
I'm developing a web application with Spring Boot, using Azure AD and OAuth 2.0 for authentication to secure the backend.

If I log out via, for example, the Outlook Web App, my web application should register this and log out as well (at least when I reload or reopen the page). How do I implement that? Right now the web application still appears to be logged in. Unfortunately I did not find an approach to implement this behavior consistently. Only if I use the self-implemented log-out button does it show the desired effect: the HttpSession gets invalidated and the cookies are deleted.

I have already implemented a login and logout via Azure AD in my web application (see code). As soon as I log out via the button of my own application, I am automatically logged out of other Azure applications (e.g. Outlook Web App) that require Azure SSO.

I already tried the @PreAuthorize annotation described here: "Spring MVC - Checking if User is already logged in via Spring Security?", but this seems not to be the solution.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request requires an authenticated user; login is done via OIDC (Azure AD)
        http
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .oauth2Login()
                .userInfoEndpoint()
                .oidcUserService(oidcUserService);

        // Local logout, then redirect the browser to the Azure AD sign-out endpoint
        http.logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .clearAuthentication(true)
                .logoutSuccessUrl("https://login.microsoftonline.com/common/oauth2/logout");
    }

Redirect to main page:

    @GetMapping("login/oauth2/code/azure")
    public ModelAndView redirectToRoot(ModelMap modelMap) {
        return new ModelAndView("redirect:/", modelMap);
    }
tomson

1 Answer


I have never implemented this myself, but if I remember right, all OAuth2 providers have some kind of a SingleSignOut endpoint, if you call this in your logout method, it will log the user out from every app that is connected to this provider. After refreshing the page of your webapp, the security should recognize that the user is then no longer logged in and redirect him to the login page. Hope I could help you a bit. :)

Edit: I found this after a quick search: https://github.com/juanzero000/spring-boot-oauth2-sso .

Max R.
  • Thank you for your answer. I tried this too, but as mentioned on https://stackoverflow.com/questions/43071370/spring-boot-oauth2-single-sign-off-logout logging out from one WebApp doesn't affect the other. – tomson Jun 18 '19 at 12:35
  • Are you using OpenID Connect on top of OAuth2? – Max R. Jun 18 '19 at 13:04
  • Then this might be the thing you need: http://docs.identityserver.io/en/latest/endpoints/endsession.html " All applications that the user has logged into via the browser during the user’s session can participate in the sign-out.", I hope this will help you :) – Max R. Jun 19 '19 at 06:12
  • Yes! You are right. I didn't realise that I had to change this on Azure AD and not with code... https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request – tomson Jul 02 '19 at 09:32
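What the resolution in the comments looks like on the Spring side, as an added example that is neither the asker's code nor Spring Security's own sample: the application exposes a front-channel logout URL that Azure AD loads in the user's browser when the user signs out of any other app, and it replaces the hard-coded logout URL with Spring's RP-initiated logout handler. It assumes Spring Boot 2 with spring-boot-starter-oauth2-client and Spring Security 5.4 or later, a client registration for Azure AD, and a hypothetical path /logout/frontchannel that must be registered as the app's front-channel logout URL in the Azure AD app registration.

```java
// Added example, not the asker's code. Assumes Spring Security 5.4+ and an OIDC
// client registration; the path /logout/frontchannel is a hypothetical choice.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

@Configuration
@EnableWebSecurity
public class LogoutConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private ClientRegistrationRepository clientRegistrations;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // RP-initiated logout: builds the end_session request from the provider's
        // discovery document, including id_token_hint and post_logout_redirect_uri.
        OidcClientInitiatedLogoutSuccessHandler oidcLogout =
                new OidcClientInitiatedLogoutSuccessHandler(clientRegistrations);
        oidcLogout.setPostLogoutRedirectUri("{baseUrl}/");

        http.authorizeRequests()
                // Azure AD calls this URL from a hidden iframe without credentials of its own
                .antMatchers("/logout/frontchannel").permitAll()
                .anyRequest().authenticated()
            .and().oauth2Login()
            .and().logout()
                .logoutSuccessHandler(oidcLogout)
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID");
    }
}

// Front-channel logout receiver: drops the local session when the user signs out elsewhere
@RestController
class FrontChannelLogoutController {
    @GetMapping("/logout/frontchannel")
    public void frontChannelLogout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate(); // next page load requires a fresh login
        SecurityContextHolder.clearContext();
    }
}
```

The iframe request comes from login.microsoftonline.com, so the session cookie is only sent (and the invalidation only takes effect) if JSESSIONID is issued with SameSite=None and Secure, and Azure AD accepts only an HTTPS front-channel logout URL.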