We have a Spring Boot application that utilizes okta-spring-boot-starter. After a user logs out of the system, they are redirected to our company’s home page (www.mycompany.com).
However, when the user navigates back to the sign-in screen after logging out, they are “automatically” signed in. How can I force the Okta sign-in screen to be shown and not use any credentials or cookies stored in the browser? I suspect I’m missing something in my securityWebFilterChain(ServerHttpSecurity http) configuration, but I’m not sure what that would be.
Great question! First a little background. By default logging out of an application only removes the local session. The easiest explanation for this is more obvious with “social login”. For example, if I configure an app to “Login with GitHub”, my application doesn’t have the ability to log out of GitHub, just my app.
For cases when you only have a single application, or for a set of apps that your company controls, you probably want to let the user end the SSO session for everything.
There are two ways to do this.
Replace your LogoutSuccessHandler with a Bean of type org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler
Something like this (forgive any copy/paste errors):
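Since the question's configuration is the reactive `securityWebFilterChain(ServerHttpSecurity http)`, the following is an added, stand-alone example (not the answerer's code, and not from okta-spring-boot-starter) of wiring the reactive counterpart of the class named above, `OidcClientInitiatedServerLogoutSuccessHandler`, into that filter chain. It assumes a WebFlux application whose `ReactiveClientRegistrationRepository` is auto-configured by the starter, and it uses the company home page from the question as the post-logout redirect; for a servlet (Spring MVC) application the same shape applies with `OidcClientInitiatedLogoutSuccessHandler` and a `ClientRegistrationRepository`.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    // Assumption: the starter has already registered the Okta client, so the
    // ReactiveClientRegistrationRepository can simply be injected here.
    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
                                                  ReactiveClientRegistrationRepository clientRegistrations) {
        http
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .oauth2Login(withDefaults())
            // Replace the default (local-session-only) logout success handling with
            // RP-initiated logout, so the Okta session is ended as well.
            .logout(logout -> logout.logoutSuccessHandler(oidcLogoutSuccessHandler(clientRegistrations)));
        return http.build();
    }

    private ServerLogoutSuccessHandler oidcLogoutSuccessHandler(ReactiveClientRegistrationRepository clientRegistrations) {
        // After invalidating the local session, this handler redirects the browser to the
        // provider's end_session_endpoint (carrying id_token_hint), and the provider then
        // sends the user on to the post-logout redirect URI below.
        OidcClientInitiatedServerLogoutSuccessHandler handler =
                new OidcClientInitiatedServerLogoutSuccessHandler(clientRegistrations);
        // The home page from the question; "{baseUrl}" may be used instead to redirect
        // back to the application itself.
        handler.setPostLogoutRedirectUri("https://www.mycompany.com");
        return handler;
    }
}
```

The redirect target passed to `setPostLogoutRedirectUri` must also be listed under the application's logout redirect URIs in the Okta admin console; otherwise the provider rejects the request and the Okta session survives, which reproduces exactly the "automatically signed in again" behaviour the question describes. A quick check that the change took effect is to watch the browser after clicking logout: the sequence should include a request to the Okta `/v1/logout` endpoint before landing on the home page.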
Edit: I should note this solved my issue where the Okta sign-in screen was not displayed after a log out (it would just log the previous user back in).