
I have added a social login feature to my Spring Boot MVC web application. It allows users to log in to my application with a GitHub, Facebook, or Google account. But I am struggling to get the /logout feature to work. Even though /logout is called and the logoutSuccessUrl is loaded, if the user clicks on the login link again, the user is not asked to provide their username or password again. It looks like the user is still authenticated.

How do you guys implement /logout using the new Spring Security 5 OAuth 2 client support?

I have used the new OAuth 2 Client support.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>

spring.security.oauth2.client.registration.facebook.client-id =  
spring.security.oauth2.client.registration.facebook.client-secret = 

And here is what my HttpSecurity configuration looks like:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/").permitAll()
        .anyRequest().authenticated()
        .and()
        .oauth2Login()
        .and()
        .logout().logoutSuccessUrl("/");
}

I have tried this way as well:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers(HttpMethod.POST, "/logout").permitAll()
        .anyRequest().authenticated()
        .and()
        .oauth2Login()
        .and()
        .logout()
        .invalidateHttpSession(true)
        .clearAuthentication(true)
        .deleteCookies("JSESSIONID")
        .logoutSuccessUrl("/").permitAll()
        .and()
        .csrf()
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}

How do you guys log out users who are authenticated using one of the social OAuth 2 login providers with the new Spring Security OAuth 2 client support?

1 Answer

I am currently logged into Google on my Chrome browser and can view my Gmail etc., so I have an active session with Google. If I were to access your Spring app and use Google sign-in, your Spring app would redirect me to Google's auth server, which detects that I am already logged into Google, so it knows who I am; hence it just needs to ask me to consent to the scopes your application is requesting and, if I agree, to issue your application the access token. Now if I want to log out of your app, Spring Security will invalidate the session on your application, but it has no control over the session I have open with Google; in fact, I don't want to also be logged out of Google. Hence, if you want the login screen of the 3rd party again, you need to go to their page and log out.

  • That's right... But what if someone uses my app on a public computer, logs in with their Google account, and when done, clicks on the logout link. They leave under the impression that they have signed out. In 5 minutes another user comes, opens google.com, and notices that they are already signed in with someone else's account... This is what I am trying to avoid. – interested-dev Oct 07 '20 at 20:55
  • Ah, well, there is no standard way in OAuth yet; it really boils down to the social sign-in provider. Unfortunately you don't really have much control. There is a prompt=login parameter in OIDC which instructs the auth server to re-authenticate the user each time, but it's not supported everywhere; I believe Google doesn't support it. But it has its own way of disconnecting a user from your application; check out the developer API documentation on sign-out. Basically you need to additionally call the provider's logout API, perhaps in the logout success handler. – Wojciech Lesniak Oct 07 '20 at 22:41
  • Thank you, @Wojciech Lesniak! – interested-dev Oct 10 '20 at 23:40
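The answer and its comments describe the split: Spring Security's logout clears the application's own session, while anything at the provider has to be done by calling the provider's API from the logout success handler. The following is an added example, not code from the original question or answer, of a LogoutSuccessHandler that does that for the Google registration, using the Spring Security 5 OAuth 2 client API (OAuth2AuthorizedClientService, OAuth2AuthenticationToken) and Google's token revocation endpoint. The package name, class names and the `"google"` registration id are assumptions; the revocation URL is Google's documented endpoint.

```java
package com.example.sociallogin; // hypothetical package name

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;

/**
 * Runs after Spring Security's LogoutHandlers have already invalidated the local
 * session and cleared the SecurityContext. The Authentication passed in is the
 * one captured by LogoutFilter before that happened, so the registration id and
 * principal name are still available to look up the stored authorized client.
 */
public class ProviderRevokingLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {

    // Google's token revocation endpoint. Revoking the access token also revokes
    // the refresh token issued with it, so the app's grant is gone on both sides.
    private static final String GOOGLE_REVOKE_URL = "https://oauth2.googleapis.com/revoke";

    private final OAuth2AuthorizedClientService clients;
    private final RestTemplate rest = new RestTemplate();

    public ProviderRevokingLogoutSuccessHandler(OAuth2AuthorizedClientService clients, String targetUrl) {
        this.clients = clients;
        setDefaultTargetUrl(targetUrl); // where to send the browser after logout, e.g. "/"
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException, ServletException {
        if (authentication instanceof OAuth2AuthenticationToken) {
            OAuth2AuthenticationToken oauth = (OAuth2AuthenticationToken) authentication;
            String registrationId = oauth.getAuthorizedClientRegistrationId(); // "google", "github", ...
            String principal = oauth.getName();
            OAuth2AuthorizedClient client = clients.loadAuthorizedClient(registrationId, principal);
            if (client != null) {
                if ("google".equals(registrationId)) { // assumed registration id from application.properties
                    revokeAtGoogle(client.getAccessToken().getTokenValue());
                }
                // Drop the stored grant so nothing in this app can reuse the token later.
                clients.removeAuthorizedClient(registrationId, principal);
            }
        }
        super.onLogoutSuccess(request, response, authentication);
    }

    private void revokeAtGoogle(String accessToken) {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("token", accessToken);
        try {
            rest.postForEntity(GOOGLE_REVOKE_URL, new HttpEntity<>(form, headers), String.class);
        } catch (RestClientException e) {
            // Best effort: the local logout must still complete if the provider is unreachable.
            // Log the failure in a real application.
        }
    }
}

@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final OAuth2AuthorizedClientService clients; // auto-configured by Spring Boot

    SecurityConfig(OAuth2AuthorizedClientService clients) {
        this.clients = clients;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/").permitAll()
            .anyRequest().authenticated()
            .and()
            .oauth2Login()
            .and()
            .logout()
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID")
            // logoutSuccessHandler replaces logoutSuccessUrl; the handler redirects to "/".
            .logoutSuccessHandler(new ProviderRevokingLogoutSuccessHandler(clients, "/"));
    }
}
```

Two caveats a practitioner should keep in mind. First, revocation only withdraws the application's grant at Google; it does not end the user's google.com browser session, so the public-computer scenario in the comments still depends on the user signing out of Google themselves. For providers that publish an OIDC `end_session_endpoint`, Spring Security's `OidcClientInitiatedLogoutSuccessHandler` performs RP-initiated logout at the provider instead of a revocation call. Second, with CSRF protection enabled (the default), `/logout` is only accepted as a POST carrying the CSRF token; a plain GET link to `/logout` will not run the handler at all.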