza · Mar 31, 2017

After a lot of tests I have realized that this can be solved just with a redirect to the AuthServer and doing logout programmatically like this:

  • In the client app (WebSecurityConfigurerAdapter):

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .logout()
                .logoutSuccessUrl("http://your-auth-server/exit");
    }
    
  • In the authorization server:

    @Controller
    public class LogoutController {
    
        @RequestMapping("/exit")
        public void exit(HttpServletRequest request, HttpServletResponse response) {
            // token can be revoked here if needed
            new SecurityContextLogoutHandler().logout(request, null, null);
            try {
                //sending back to client app
                response.sendRedirect(request.getHeader("referer"));
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
    

I have posted a sample app on github with a full example of this implementation.