Spring OAuth2Sso can still log in user when authorization server has no access or refresh token

April 2019

Views

170 time

1

I'm trying to log out users using Spring OAuth2. I have a server with the @EnableOAuth2Sso annotation and a different server with the @EnableAuthorizationServer annotation.

The Sso server uses the authorization_code flow to sign the user in and has a logout endpoint, which in turn contacts the authorization server to get rid of the user's access and refresh tokens.

When called, these tokens are removed, as they no longer appear in MongoDB, but as soon as I refresh my page (connected to the Sso server) I get automatically logged in again, as the authorization server creates a new access and refresh token.

I suspect my Sso server still has a valid authorization code, allowing it to request new tokens from the authorization server, but I can't find where the authorization server manages these authorization codes. Does anybody know where these are stored and how I can invalidate these authorization codes? Or am I on the wrong track entirely?

Update: I figured out the problem is indeed related to sessions, as dur suggested. When I delete the session cookie of the Sso server in the browser, I have to re-authenticate with the authorization server. I cannot get the Sso server to destroy my cookie, though. I've tried manually looping through the cookies and expiring them in the following way (mind, I'm using Kotlin):

@RequestMapping("/logout",
        method = [RequestMethod.GET]
)
@ResponseBody
fun redirectToLogout(request: HttpServletRequest) : RedirectView{
    ...
    val uri = authServerInstance.uri.normalize()
    val redirectView = RedirectView()
    redirectView.url = "$uri/auth/logout"

    request.cookies.forEach {
        it.maxAge = 0
    }
    ...
    return redirectView
}

I also tried to invalidate the session via the following way:

@RequestMapping("/logout",
        method = [RequestMethod.GET]
)
@ResponseBody
fun redirectToLogout(request: HttpServletRequest) : RedirectView{
    ...
    val uri = authServerInstance.uri.normalize()
    val redirectView = RedirectView()
    redirectView.url = "$uri/auth/logout"

    request.session.invalidate()
    ...
    return redirectView
}

In both instances the Sso server tries to invalidate the session and then sends a request to the authorization server to invalidate the user's access and refresh tokens, but somehow the session cookies are not invalidated.

1 answer

0

The Sso server could delete its session cookie just fine. In the examples in the question, I was redirecting to the logout endpoint of the authorization server through Netflix Zuul, which basically meant that the session cookie of the Sso server was still used when on the authorization server. As a result, the authorization server couldn't destroy its own session cookie, which was made when originally redirected from the authentication page on the authorization server.

So to solve the issue I'm now redirecting to the authorization server directly, so that it can destroy its session cookie.
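
A sketch of the logout flow the answer describes, as an added example (not the poster's code): the Sso server ends its own session, expires its own cookie on the response, then redirects the browser straight to the authorization server so that server receives and can destroy its own session cookie. Assumptions: the property name `auth-server.external-url` is hypothetical, the session cookie uses the servlet default name `JSESSIONID`, and `/auth/logout` is the logout path taken from the question.

```kotlin
import javax.servlet.http.Cookie
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.beans.factory.annotation.Value
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.stereotype.Controller
import org.springframework.web.bind.annotation.GetMapping
import org.springframework.web.servlet.view.RedirectView

@Controller
class SsoLogoutController(
    // Assumption: browser-reachable base URL of the authorization server itself,
    // not a Zuul route on the Sso server. Hypothetical property name.
    @Value("\${auth-server.external-url}") private val authServerUrl: String
) {
    @GetMapping("/logout")
    fun logout(request: HttpServletRequest, response: HttpServletResponse): RedirectView {
        // 1. End the Sso server's own session and security context.
        //    getSession(false) avoids creating a new session just to invalidate it.
        request.getSession(false)?.invalidate()
        SecurityContextHolder.clearContext()

        // 2. Expire the Sso session cookie in the browser. Changing maxAge on the
        //    cookies read from the request has no effect; the expired cookie must
        //    be sent back on the response with the same name and path.
        val expired = Cookie("JSESSIONID", "") // assumption: default cookie name
        expired.maxAge = 0
        expired.path = if (request.contextPath.isEmpty()) "/" else request.contextPath
        expired.isHttpOnly = true
        expired.secure = request.isSecure
        response.addCookie(expired)

        // 3. Redirect to the authorization server's own origin. Cookies are scoped
        //    to the host that set them, so only a request to that origin carries the
        //    authorization server's session cookie and lets it invalidate its session.
        //    Through a proxy path on the Sso host, the browser sends the Sso cookie.
        return RedirectView("${authServerUrl.trimEnd('/')}/auth/logout")
    }
}
```

To check the result, confirm in the browser's developer tools that both origins answer the logout flow with a `Set-Cookie` that expires their session cookie, and that reloading the Sso page then shows the authorization server's login form.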