Trying to configure the logout to remove any session data that might exist between Okta and the user. I can logout the user from my application, but when I go back to a protected route, the user does not have to log back in through Okta.
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Profile({"heroku", "secured"})
@EnableOAuth2Sso
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                // Matchers are evaluated in order; the first match wins.
                .antMatchers(HttpMethod.GET, "/api/programs/*", "/api/programs").permitAll()
                .antMatchers(HttpMethod.POST, "/api/users").permitAll()
                .antMatchers("/api/**", "/login", "/patron/**").authenticated()
                .antMatchers("/**").permitAll()
                // "/**" above already matches every remaining request, so this rule is never reached.
                .anyRequest().authenticated()
            .and()
            // Clears the local session and cookies only; the Okta (IdP) session is untouched,
            // so the next visit to a protected route is re-authenticated silently.
            .logout()
                .deleteCookies()
                .invalidateHttpSession(true)
                .logoutSuccessUrl("/")
                .permitAll();
    }
}
Is there a specific call that needs to be made from my end? Do I need to customize the logout handler?
I’m using OAuth2 Auth Code flow, and I’m not using the okta-spring-boot dependency.