I am using the angular-oauth2-oidc library in my frontend application. The configuration is done the same way as shown in this project, using APP_INITIALIZER.

Following is the AuthConfig:
```ts
{
  "issuer": "http://auth.myapp-local.mycompany.com:8080",
  "redirectUri": window.location.origin + "/index.html",
  "clientId": "myapp-client",
  "scope": "openid profile myapp",
  "responseType": "code",
  "dummyClientSecret": "mysecret",
  "requireHttps": false
}
```
I have the following routes:
```ts
const routes: Routes = [
  {
    path: '',
    redirectTo: '/index.html',
    pathMatch: 'full'
  } as Route,
  {
    path: 'index.html',
    component: AutoLoginComponent
  } as Route,
  {
    // lazy-loaded module, only reachable when AuthGuard allows it
    path: 'protected',
    loadChildren: () => import('./protected/protected.module').then(m => m.ProtectedModule),
    canActivate: [AuthGuard]
  },
  {
    path: 'forbidden',
    component: ForbiddenComponent
  }
];
```
The AutoLoginComponent is the same as shown here.
For the OAuth2, I am using spring-authorization-server.
The .well-known/openid-configuration returns:
```json
{
  "issuer": "http://auth.myapp-local.mycompany.com:8080",
  "authorization_endpoint": "http://auth.myapp-local.mycompany.com:8080/oauth2/authorize",
  "token_endpoint": "http://auth.myapp-local.mycompany.com:8080/oauth2/token",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt"],
  "jwks_uri": "http://auth.myapp-local.mycompany.com:8080/oauth2/jwks",
  "userinfo_endpoint": "http://auth.myapp-local.mycompany.com:8080/userinfo",
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code", "client_credentials", "refresh_token"],
  "revocation_endpoint": "http://auth.myapp-local.mycompany.com:8080/oauth2/revoke",
  "revocation_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt"],
  "introspection_endpoint": "http://auth.myapp-local.mycompany.com:8080/oauth2/introspect",
  "introspection_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid"]
}
```
When I am trying to revoke and logout by executing the following code in the action of the Logout button:
```ts
this._oAuthService.revokeTokenAndLogout({
  client_id: this._oAuthService.clientId,
  returnTo: this._oAuthService.redirectUri
}, true)
```

I can see it is hitting the revoke endpoint http://auth.myapp-local.mycompany.com:8080/oauth2/revoke. But it stays on the same page. And if I modify the above code and do this:
```ts
this._oAuthService.revokeTokenAndLogout({
  client_id: this._oAuthService.clientId,
  returnTo: this._oAuthService.redirectUri
}, true).then(() => this._router.navigateByUrl('/'));
```

Then it is routed to index.html (AutoLoginComponent) and stays there.
I would like to route the user to the login page, and after logout, clicking the browser's back button must not let the user access the protected resource.

What I am unable to figure out is whether I am missing something or whether the backend Authorization Server does not support the logout functionality yet.
Any pointers or advice would be much appreciated.
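As an added illustration (not code from the question, from angular-oauth2-oidc or from spring-authorization-server), the following TypeScript separates the three things a logout has to do: revoke the token at the provider, end the provider's session via an `end_session_endpoint` (OpenID Connect RP-Initiated Logout) if the discovery document advertises one, and clear the client's own token storage so that a route guard evaluated on the next navigation (including a back-button navigation) rejects the user. The discovery document quoted in the question advertises a `revocation_endpoint` but no `end_session_endpoint`, and the example mirrors that: with no end-session URL there is nothing to redirect to, so the browser stays where it is. The token store, the storage key names and the `hasValidAccessToken` check are assumptions made for this example, not the library's internals.

```typescript
// Added example: derive logout behaviour from an OIDC discovery document
// and show the local-session checks a route guard needs after logout.

interface DiscoveryDocument {
  issuer: string;
  revocation_endpoint?: string;
  end_session_endpoint?: string;
}

// Constructed copy of the fields that matter from the discovery document in the question.
export const discoveryFromQuestion: DiscoveryDocument = {
  issuer: "http://auth.myapp-local.mycompany.com:8080",
  revocation_endpoint: "http://auth.myapp-local.mycompany.com:8080/oauth2/revoke",
  // no end_session_endpoint is advertised
};

// What the provider lets a relying party do at logout time.
export function logoutCapabilities(doc: DiscoveryDocument): { canRevoke: boolean; canRpInitiatedLogout: boolean } {
  return {
    canRevoke: typeof doc.revocation_endpoint === "string",
    canRpInitiatedLogout: typeof doc.end_session_endpoint === "string",
  };
}

// Build the RP-Initiated Logout URL, or return null when the provider has no end_session_endpoint.
export function buildEndSessionUrl(
  doc: DiscoveryDocument,
  idTokenHint: string,
  postLogoutRedirectUri: string
): string | null {
  if (!doc.end_session_endpoint) {
    return null;
  }
  const url = new URL(doc.end_session_endpoint);
  url.searchParams.set("id_token_hint", idTokenHint);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return url.toString();
}

// Assumed stand-in for the browser storage a client keeps its tokens in (key names are hypothetical).
export type TokenStore = Map<string, string>;
const TOKEN_KEYS = ["access_token", "id_token", "refresh_token", "expires_at"];

// Local logout: forget every token so nothing cached can satisfy a later guard check.
export function clearLocalSession(store: TokenStore): void {
  for (const key of TOKEN_KEYS) {
    store.delete(key);
  }
}

// The check a canActivate guard should run on every navigation, back button included.
export function hasValidAccessToken(store: TokenStore, nowMs: number): boolean {
  const token = store.get("access_token");
  const expiresAt = Number(store.get("expires_at"));
  return typeof token === "string" && token.length > 0 && Number.isFinite(expiresAt) && expiresAt > nowMs;
}

// Full logout decision: clear local state, then either redirect to the provider's
// end-session endpoint or fall back to a purely local navigation.
export function planLogout(
  doc: DiscoveryDocument,
  store: TokenStore,
  idToken: string,
  returnTo: string,
  nowMs: number
): { redirectTo: string; providerSessionEnded: boolean; localSessionValid: boolean } {
  clearLocalSession(store);
  const endSession = buildEndSessionUrl(doc, idToken, returnTo);
  return {
    redirectTo: endSession ?? returnTo,
    providerSessionEnded: endSession !== null,
    localSessionValid: hasValidAccessToken(store, nowMs),
  };
}
```

With the question's discovery document, `planLogout` ends up with `providerSessionEnded: false`: the client can forget its tokens and navigate to the login route, but the provider's own login session is untouched, so a fresh authorization request may silently succeed without prompting for credentials until that session expires.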