How to Logout from Springboot App and Okta

Trying to configure the logout to remove any session data that might exist between Okta and the user. I can log out the user from my application, but when I go back to a protected route, the user does not have to log back in through Okta.

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Profile({"heroku", "secured"})
@EnableOAuth2Sso
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                // unauthenticated reads of programs and user self-registration
                .antMatchers(HttpMethod.GET, "/api/programs/*", "/api/programs").permitAll()
                .antMatchers(HttpMethod.POST, "/api/users").permitAll()
                // the rest of the API, the login page and /patron require an Okta login
                .antMatchers("/api/**", "/login", "/patron/**").authenticated()
                // "/**" matches every remaining path, so anyRequest() below is never reached
                .antMatchers("/**").permitAll()
                .anyRequest().authenticated()
            .and()
            // local logout only: clears the HTTP session and redirects to "/"; the Okta session is untouched
            .logout().deleteCookies().invalidateHttpSession(true).logoutSuccessUrl("/").permitAll();
    }
}

Is there a specific call that needs to be made from my end? Do I need to customize the logout handler?
I’m using OAuth2 Auth Code flow, and I’m not using the okta-spring-boot dependency.

Spring Security doesn’t log you out from Okta when you’re using EnableOAuth2Sso. There’s this answer on Stack Overflow that has an SSO Logout handler.

We had many discussions among the JHipster Team about this. Since Okta is designed to be SSO and keep you logged in, we decided the current behavior is the best. If you used Facebook to log in to an app, then logged out of that app, you would not want it to log out of Facebook for you.

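For anyone who does want the Okta session ended as well, here is one way to write the SSO logout handler Matt refers to, as an added example that is not from this thread, Okta or JHipster. It targets the legacy EnableOAuth2Sso stack: the id_token is captured before Spring invalidates the session (the session-scoped OAuth2ClientContext is empty by the time the success handler runs), then the browser is sent to Okta's OIDC logout endpoint. The property names okta.issuer and okta.post-logout-redirect-uri, the class name and the request attribute are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class OktaLogoutHandler implements LogoutHandler, LogoutSuccessHandler {
    private static final String ID_TOKEN_ATTR = "okta.logout.idToken"; // assumed attribute name
    private final OAuth2ClientContext clientContext;
    private final String issuer;        // assumed property, e.g. https://{yourOktaDomain}/oauth2/default
    private final String postLogoutUri; // assumed property; must be an allowed logout redirect URI in Okta
    public OktaLogoutHandler(OAuth2ClientContext clientContext, @Value("${okta.issuer}") String issuer,
                             @Value("${okta.post-logout-redirect-uri}") String postLogoutUri) {
        this.clientContext = clientContext;
        this.issuer = issuer;
        this.postLogoutUri = postLogoutUri;
    }
    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication auth) {
        // Runs before SecurityContextLogoutHandler: capture the id_token while the session still exists.
        OAuth2AccessToken token = clientContext.getAccessToken();
        if (token != null && token.getAdditionalInformation() != null) {
            Object idToken = token.getAdditionalInformation().get("id_token");
            if (idToken != null) request.setAttribute(ID_TOKEN_ATTR, idToken.toString());
        }
    }
    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication auth) throws IOException {
        Object idToken = request.getAttribute(ID_TOKEN_ATTR);
        if (idToken == null) {   // no id_token (e.g. session already gone): local logout only
            response.sendRedirect(postLogoutUri);
        } else {                 // OIDC RP-initiated logout: Okta ends its session, then returns the browser
            response.sendRedirect(issuer + "/v1/logout?id_token_hint=" + encode(idToken.toString())
                    + "&post_logout_redirect_uri=" + encode(postLogoutUri));
        }
    }
    private static String encode(String v) throws IOException {
        return URLEncoder.encode(v, StandardCharsets.UTF_8.name());
    }
}
```

Wire it in with .logout().addLogoutHandler(handler).logoutSuccessHandler(handler) in place of logoutSuccessUrl("/"); custom handlers added this way run before the session is invalidated, which is what makes the id_token capture work.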

That makes complete sense and I will keep this the same as well then. Thanks Matt.
