Spring Boot OAuth2 Single Sign Off (Logout)

I plan to use OAuth2 for my application. The architecture I'm trying to implement is as follows:

  • I will have my own (and only this one) authorization server
  • Some resource applications that check access to their resources against the authorization server
  • Some client applications (web, mobile) that redirect the user to the authorization server for authentication and, on success, consume the APIs of the resource applications.

So far, I have managed to implement this interaction between 3 main applications (1 auth server, 1 resource server and 1 client). What I am not getting is the logout function. I read about the "notoriously difficult problem" that Dave Syer describes in his tutorial, but in this case I really need the user to log in again after logging out. I tried issuing an access token and a refresh token that expire after a few seconds, but instead of being asked to log in again when the expiration date is reached, I get an NPE in the client application. I also tried the solutions suggested in this post to remove the token from the token store, but it does not work. Single sign-off is the desired behavior for this implementation. How can I achieve this using Spring Boot OAuth2? If for some reason this is not possible, what alternatives could I use to implement centralized security with Spring Boot?

Thanks in advance.

1 answer

After many tests, I realized that this can only be solved by redirecting to the AuthServer and logging out programmatically, as follows:

  • In the client application (WebSecurityConfigurerAdapter):

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    @Configuration
    public class ClientSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.logout()
                // once the client's own session is cleared, send the browser on to the auth server's logout endpoint
                .logoutSuccessUrl("http://your-auth-server/exit");
        }
    }
    
  • On the authorization server:

    import java.io.IOException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;

    @Controller
    public class LogoutController {

        @RequestMapping("/exit")
        public void exit(HttpServletRequest request, HttpServletResponse response) {
            // token can be revoked here if needed
            // invalidate the auth server's own session and clear its SecurityContext
            new SecurityContextLogoutHandler().logout(request, null, null);
            try {
                // sending back to client app.
                // Caveat: the Referer header is client-controlled and may be absent (null here
                // makes sendRedirect throw), so validate it against the client's registered URIs.
                response.sendRedirect(request.getHeader("referer"));
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
    

github.

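The /exit endpoint in the answer above trusts whatever the browser puts in the Referer header. That header is unreliable (browsers drop it across origins under strict referrer policies, and it can be missing entirely) and it turns the auth server into an open redirect: anyone can point a victim at http://your-auth-server/exit with a forged Referer and have the auth server bounce them to an arbitrary site after logging them out. The following is an added example, not code from the original answer or from Spring, of a hardened variant of the same idea: the client passes its client_id and the return URL explicitly in the logoutSuccessUrl, the auth server checks that return URL against the redirect URIs registered for that client, revokes the access token if one is supplied, and only then invalidates its own session. It assumes the Spring Security OAuth2 (spring-security-oauth2) ClientDetailsService and ConsumerTokenServices beans that the authorization server already has; the parameter names client_id, post_logout_redirect_uri and token and the class name are this example's own choice.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

/**
 * Hardened single sign-off endpoint for the authorization server (example code, not Spring's).
 * The client's logoutSuccessUrl would be, e.g.
 *   http://your-auth-server/exit?client_id=web&post_logout_redirect_uri=http://client.example/
 * (the parameter names are assumptions made for this example).
 */
@Controller
public class LogoutController {

    // Safe local page used whenever the requested return URL is rejected.
    private static final String FALLBACK = "/login?logout";

    private final ClientDetailsService clientDetailsService;  // registered clients and their redirect URIs
    private final ConsumerTokenServices tokenServices;        // e.g. DefaultTokenServices; can revoke tokens

    public LogoutController(ClientDetailsService clientDetailsService, ConsumerTokenServices tokenServices) {
        this.clientDetailsService = clientDetailsService;
        this.tokenServices = tokenServices;
    }

    @GetMapping("/exit")
    public void exit(@RequestParam("client_id") String clientId,
                     @RequestParam(value = "post_logout_redirect_uri", required = false) String returnUrl,
                     @RequestParam(value = "token", required = false) String accessToken,
                     HttpServletRequest request, HttpServletResponse response) throws IOException {

        // 1. Decide where the user may be sent before touching any state; never trust Referer.
        String target = isRegisteredRedirect(clientId, returnUrl) ? returnUrl : FALLBACK;

        // 2. Revoke the access token (DefaultTokenServices also drops its refresh token),
        //    so resource servers stop honouring it even if the client kept a copy.
        if (accessToken != null) {
            tokenServices.revokeToken(accessToken);
        }

        // 3. Kill the auth server's own session; the next authorization request shows the login page.
        new SecurityContextLogoutHandler().logout(request, null, null);

        response.sendRedirect(target);
    }

    /**
     * Accepts the return URL only if it exactly matches one of the client's registered redirect URIs.
     * Exact match on the normalized absolute URI (scheme, host, port, path) rules out the usual
     * bypasses: user-info tricks (https://client.example@evil.example/), "..", and prefix matches.
     */
    boolean isRegisteredRedirect(String clientId, String returnUrl) {
        if (returnUrl == null || clientId == null) {
            return false;
        }
        URI requested;
        try {
            requested = new URI(returnUrl).normalize();
        } catch (URISyntaxException e) {
            return false;
        }
        if (!requested.isAbsolute() || requested.getRawUserInfo() != null) {
            return false;
        }
        Set<String> registered;
        try {
            ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
            registered = client.getRegisteredRedirectUri() == null
                    ? Collections.<String>emptySet() : client.getRegisteredRedirectUri();
        } catch (ClientRegistrationException e) {
            return false;   // unknown client: fall back to the local page
        }
        for (String allowed : registered) {
            try {
                if (new URI(allowed).normalize().equals(requested)) {
                    return true;
                }
            } catch (URISyntaxException ignored) {
                // a malformed registered URI simply never matches
            }
        }
        return false;
    }
}
```

The order matters: the redirect target is computed from registration data, not from the request, and the token is revoked before the session is invalidated, so a client that still holds the old bearer token cannot keep calling the resource server after the user has signed off. Passing the access token to the auth server for revocation only makes sense over TLS; otherwise leave the token parameter out and rely on short token lifetimes.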

Source: https://habr.com/ru/post/1016113/

