Logout from OIDC web app

spring
java

#1

I am trying to implement a logout feature in my Spring Boot OIDC-based web app. When I looked at the Okta forum, I saw two recommendations (from the links below): one is to delete the token from the Okta server and the other is to delete the session.

Below is the code which I am using in my Spring app:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            // specific matchers must come before anyRequest(); the success page is public
            .antMatchers("/logOutSuccessful").permitAll()
            .anyRequest().authenticated()
        .and()
        .oauth2Login().loginPage("/customOAuth2Login_Okta").permitAll()
        .and()
        .logout()
            .deleteCookies() // no cookie names given, so this handler clears nothing
            .invalidateHttpSession(true)
            .logoutSuccessUrl("/logOutSuccessful")
            .logoutRequestMatcher(new AntPathRequestMatcher("/logoutMe")).permitAll();
}

When I use the above code, my cookies are not getting deleted, and even when I implement a custom LogoutHandler to delete the session by making a DELETE call on https://domainName/api/v1/sessions/me, it's not working.
It redirects me to the /logOutSuccessful URL and I can still see the cookies in my browser.

Ref URLs: https://developer.okta.com/docs/api/resources/oidc#logout
https://developer.okta.com/docs/api/resources/sessions

I need help on the correct way to implement logout for an OIDC-based web app in Spring.
Thanks for your help.


#2

This is what Spring Security does out of the box:

  • Invalidating the HTTP Session
  • Cleaning up any RememberMe authentication that was configured
  • Clearing the SecurityContextHolder
  • Redirecting to /login?logout

You will likely end up with a cookie at the end of this, but it should be a different session.

Can you confirm your Spring Session is removed?


#3

Thanks for your reply.
I see that even after logout, for the next request, it's not taking me to the Okta screen for authentication.


#4

Assuming you are redirecting to an Okta domain to login (and you already have an SSO session with Okta) you may get bounced back into your application without realizing it.

The easiest way to see if this is happening is to turn on developer tools and make sure “Preserve log” is enabled.

Another way to tell is if your application has a different session id.


#5

I was tracing the network log and came to the conclusion that I still have the session, even though I logged out.
But when I implemented the following code, without explicitly defining .deleteCookies() and invalidateHttpSession(true), I was able to see the call going to Okta for OAuth login again:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .anyRequest().authenticated()
        .and()
        .oauth2Login().loginPage("/customOAuth2Login_Okta").permitAll()
        .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/perfomLogOut")).permitAll()
            // redirect straight to the Okta sign-in page after local logout
            .logoutSuccessUrl("https://mydomain/login/default");
            //.addLogoutHandler(openIdLogoutHandler)
}

Thanks for looking into it.
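The situation described in #4 and #5, where the local Spring session is gone but the Okta SSO session still exists and the next protected request is silently re-authenticated, is what RP-initiated logout (the OIDC logout endpoint from the first reference URL) addresses. The configuration below is an added example, not code from any poster in this thread; it assumes Spring Security 5.3+ (for OidcClientInitiatedLogoutSuccessHandler and the "{baseUrl}" template), an Okta client registration whose issuer metadata publishes end_session_endpoint, and reuses the paths from the posts above.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Added example, not code from any post in this thread.
// Assumes Spring Security 5.3+ and an Okta client registration whose
// issuer discovery document publishes end_session_endpoint.
@Configuration
public class OidcLogoutSecurityConfig extends WebSecurityConfigurerAdapter {
    private final ClientRegistrationRepository clientRegistrationRepository;

    public OidcLogoutSecurityConfig(ClientRegistrationRepository clientRegistrationRepository) {
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/logOutSuccessful").permitAll()   // public pages first
                .anyRequest().authenticated()                   // anyRequest() must come last
            .and()
            .oauth2Login().loginPage("/customOAuth2Login_Okta").permitAll()
            .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logoutMe"))
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")                    // name the cookie explicitly
                .logoutSuccessHandler(oidcLogoutSuccessHandler())
                .permitAll();
    }

    /**
     * RP-initiated logout: after the local session is invalidated, redirect the
     * browser to the provider's end_session_endpoint with id_token_hint, so the
     * Okta SSO session is ended too. Without this step the next protected request
     * is silently re-authenticated (the behaviour observed in #4/#5).
     */
    private LogoutSuccessHandler oidcLogoutSuccessHandler() {
        OidcClientInitiatedLogoutSuccessHandler handler =
                new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
        // Okta redirects here once its session is cleared; this URI must also be
        // registered as a post-logout redirect URI in the Okta application settings.
        handler.setPostLogoutRedirectUri("{baseUrl}/logOutSuccessful");
        return handler;
    }
}
```

With "Preserve log" enabled as suggested in #4, a successful run shows the redirect to the Okta logout endpoint followed by the redirect back to /logOutSuccessful, and the next protected request lands on the Okta sign-in page instead of being auto-approved.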