OAuth 2 Logout not working even after upgrade to Spring Sec 5.2.0.M4

[vekdeq]

Hi Team,

I have been looking for this for some days now. We have spring boot based application(s) using Okta as IDP, using okta spring boot starter - which inject Spring Security 5.1.5. With some efforts, I was able to configure gradle script where in my WAR file now have Spring Security 5.2.0.M4 jars. I am still unable to clear / kill Okta Session - after hitting default logout url. It is configured as link (app/logout) on app's UI - so no XHR - just link. Am I missing anything ?

Vivek

[jzheaux]

Sorry that you are having difficulties, @vekdeq, happy to help.

So that I can understand the issue better, what leads you to believe it is an issue with the Spring Security code? For example, is the redirect to Okta not happening? Specific details will help.

Could you provide a sample that reproduces the issue?

[vekdeq]

Hi Josh,

This is in regards to : gh-5350 - OpenID Connect RP-Initiated Logout issue, which is included as part of this release. I may be doing something wrong - but here is my use case. I have Okta as IDP, Spring boot 2+, Okta - Spring - Boot Starter (which includes Spring Security). I have configured, one app in Okta and I have multiple WARs - representing different functional needs. WARs are deployed to Tomcat app server and Okta Login Page is used for login into app. Even though there are multiple WARs, from end user point of view - it represents separate section in User Portal. So user can log into any of the section - by hitting secure URLs - which is redirected to Okta Login Page - on successful authentication - user is redirected to the page he / she was trying to access. In application, we check if user is logged in or not - by checking Authentication object (SecurityContextHolder.getContext().getAuthentication()) is NOT NULL & the sub in Authentication is matching that of application user session object.

There is nothing specific in WebSecurityConfig - like below

  http
  	.csrf().disable()
  	.authorizeRequests().anyRequest().authenticated()
  	.and().logout().clearAuthentication(true)
	.deleteCookies().invalidateHttpSession(true).

Here are the needs / questions :

When I logout (I have a link to /logout URL which is default configuration) - its needs to do 2 things
a. Kill the Okta Session IDP session.
b. Clear Authentication object in my application Security Context.

Both these things are not happening and the issue raised with Okta Boot API - they pointed to Spring Security 5.2.0 release
okta/okta-spring-boot#126,
which I configured - but still did't work. Please advise.

Vivek

[jzheaux]

@vekdeq Thank you for detailing out some of your configuration - that may have cleared things up for me.

To use OIDC logout, you will need something like:

@Autowired
ClientRegistrationRepository clientRegistrationRepository;

protected void configure(HttpSecurity http) throws Exception {
    LogoutSuccessHandler logoutHandler =
            new OidcClientInitiatedLogoutSuccessHandler(this.clientRegistrationRepository);
    http
        // ... other configs
        .logout()
            .addLogoutHandler(logoutHandler);
}

We are a little behind on our docs, but you can see a sample in the unit tests.

If this doesn't address your issue, would you please post a sample application, for example to GitHub, that can reproduce the issue?

[vekdeq]

Thanks Josh !!

I was aware that I could do it through custom logoutHandler - but I was under impression that with Okta Boot Starter, Okta Java SDK & Okta Auth Java APIs, it will be inbuilt and hence I raised this issue in Okta Support group. Further, I was referring to this documentation, https://developer.okta.com/docs/guides/sign-users-out/springboot/sign-out-of-okta/

As per that, the Okta logout will be available with Spring Security 5.2.0.M release. Hence I was checking with this release. As still the challenge remains - how to get id_token_hint from Authentication object - for which I need to make Authorize api call - for which I need to know id/ pwd - which I don't have it once user is logged in.

Vivek

[jzheaux]

how to get id_token_hint from Authentication object

Have you already taken a look at how OidcClientInitiatedLogoutHandler does it?

https://github.com/spring-projects/spring-security/blob/master/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java#L86

for which I need to make Authorize api call - for which I need to know id/ pwd

I guess I'm not sure why you need to do those things as the token that was used during login is stored in the Authentication instance.

[vekdeq]

Hi Josh,

Sorry I was busy in few other things. I am going to check above details and will get back to you. Regarding id_token_hint, we don't use token to authenticate / rather - it is Okta hosted Login Page and then I have bearer token in my Authentication Object. I guess for logout, I need other token (may be JWT token). Please correct me if I am wrong.

Vivek

[jzheaux]

then I have bearer token

By bearer token, do you mean as an Authorization header? If so, then I think I'm lost regarding your setup. Would you be willing to problem a sample that demonstrates?

The reason I'm confused is that clients that have a need to logout would typically login using an OAuth 2.0 authorization flow for which Spring Security would preserve the id token in the Authentication for you. It's not as common for, say, a RESTful API that needs an Authorization header to also be the entity performing the logout.

[vekdeq]

Alright - here is our setup:
Spring boot based WAR applications deployed on Tomcat with Okta acting as IDP having authentication flow.

    api ("com.okta.spring:okta-spring-boot-starter:1.2.1")
api ("com.okta.spring:okta-spring-sdk")	
compileOnly apiElements ("com.okta.authn.sdk:okta-authn-sdk-api:1.0.0")
api ("com.okta.authn.sdk:okta-authn-sdk-impl:1.0.0")

---

Each app have WebSecurityConfig as below;

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@OverRide
protected void configure(final HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests().anyRequest().authenticated()
.and().logout().clearAuthentication(true)
.deleteCookies().invalidateHttpSession(true);
}
}

---

In application interceptor, we check the request is authenticated and retrieve login id for further processing :

Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

  LOGGER.debug("==== Authentication ===="+authentication);
  if (authentication instanceof OAuth2AuthenticationToken) {
 		String emailId = oktaClient.getUser(authentication.getName()).getProfile().getLogin();

OAuth2AccessToken accessToken = authorizedClientService.loadAuthorizedClient(
((OAuth2AuthenticationToken)authentication).getAuthorizedClientRegistrationId()
,authentication.getName()).getAccessToken();
----------------------------
This accessToken is of type bearer - which can't work for logout url. Okta support team told us that the id_token_hint value needs to be the one which is available through rest call as below;

https://azdeq.oktapreview.com/oauth2/v1/authorize?response_type=id_token&client_id=xxxx&redirect_url=xxxx&&scope=openid&nonce=abcd&state=authn

We are looking to configure our spring boot layer to take care of logout which will be simple /logout link from UI to kill Okta Session and App Session.

Vivek

[jzheaux]

Just to gather a bit more information, does the following work, @vekdeq, to get the id token:

OAuth2AuthenticationToken authentication = (OAuth2AuthenticationToken) authentication;
OAuth2User user = authentication.getPrincipal();
if (user instanceof OidcUser) { // this should be the case since you are using OIDC
    OidcIdToken idToken = ((OidcUser) user).getIdToken();
    // ... use token
}

Also, have you had any luck trying to use or borrow OidcClientInitiatedLogoutHandler?

[vekdeq]

Hi Josh,

I tried using OidcClientInitiatedLogoutHandler directly after making some changes to our gradle files to inject spring security 5.2.0.M4. For some reason, I overlooked your earlier post and was thinking to build my custom logout handler and use id_token_hint. But OidcClientInitiatedLogoutHandler should take care of our needs (at least at this time).

So after configuring websecurityconfig to have OidcClientInitiatedLogoutHandler as logoutsuccesshandler, I tested the flow - but it didn't work as expected. It's not killing Okta Session.

@configuration

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

private static final Logger LOGGER = LoggerFactory.getLogger(WebSecurityConfig.class);

@Autowired
private ClientRegistrationRepository clientRegistrationRepository;

@OverRide
protected void configure(final HttpSecurity http) throws Exception {
LogoutSuccessHandler logoutHandler = new OidcClientInitiatedLogoutSuccessHandler(this.clientRegistrationRepository);
http
.csrf().disable()
.authorizeRequests().anyRequest().authenticated()
.and()
.logout()
//.logoutSuccessUrl("xxxx");
.logoutSuccessHandler(logoutHandler);
}
}

My guess is ClientRegistrationRepository - may not be getting set as expected. Do I need set any additional properties currently ? While logoutSuccessUrl - works as expected and network tab shows /logout then xxx URL; but for logoutSuccessHandler - it goes like below;
-- /logout redirects to
----- https://xxx.com//
------ http://xxx.com//oauth2/authorization/okta redirects to
------- https://xxx.com//oauth2/authorization/okta goes to
-------- https://xxx.oktapreview.com/oauth2/v1/authorize?response_type=code&client_id=&scope=openid%20profile%20email&state=emjmYD_lNn4CdJej1Pg1CplQOi1C4QotAGjlQoeys7M%3D&redirect_uri=http://xxx.com//login/oauth2/code/okta
--------- http://xxx.com//login/oauth2/code/okta?code=5dsb7NuCeJBMqTnBkRYm&state=emjmYD_lNn4CdJej1Pg1CplQOi1C4QotAGjlQoeys7M%3D
------- https://xxx.com//login/oauth2/code/okta?code=5dsb7NuCeJBMqTnBkRYm&state=emjmYD_lNn4CdJej1Pg1CplQOi1C4QotAGjlQoeys7M%3D

Can you please help further ?

[jzheaux]

@vekdeq Will you please compare your setup to this test one: https://github.com/spring-projects/spring-security/blob/master/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java#L833

Since it is redirecting to / instead of the end_session_endpoint, I'm guessing that the handler cannot find what it needs in the ClientRegistrationRepository. We'd make progress more quickly if you produced a sample application (like a GitHub repo) that reproduces your issue.

[vekdeq]

Alright !! I figured out - the end_session_endpoint was NULL. It seems Okta starter boot (1.2.1) doesn't support Spring security 5.2.0.M4 yet, hence the ConfigurationMetadata of ProviderDetails of ClientRegistration object is Empty. I guess I need to inject that by some other way (like ur unit test ) or I need to have custom logoutsuccesshandler which will have it predefined. I don't know, if there is any other better way to do it that (like prop file entry). Let me know, if you know better way.

Coming to second issue : How can I configure Spring Security to check with IDP in each request / hit ? The need is as stated initially - we have multiple Apps (WARs) in Web Portals - representing unified user experience as per functional needs. If user navigates across different apps - it is seamless - if he is logged in - where in Authentication Object is available in across all Apps if user if logged in. Now if I logout from App 1 - my Okta & App 1 sessions are killed - but app 2 spring sec & http session is still active. - which is not expected security need. Please guide.

Thanks again !!

[jzheaux]

I'm glad to hear you've resolved your issue, @vekdeq! Nice work.

I'm going to close this issue at this point. Stack Overflow is our preferred platform for handling support requests, as mentioned in the guidelines for contributing.

If you have further questions (it sounds like you might), please ask them on StackOverflow - we as a team watch the spring-security tag, among others, and there are many community members who do the same. Asking your question on StackOverflow also makes it more easily searchable over time.

Of course, if you find a bug or want to make an enhancement request, always feel free to log another GitHub ticket!