Showing the Okta sign-in screen after a log out with Spring Security Reactive

Greetings all,

We have a Spring Boot application that utilizes okta-spring-boot-starter. After a user logs out of the system, they are redirected to our company’s home page (www.mycompany.com).

However, when the user navigates back to the sign-in screen after logging out, they are “automatically” signed in. How can I force the Okta sign-in screen to be shown and not use any credentials or cookies stored in the browser? I suspect I’m missing something in my securityWebFilterChain(ServerHttpSecurity http) configuration, but I’m not sure what that would be.

import java.net.URI

import org.springframework.context.annotation.Bean
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity.LogoutSpec
import org.springframework.security.web.server.SecurityWebFilterChain
import org.springframework.security.web.server.authentication.logout.RedirectServerLogoutSuccessHandler
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler

@Bean
SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
  http
    .httpBasic().disable()   // HttpBasicSpec has disable(), not disabled()
    .formLogin().disable()
    .oauth2Login().and()
    .logout(this.&configureLogout)   // Groovy method closure coerced to Customizer<LogoutSpec>
    .authorizeExchange()
    .pathMatchers("/**").authenticated()
    .and().build()
}

LogoutSpec configureLogout(LogoutSpec logoutSpec) {
  logoutSpec.logoutSuccessHandler(logoutSuccessHandler("https://www.mycompany.com"))
  logoutSpec
}

// Only redirects the browser after clearing the local session; it does not end the Okta session.
ServerLogoutSuccessHandler logoutSuccessHandler(String uri) {
  RedirectServerLogoutSuccessHandler successHandler = new RedirectServerLogoutSuccessHandler()
  successHandler.setLogoutSuccessUrl(URI.create(uri))
  successHandler
}

Hey @jndietz!

Great question! First a little background. By default logging out of an application only removes the local session. The easiest explanation for this is more obvious with “social login”. For example, if I configure an app to “Login with GitHub”, my application doesn’t have the ability to log out of GitHub, just my app.

For cases when you only have a single application, or for a set of apps that your company controls, you probably want to let the user end the SSO session for everything.

There are two ways to do this.

Replace your LogoutSuccessHandler with a Bean of type org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler

Something like this (forgive any copy/paste errors):

    @Bean
    OidcClientInitiatedLogoutSuccessHandler logoutSuccessHandler(ClientRegistrationRepository clientRegistrationRepository) {
        OidcClientInitiatedLogoutSuccessHandler successHandler = new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
        successHandler.setPostLogoutRedirectUri(URI.create("https://www.mycompany.com"));
        return successHandler;
    }

Or, if you are already using the okta-spring-boot-starter, configuring the following property sets up that bean for you:

okta.oauth2.postLogoutRedirectUri=https://www.mycompany.com

Keep us posted!

1 Like
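The asker's filter chain is reactive (ServerHttpSecurity), so the handler has to be the reactive counterpart of the class named in the answer above: OidcClientInitiatedServerLogoutSuccessHandler, built from a ReactiveClientRegistrationRepository. The following is an added example, not code from either participant or from the Okta starter. It rewrites the asker's Groovy configuration as a complete Java WebFlux configuration that performs OIDC RP-Initiated Logout: on logout the handler redirects the browser to the provider's end_session_endpoint with an id_token_hint and the post_logout_redirect_uri, so the Okta session is ended and the next visit shows the sign-in screen. It assumes Spring Security 5.3 or later (for the String form of setPostLogoutRedirectUri) and uses the asker's www.mycompany.com as the post-logout target.

```java
// Added example (not from the original thread): reactive Spring Security configuration
// that ends the Okta session on logout via OIDC RP-Initiated Logout.
// Assumes Spring Security 5.3+ and the okta-spring-boot-starter (or spring-boot-starter-oauth2-client)
// on the classpath, which provides the ReactiveClientRegistrationRepository bean.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
                                                  ReactiveClientRegistrationRepository registrations) {
        return http
            .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
            .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
            .oauth2Login(Customizer.withDefaults())
            // Replaces RedirectServerLogoutSuccessHandler, which only cleared the local session.
            .logout(logout -> logout.logoutSuccessHandler(oidcLogoutSuccessHandler(registrations)))
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .build();
    }

    // Redirects to the provider's end_session_endpoint (discovered from the issuer metadata)
    // with id_token_hint and post_logout_redirect_uri, then the provider sends the browser back
    // to the configured URL. Invalidating the local WebSession is still done by the logout filter.
    private ServerLogoutSuccessHandler oidcLogoutSuccessHandler(ReactiveClientRegistrationRepository registrations) {
        OidcClientInitiatedServerLogoutSuccessHandler handler =
            new OidcClientInitiatedServerLogoutSuccessHandler(registrations);
        // Hypothetical value from the thread; must be registered as a sign-out redirect URI in Okta.
        handler.setPostLogoutRedirectUri("https://www.mycompany.com");
        return handler;
    }
}
```

Two checks worth doing once this is in place: confirm that https://www.mycompany.com (or whatever you configure) is listed among the application's sign-out redirect URIs in the Okta admin console, since the provider rejects a post_logout_redirect_uri it does not recognise, and verify in the browser's network tab that the logout response is a redirect to the Okta end-session endpoint carrying id_token_hint rather than a direct redirect to the company home page.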

Hey @bdemers , thanks for taking the time to respond. I swear I tried using this configuration, but it didn’t work.

I noticed that the kebab case in YAML doesn’t appear to work:

okta.oauth2.post-logout-redirect-uri doesn’t work, but okta.oauth2.postLogoutRedirectUri does work.

Thanks again for the help, @bdemers.

Edit: I should note this solved my issue where the Okta sign-in screen was not displayed after a log out (it would just log the previous user back in).
