
I am trying to log out from an application that is using OIDC for the authentication. Once I am logged in I cannot log out: when I head to /logout I am not seeing the consent page that I am used to seeing when logging out from the WSO2 Console application (I haven't disabled it, so it should appear to confirm the logout). After that I am redirected to the /login page, in which I am not required to insert credentials and all I have to do is click Allow on the consent.

Config security class

import java.net.URI;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

@Configuration
@EnableWebSecurity
public class ConfigSecurity extends WebSecurityConfigurerAdapter {

    // Holds the "wso2" registration built from application.properties
    @Autowired
    private ClientRegistrationRepository clientRegistrationRepository;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()
                .antMatchers("/login", "/assets/**")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .oauth2Login().loginPage("/login")
                .and()
                .logout().logoutUrl("/logout")
                // After the local session is cleared, hand off to the OIDC provider's logout
                .logoutSuccessHandler(oidcLogoutSuccessHandler());

    }

    private LogoutSuccessHandler oidcLogoutSuccessHandler() {

        // RP-initiated logout: redirects to the provider's end_session_endpoint
        // (taken from the registration's provider metadata) with id_token_hint
        OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler =
                new OidcClientInitiatedLogoutSuccessHandler(
                        this.clientRegistrationRepository);
        // Where the provider should send the browser once its own session is ended
        oidcLogoutSuccessHandler.setPostLogoutRedirectUri(URI.create("http://localhost:8844/logout"));
        return oidcLogoutSuccessHandler;
    }
}

Callback URI:

regexp=(http://localhost:8844/login/oauth2/code/wso2|http://localhost:8844/logout)

Back-Channel Logout URI: https://localhost:9443/oidc/logout

application.properties:

server.port=8844
#########
spring.security.oauth2.client.registration.wso2.client-name=WSO2 Identity Server
spring.security.oauth2.client.registration.wso2.client-id=5YvGdwKZaS6pTS_uZhfu_X8sNVYa
spring.security.oauth2.client.registration.wso2.client-secret=hGPrgFnlbuS5N7_srxRenz998h8a
spring.security.oauth2.client.registration.wso2.redirect-uri={baseUrl}/login/oauth2/code/wso2
spring.security.oauth2.client.registration.wso2.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.wso2.scope=openid

# spring.security.oauth2.client.provider.wso2.issuer-uri=https://localhost:9443/oauth2/oidcdiscovery

#Identity Server Properties
spring.security.oauth2.client.provider.wso2.authorization-uri=https://localhost:9443/oauth2/authorize
spring.security.oauth2.client.provider.wso2.token-uri=https://localhost:9443/oauth2/token
spring.security.oauth2.client.provider.wso2.user-info-uri=https://localhost:9443/oauth2/userinfo
spring.security.oauth2.client.provider.wso2.jwk-set-uri=https://localhost:9443/oauth2/jwks

Can anyone help? Thanks in advance.

  • can you provide the properties file of the spring boot app? – Piraveena Paralogarajah Apr 30 '21 at 12:05
  • On the IS side you have configured http://localhost:8084/logout as a callback URI, but on the application side you have configured http://localhost:8844/logout as the post logout redirect URI. See the port number difference? Is that intentional? Can you change that and see the behavior? – Maduranga Siriwardena Apr 30 '21 at 15:57
  • @MadurangaSiriwardena I have noticed that too, and that's a mistake; it isn't intentional. I have changed it but nothing changes, I still get the same thing. – BA23AC May 03 '21 at 15:52
  • @PiraveenaParalogarajah I have included the application.properties file in the question – BA23AC May 03 '21 at 15:55
  • If you check the browser console, do you see the id_token_hint in the logout request as mentioned in https://is.docs.wso2.com/en/5.10.0/learn/openid-connect-logout-url-redirection – Maduranga Siriwardena May 04 '21 at 04:32

1 Answer

The Spring Boot OAuth client derives the OIDC logout endpoint of the IdP from the discovery endpoint. The issue is that, from your application properties file, the application could not find the logout endpoint of the IdP. The token endpoint, authorization URL, user-info-uri and jwk-set-uri can be configured separately, but there is no way to configure the logout URL in such a way. Since WSO2 supports OIDC discovery, all the endpoints (token endpoint, authorization URL, user-info-uri, jwk-set-uri and logout endpoint) can be obtained from the issuer-uri property. So remove the token endpoint, authorization URL, user-info-uri and jwk-set-uri configurations and add the issuer-uri config. Apply the below configuration to your properties file and see.

server.port=8844
#########
spring.security.oauth2.client.registration.wso2.client-name=WSO2 Identity Server
spring.security.oauth2.client.registration.wso2.client-id=5YvGdwKZaS6pTS_uZhfu_X8sNVYa
spring.security.oauth2.client.registration.wso2.client-secret=hGPrgFnlbuS5N7_srxRenz998h8a
spring.security.oauth2.client.registration.wso2.redirect-uri={baseUrl}/login/oauth2/code/wso2
spring.security.oauth2.client.registration.wso2.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.wso2.scope=openid

spring.security.oauth2.client.provider.wso2.issuer-uri=https://localhost:9443/oauth2/token

You can refer to these docs:

https://docs.spring.io/spring-boot/docs/current/reference/html/spring-boot-features.html#boot-features-security-oauth2-client

https://www.baeldung.com/spring-security-openid-connect
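The mechanism the answer describes, as an added example that is not part of the original question or answer and is not Spring Security's or WSO2's code: a small Python model of how an OIDC client builds the RP-initiated logout URL from provider metadata. It contrasts a provider built from a discovery document (which carries end_session_endpoint) with one built from the manually listed endpoint properties in the question (which have no logout key), so the second case only clears the local session and the browser lands back on the login page without being asked for credentials. The discovery document is constructed for illustration, and `is_registered_callback` is a hypothetical helper that mimics the `regexp=` callback entry from the question to catch the port mismatch raised in the comments.

```python
import json
import re
from urllib.parse import urlencode

# Constructed discovery document shaped like {issuer}/.well-known/openid-configuration.
# Field names follow OIDC Discovery; the values are assumptions mirroring the page.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://localhost:9443/oauth2/token",
    "authorization_endpoint": "https://localhost:9443/oauth2/authorize",
    "token_endpoint": "https://localhost:9443/oauth2/token",
    "userinfo_endpoint": "https://localhost:9443/oauth2/userinfo",
    "jwks_uri": "https://localhost:9443/oauth2/jwks",
    "end_session_endpoint": "https://localhost:9443/oidc/logout",
})

# The manual provider.* keys from the question, as a dict (constructed input).
MANUAL_PROPERTIES = {
    "authorization-uri": "https://localhost:9443/oauth2/authorize",
    "token-uri": "https://localhost:9443/oauth2/token",
    "user-info-uri": "https://localhost:9443/oauth2/userinfo",
    "jwk-set-uri": "https://localhost:9443/oauth2/jwks",
}


def provider_from_discovery(doc: str) -> dict:
    """Build provider details from a discovery document (the issuer-uri path)."""
    meta = json.loads(doc)
    return {
        "authorization_uri": meta["authorization_endpoint"],
        "token_uri": meta["token_endpoint"],
        "user_info_uri": meta.get("userinfo_endpoint"),
        "jwk_set_uri": meta["jwks_uri"],
        # Optional in the spec: present only when the OP supports RP-initiated logout.
        "end_session_endpoint": meta.get("end_session_endpoint"),
    }


def provider_from_manual_properties(props: dict) -> dict:
    """Build provider details from individually listed endpoints.
    There is no property for the logout endpoint, so it stays unset."""
    return {
        "authorization_uri": props["authorization-uri"],
        "token_uri": props["token-uri"],
        "user_info_uri": props.get("user-info-uri"),
        "jwk_set_uri": props["jwk-set-uri"],
        "end_session_endpoint": None,
    }


def build_logout_target(provider: dict, id_token: str,
                        post_logout_redirect_uri: str, fallback_url: str = "/") -> str:
    """Return where the browser is sent after the local session is cleared.

    With an end_session_endpoint the client redirects to the OP carrying
    id_token_hint and post_logout_redirect_uri, so the OP session ends too.
    Without it only the local session is cleared and the browser goes to the
    fallback (the application root by default); the OP session survives, which
    is why the next visit to /login completes without credentials.
    """
    endpoint = provider.get("end_session_endpoint")
    if not endpoint:
        return fallback_url
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    })
    return f"{endpoint}?{query}"


def is_registered_callback(uri: str, callback_config: str) -> bool:
    """Hypothetical check of a post-logout URI against an IS-style callback entry.
    A plain entry must match exactly; a `regexp=` entry is anchored as a
    full-string regular expression."""
    if callback_config.startswith("regexp="):
        return re.fullmatch(callback_config[len("regexp="):], uri) is not None
    return uri == callback_config


if __name__ == "__main__":
    redirect = "http://localhost:8844/logout"
    print("manual  :", build_logout_target(provider_from_manual_properties(MANUAL_PROPERTIES), "ID_TOKEN", redirect))
    print("discover:", build_logout_target(provider_from_discovery(DISCOVERY_JSON), "ID_TOKEN", redirect))
    callback = "regexp=(http://localhost:8844/login/oauth2/code/wso2|http://localhost:8844/logout)"
    print("registered:", is_registered_callback(redirect, callback))
```

Running the block shows the manual configuration ending at `/` (so the app's own security rules bounce the browser to /login, where the still-live IdP session answers for the user), while the discovery-based configuration yields the provider's logout endpoint with `id_token_hint` and `post_logout_redirect_uri` attached; that query string is also what the comment about checking the browser console is looking for.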