Spring Authorization Server - how do you implement a 'log out user' functionality?
I've been trying to log out a user by accessing the token/revoke endpoint from the authorization server, but I only get a 404.
At the moment, I can't even find the endpoint for revoking the token and I don't know what to do. How do you figure out what's the actual endpoint for revoking the token?
The only other topic I can find on the matter is this one:
Spring oauth2 authorization server: unable to logout users but after implementing this answer, I still get a 404.
Here's what I have:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import static org.springframework.security.config.Customizer.withDefaults;

@Bean
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    // Every request needs an authenticated session; unauthenticated users are sent to the form login page
    http.authorizeRequests(authorizeRequests ->
            authorizeRequests.anyRequest().authenticated()
        )
        .formLogin(withDefaults());
    // Logout clears the local session on the authorization server only; it does not revoke issued tokens
    http.logout()
        .clearAuthentication(true)
        .invalidateHttpSession(true)
        .deleteCookies("JSESSIONID");
    http.authenticationProvider(authenticationProvider()); // authenticationProvider() is defined elsewhere in this config
    return http.build();
}
```
How do I even begin revoking the token of an authenticated user?
Solution 1:[1]
The token revocation endpoint on Spring Authorization Server is /oauth2/revoke, and it implements RFC 7009 (OAuth 2.0 Token Revocation Endpoint). You can always call /.well-known/openid-configuration or /.well-known/oauth-authorization-server to discover these values, which also allows clients to "self-configure" based on the provider.
As noted in this answer, logout is not connected to token revocation by default, because OAuth 2.1 is focused on authorization, not authentication. You would have to connect them through a customization, which is touched on in that answer. The situation may be improved in the future as we work through implementing additional pieces of the OpenID Connect 1.0 family of specifications.
However, if you're using Spring Security with the backend-for-frontend pattern (BFF) on the client and also using OpenID Connect to log in, you can configure logout. See OpenID Connect 1.0 Logout in the reference docs for more information.
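As an added example that is not part of the answer above or of Spring's own code, here is the kind of customization the answer alludes to, done on the OAuth2 client (BFF) side rather than on the authorization server: a `LogoutHandler` that sends an RFC 7009 revocation request for the user's refresh and access tokens before the client's own session is cleared. It assumes the client registration was built with `ClientRegistrations.fromIssuerLocation(...)`, so the provider metadata map contains the `revocation_endpoint` advertised at `/.well-known/openid-configuration` (for Spring Authorization Server that is `/oauth2/revoke`), that the client uses `client_secret_basic`, and that the registration id `my-bff-client` is a placeholder. `javax.servlet` is used as in the Spring Security 5 / Boot 2 line; on Boot 3 the package is `jakarta.servlet`.

```java
// Added example: revoke the user's tokens (RFC 7009) when the BFF client logs the user out.
// Assumptions: registration built via ClientRegistrations.fromIssuerLocation(...) so that
// providerDetails.configurationMetadata holds "revocation_endpoint"; client_secret_basic auth.
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.http.HttpServletRequest;   // jakarta.servlet.http.* on Spring Boot 3
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AbstractOAuth2Token;
import org.springframework.security.web.authentication.logout.LogoutHandler;

public class TokenRevokingLogoutHandler implements LogoutHandler {

    private final OAuth2AuthorizedClientService authorizedClients;
    private final String registrationId; // e.g. "my-bff-client" (placeholder name)
    private final HttpClient http = HttpClient.newHttpClient();

    public TokenRevokingLogoutHandler(OAuth2AuthorizedClientService authorizedClients, String registrationId) {
        this.authorizedClients = authorizedClients;
        this.registrationId = registrationId;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        if (authentication == null) {
            return; // nothing to revoke for an anonymous session
        }
        OAuth2AuthorizedClient client =
                authorizedClients.loadAuthorizedClient(registrationId, authentication.getName());
        if (client == null) {
            return; // user never completed the authorization code flow with this client
        }
        ClientRegistration reg = client.getClientRegistration();
        Object endpoint = reg.getProviderDetails().getConfigurationMetadata().get("revocation_endpoint");
        if (endpoint == null) {
            return; // provider does not advertise RFC 7009 support in its discovery document
        }
        // Refresh token first: RFC 7009 says revoking it SHOULD also invalidate the access tokens
        // issued on the same grant; the access token is revoked explicitly as well.
        if (client.getRefreshToken() != null) {
            revoke(endpoint.toString(), reg, client.getRefreshToken(), "refresh_token");
        }
        revoke(endpoint.toString(), reg, client.getAccessToken(), "access_token");
        // Drop the client's stored copy regardless of the server's reply so local logout completes.
        authorizedClients.removeAuthorizedClient(registrationId, authentication.getName());
    }

    private void revoke(String endpoint, ClientRegistration reg, AbstractOAuth2Token token, String hint) {
        // RFC 7009 section 2.1: POST, form-urlencoded, "token" plus optional "token_type_hint"
        String body = "token=" + enc(token.getTokenValue()) + "&token_type_hint=" + hint;
        // RFC 6749 section 2.3.1: client id and secret are form-encoded before Basic encoding
        String credentials = enc(reg.getClientId()) + ":" + enc(reg.getClientSecret());
        String basic = Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
        HttpRequest req = HttpRequest.newBuilder(URI.create(endpoint))
                .header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        try {
            HttpResponse<Void> resp = http.send(req, HttpResponse.BodyHandlers.discarding());
            // RFC 7009 section 2.2: 200 means the token is now invalid; the server also answers 200
            // for tokens it does not know, so a non-200 status points at a client auth or request problem.
            if (resp.statusCode() != 200) {
                System.err.println("Token revocation failed with HTTP " + resp.statusCode());
            }
        } catch (IOException e) {
            System.err.println("Token revocation request failed: " + e.getMessage());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    private static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }
}
```

Wire it into the client's filter chain with `http.logout(logout -> logout.addLogoutHandler(new TokenRevokingLogoutHandler(authorizedClientService, "my-bff-client")))`; Spring runs added handlers before its own session-clearing handlers, so the tokens are still loadable from the `OAuth2AuthorizedClientService` when the handler executes. Revocation errors are logged rather than propagated on purpose: a user must be able to end the local session even when the authorization server is unreachable, and the short-lived access token still expires on its own.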
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
