
In a Spring Boot 2 web site, a user can decide to log in via email/password (after creating an account) or use Facebook/Google login (OAuth2).

Currently:

User X connects via Google, then logs out.

User Y tries to connect via Google but gets user X's session.

Logout is not done via Google.

I would like logout to support this use case:

User X connects via Google, then logs out.

User Y clicks to connect via Google and needs to enter a username/password (I don't want them connected as the previous user).

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers("/oauth_login", "/loginFailure", "/", "/logout")
            .permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .oauth2Login()
            .loginPage("/oauth_login")
            .authorizationEndpoint()
            .baseUri("/oauth2/authorize-client")
            .authorizationRequestRepository(authorizationRequestRepository())
            .and()
            .tokenEndpoint()
            .accessTokenResponseClient(accessTokenResponseClient())
            .and()
            .defaultSuccessUrl("/loginSuccess")
            .failureUrl("/loginFailure")
            .and()
            .logout()
            .logoutSuccessUrl("/")
            .invalidateHttpSession(true);
    }

If I remove .csrf().disable(), I get a 403 error. I don't understand why. The HTML logout:

    <a href="#" onclick="document.getElementById('logoutForm').submit();">Logout</a>
    <form id="logoutForm" action="/logout" method="post">
        <input hidden type="submit" value="Sign Out"/>
    </form>

Edit

There seem to be a lot of threads with this kind of error...

like this one...

google account logout and redirect

It seems like a token issue.

So it's just dangerous to use OAuth on a public computer...

robert trudel
  • After logout your session should be invalidated. Are you sure that user Y sends the same session cookie and gets the same session? Add the request and response with headers for user Y to your question. – dur Jun 11 '19 at 20:03
  • Invalidation doesn't have any impact on the Facebook/Google connection. – robert trudel Jun 11 '19 at 20:07
  • I doubt that Google doesn't invalidate its session, hence I was thinking that your session isn't invalidated. If you post the request and response with headers I could see what really happens. Use the dev tools in your browser (F12) to see the requests and responses. – dur Jun 11 '19 at 20:13
  • User X's request and response aren't helpful. You have to post user Y's request and response. – dur Jun 12 '19 at 12:42
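As an added example (not the asker's code and not an answer from this page), a Spring Security 5.1+ configuration that keeps CSRF enabled and appends prompt=select_account to the Google authorization request, so that after a local logout the next person at the browser is shown Google's account chooser instead of silently inheriting the previous user's Google session. Assumed: the ClientRegistrationRepository bean from Spring Boot's OAuth2 client auto-configuration, and the same /oauth2/authorize-client base URI as in the question.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired private ClientRegistrationRepository registrations; // assumed Boot-provided bean

    @Override protected void configure(HttpSecurity http) throws Exception {
        http // CSRF stays enabled: the logout form must POST the _csrf token or it gets a 403
            .authorizeRequests()
                .antMatchers("/oauth_login", "/loginFailure", "/").permitAll()
                .anyRequest().authenticated()
            .and()
            .oauth2Login()
                .loginPage("/oauth_login")
                .authorizationEndpoint()
                    .baseUri("/oauth2/authorize-client")
                    .authorizationRequestResolver(selectAccountResolver())
                .and()
            .and()
            .logout()
                .logoutSuccessUrl("/")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID"); // local session only; Google's session is untouched
    }
    // Wraps Spring's default resolver and adds prompt=select_account to every authorization request.
    private OAuth2AuthorizationRequestResolver selectAccountResolver() {
        DefaultOAuth2AuthorizationRequestResolver delegate =
            new DefaultOAuth2AuthorizationRequestResolver(registrations, "/oauth2/authorize-client");
        return new OAuth2AuthorizationRequestResolver() {
            public OAuth2AuthorizationRequest resolve(HttpServletRequest r) { return withPrompt(delegate.resolve(r)); }
            public OAuth2AuthorizationRequest resolve(HttpServletRequest r, String id) { return withPrompt(delegate.resolve(r, id)); }
        };
    }
    private static OAuth2AuthorizationRequest withPrompt(OAuth2AuthorizationRequest req) {
        if (req == null) return null; // not an authorization request; let the filter chain continue
        Map<String, Object> extra = new HashMap<>(req.getAdditionalParameters());
        extra.put("prompt", "select_account"); // use "login" to force re-entering credentials
        return OAuth2AuthorizationRequest.from(req).additionalParameters(extra).build();
    }
}
```

The application's logout ends only its own session, so the prompt parameter is what stops Google from reusing the browser's existing Google login. With CSRF left on, the logout form in the question also needs a hidden input carrying the CSRF token (named _csrf by default), which Thymeleaf's th:action inserts automatically.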

0 Answers