Spring Security OAuth 2 Social Logout

In this short tutorial, you will learn how to configure the /logout functionality in your Spring Boot Web application that uses OAuth2 Social Login. To learn how to implement the OAuth2 Social login feature, please check the following tutorial: Spring Security OAuth 2 Social Login.

For video lessons on how to secure your Spring Boot application with OAuth 2.0 and Spring Security 5, please check out my complete video course OAuth 2.0 in Spring Boot applications.

Configure HttpSecurity

Applications that use Spring Security and OAuth2 Social login have a Java class that extends WebSecurityConfigurerAdapter, and your application most likely has one too. Open it and add the configuration below to enable the logout functionality.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                // ... existing request authorization rules ...
                .and()
                .logout()
                .logoutSuccessHandler(oidcLogoutSuccessHandler())
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                // ... rest of the configuration ...
    }

Below is an example of a working HttpSecurity configuration from one of my projects.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .anyRequest().authenticated()
            .and()
            .logout()
            .logoutSuccessHandler(oidcLogoutSuccessHandler())
            .invalidateHttpSession(true)
            .clearAuthentication(true)
            .deleteCookies("JSESSIONID")
            .and()
            .oauth2Login();
}

Notice that the above configuration uses the oidcLogoutSuccessHandler() function. It makes Spring Security, after ending the local session, redirect the browser to the provider's “end_session_endpoint”, which exists on OAuth2 authentication providers that support OpenID Connect and client-initiated logout. Examples of such providers are Okta and Keycloak, so with this handler the user is also logged out of their Okta or Keycloak account and not only out of your application. Without it, the provider's own session stays alive, and the next login to your application would succeed without prompting for credentials.

To find out whether the OpenID Connect provider you use supports the “end_session_endpoint”, open its discovery document at the .well-known/openid-configuration URL in a browser and check whether it contains “end_session_endpoint”. For example, if you use Okta, the discovery document URL has the following format:

https://{YOUR-OKTA-APP-BASE-URL}/.well-known/openid-configuration

Below is the implementation of the oidcLogoutSuccessHandler() function.

private OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler() {
    // The handler reads the provider's end_session_endpoint from the client registration metadata
    OidcClientInitiatedLogoutSuccessHandler successHandler = new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
    // Where the provider sends the browser back to after it has ended its own session
    successHandler.setPostLogoutRedirectUri("http://localhost:8080/");
    return successHandler;
}

If your application uses an Authorization server that supports the end_session_endpoint, inspecting the HTTP traffic will show an additional redirect to that endpoint that performs an OIDC client-initiated logout with the following request parameters:

/logout?id_token_hint={id-token-value}&post_logout_redirect_uri=http://localhost:8080/
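To make the discovery-document check and the resulting logout redirect concrete, here is a small added Python illustration (not code from this tutorial or from Spring Security): it reads a constructed discovery document, reports whether end_session_endpoint is present, and builds the same redirect that OidcClientInitiatedLogoutSuccessHandler issues, falling back to the local post-logout page when the provider has no end_session_endpoint. The issuer and endpoint URLs are placeholders.

```python
import json
from urllib.parse import urlencode

# Constructed sample of an OpenID Connect discovery document, i.e. the JSON served at
# https://{provider}/.well-known/openid-configuration. Placeholder values, not a real provider.
DISCOVERY_DOC_WITH_LOGOUT = json.dumps({
    "issuer": "https://idp.example.com/oauth2/default",
    "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
    "end_session_endpoint": "https://idp.example.com/oauth2/default/v1/logout",
})

# Constructed document from a provider that does not support OIDC client-initiated logout.
DISCOVERY_DOC_WITHOUT_LOGOUT = json.dumps({
    "issuer": "https://idp.example.com/oauth2/default",
    "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
})


def end_session_endpoint(discovery_json: str):
    """Return the provider's end_session_endpoint, or None when the document lacks it."""
    metadata = json.loads(discovery_json)
    endpoint = metadata.get("end_session_endpoint")
    # The browser will be redirected to this URL, so only accept an absolute https URL.
    if isinstance(endpoint, str) and endpoint.startswith("https://"):
        return endpoint
    return None


def logout_redirect(discovery_json: str, id_token: str, post_logout_redirect_uri: str):
    """Mirror what OidcClientInitiatedLogoutSuccessHandler does after the local logout:
    redirect to end_session_endpoint with id_token_hint and post_logout_redirect_uri when
    the provider supports it, otherwise send the browser straight to the local page."""
    endpoint = end_session_endpoint(discovery_json)
    if endpoint is None:
        return post_logout_redirect_uri
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    })
    return f"{endpoint}?{query}"
```

Feeding the body of your own provider's .well-known/openid-configuration to end_session_endpoint() tells you whether the OIDC logout will actually reach the provider or silently stop at the local session.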

Below is an example of a WebSecurity class that extends WebSecurityConfigurerAdapter and implements both the OAuth Social login and the logout.

package com.appsdeveloperblog.tutorials.oauth2.Oauth2SocialLogin;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {

    // Holds the registered OAuth2/OIDC providers, including their discovery metadata
    @Autowired
    ClientRegistrationRepository clientRegistrationRepository;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/").permitAll()
                .anyRequest().authenticated()
                .and()
                .logout()
                // Ends the provider session too; see oidcLogoutSuccessHandler() below
                .logoutSuccessHandler(oidcLogoutSuccessHandler())
                // .logoutSuccessUrl("/") // local-only alternative to the OIDC handler
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                .and()
                .oauth2Login();
    }

    private OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler() {
        OidcClientInitiatedLogoutSuccessHandler successHandler = new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
        // Where the provider sends the browser back to after it has ended its own session
        successHandler.setPostLogoutRedirectUri("http://localhost:8080/");
        return successHandler;
    }

}

I hope this tutorial was of some value to you.
