Spring Boot Oauth2 logout endpoint

Question

I have a Spring Boot REST application separated into Resource server and Auth server - protected by stateless Oauth2 security.

I am using spring security and Oauth2 starters:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
        </dependency>

The resource server simply links to the auth server using this line in my application.properties:

security.oauth2.resource.userInfoUri: http://localhost:9000/my-auth-server/user

The auth server stores use credentials in a database and have the following configuration:

@Configuration
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    @Qualifier("userDetailsService")
    private UserDetailsService userDetailsService;

    @Autowired
    private AuthenticationManager authenticationManager;

    @Value("${gigsterous.oauth.tokenTimeout:3600}")
    private int expiration;

    // password encryptor
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer configurer) throws Exception {
        configurer.authenticationManager(authenticationManager);
        configurer.userDetailsService(userDetailsService);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("gigsterous").secret("secret").accessTokenValiditySeconds(expiration)
                .scopes("read", "write").authorizedGrantTypes("password", "refresh_token").resourceIds("resource");
    }

}

and

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Constructor disables the default security settings
     */
    public WebSecurityConfig() {
        super(true);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/login");
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

}

Everything is working correctly and I can get an access token and use it to get a protected resource from my resource server:

curl -X POST --user 'my-client-id:my-client-secret' -d 'grant_type=password&username=peter@hotmail.com&password=password' http://localhost:9000/my-auth-server/oauth/token

However, I cannot figure out, how to handle logout (invalidate the token once the user decides to logout). I assumed that there would be some endpoint provided to invalidate the token or do I have to create my own endpoint to handle it? I did not need to specify any kind of TokenStore beans so I am not sure how I would invalidate the current token. I would be glad for any insight - most of the tutorials I have found explains how this is handled with sessions or JWT tokens.

Answer 1

I had this issue and have posted a solution for it on this post.

It's basically redirecting to an endpoint on the authorization server after signing out from the client app and then logout programmatically there.