
I have been following Dave Syer's tutorial, SSO with OAuth2, Part 5: https://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/oauth2

It has a UI/API gateway, a resource server and an authorization server. When I click logout from the UI/API gateway application I get the following (screenshot: CORS issue).

What is currently happening in Dave Syer's tutorial is that when a user clicks logout it changes the authentication flag to false, making it seem the user has logged out, but they have only logged out from the UI/API gateway application.

When the user clicks login, remember they haven't logged out from the authentication server. Therefore, the user doesn't go through the authentication and approval cycle again.

What I want: when a user clicks logout and tries to log in again, the user must input username and password. In fact, they should start afresh, meaning the system should invalidate the session and/or token.

I've been banging my head against a wall trying to find a solution for this. Can anyone please point out how to resolve/achieve this?

Dev Fh

2 Answers

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestMapping;

@RequestMapping(value = "/login")
public String login(HttpServletRequest request) {
    // getSession(false) returns null instead of creating a fresh session just to invalidate it
    HttpSession session = request.getSession(false);
    // drop the Authentication held for the current thread
    SecurityContextHolder.clearContext();
    // invalidate only when a session actually exists (the original checked for == null)
    if (session != null) {
        session.invalidate();
    }
    return "login";
}
```
isaDev

I am currently facing the same problem. What I found out so far is that this seems to be a general SSO design problem, since it is not really clear whether the user wants to log out only from the (gateway) application or from the whole system (OAuth2 server). You can find more information on this in Dave Syer's blog post under the caption The Logout Experience. Hope it helps.

gokumc
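The question asks for a logout that forces a fresh username/password prompt, and the second answer notes that this means logging out of the authorization server too, not just the gateway. The example below is added here and is not code from the tutorial or either answer: it shows one common way to do that in Spring Security, by having the gateway's logout clear its own session and then redirect the browser to a logout endpoint on the authorization server, which invalidates its session and sends the browser back. All URLs, the handler and controller names, and the `redirect` parameter are assumptions chosen for the example; token revocation is a separate step and is not shown.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

/**
 * Gateway side (example, not the tutorial's code). Runs after the gateway's own
 * LogoutFilter has cleared the SecurityContext and invalidated the local session,
 * and sends the browser on to the authorization server so that session dies too.
 */
public class SsoLogoutSuccessHandler implements LogoutSuccessHandler {

    // Assumed addresses: the tutorial runs the auth server on 9999 and the gateway on 8080.
    private final String authServerLogoutUrl = "http://localhost:9999/uaa/logout";
    private final String returnUrl = "http://localhost:8080/";

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException {
        // The return URL is passed as a query parameter the auth server will validate.
        response.sendRedirect(authServerLogoutUrl + "?redirect="
                + URLEncoder.encode(returnUrl, "UTF-8"));
    }

    /** Call this from the gateway's WebSecurityConfigurerAdapter.configure(HttpSecurity). */
    public static void configureLogout(HttpSecurity http) throws Exception {
        http.logout()
            .logoutUrl("/logout")
            .invalidateHttpSession(true)   // drop the gateway's HttpSession
            .deleteCookies("JSESSIONID")   // and the cookie that names it
            .logoutSuccessHandler(new SsoLogoutSuccessHandler());
    }
}

/**
 * Authorization server side (example). Invalidates the auth server session so the
 * next /oauth/authorize request goes through the login and approval cycle again.
 * With CSRF protection on, Spring's own LogoutFilter only handles POST /logout,
 * so this GET mapping is reached by the redirect from the gateway.
 */
@Controller
class AuthServerLogoutController {

    // Allowlist of places we are willing to send the browser after logout; anything
    // else is ignored so the endpoint cannot be used as an open redirector.
    private static final Set<String> ALLOWED_RETURN_URLS =
            new HashSet<>(Arrays.asList("http://localhost:8080/"));

    @RequestMapping(value = "/logout", method = RequestMethod.GET)
    public String logout(@RequestParam(value = "redirect", required = false) String redirect,
                         HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // SecurityContextLogoutHandler invalidates the session and clears the context.
        new SecurityContextLogoutHandler().logout(request, response, auth);
        if (redirect != null && ALLOWED_RETURN_URLS.contains(redirect)) {
            return "redirect:" + redirect;
        }
        return "redirect:/login?logout";
    }
}
```

Because the logout is driven by a browser redirect rather than an XHR call, the gateway's `/logout` should be triggered by a form POST or a full navigation, which also sidesteps the CORS error seen in the question. The allowlist check on the auth server is the part a reviewer should insist on: a logout endpoint that redirects to any caller-supplied URL is an open redirect.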