Logout from OAuth2 Client Server - Local Logout and OIDC Provider Logout

Captions
Hi everyone, welcome to Java Rush. Let's continue our discussion of securing single-page applications with Spring Security. In this video we are going to see how to implement logout when using the OAuth2 authentication and authorization protocol. Till now we have created the authorization server, client server and resource server, and we are able to log in to the client server using the authorization server, and we are able to access resources from the resource server with the same access token.

Now I made a little change here. What I did is, instead of using our own authorization server, I'm using the authorization server of Okta. So on the Okta developer platform I went ahead and created a web application. In the resource server I changed the issuer URI to the URI which is available on Okta; when I created the application I got this issuer URI, so I'm using that here. Similarly in the client server application as well, in application.properties, I changed the client ID to the client ID which I received from Okta when I created the application, and this here will be the client secret. These are just placeholders; I will pause the video and I will replace these with the actual client ID and client secret.

So I went ahead and replaced those placeholders with the actual client ID and client secret, and I started the client application here using the `mvnw spring-boot:run` command, and I started the resource server as well using `gradlew bootRun`, since we are using Gradle for the resource server. Now I should be able to use the application, so I will open a new private window here, localhost:8081; this is the port for the client server, 8081. Now you can see, since we are not logged in, we are redirected to the authorization server, Okta in this case, to enter username and password. I have already created a user in the Okta platform, so the email is john.smith@newuser.com and I have created a password here. Click on sign in, so we are able to log in and we can see the client application here, and these two buttons, as you already know, send requests to the resource server. So let's test them out. I will open the network tab here so we can see the actual request. We'll click on POST hello, so this should send a POST request to the resource server, and we got the response back, and the GET request is also working.

Now we need to add a logout button here, so let's do that. Let's go to app.component.html and copy this. In order to log out we just need to redirect the user to the logout endpoint, so let's say after it, if I say /logout, then the user will see this logout page. So we just need to redirect the user to /logout. Here I will create a link instead of a button, so an `li` and an `a` whose href will be /logout (this is the default endpoint provided by Spring Security), and I will say "Logout". I will save it and I will restart the client application. I have restarted the client server; now I will again go to localhost:8081. Now we can see the logout link here, so let's try. Everything is working fine: the POST request is working, the GET request is working. Let's click on logout, so now the user is redirected to "Are you sure you want to log out?". Now let's click on logout. Let's open inspect here, click on logout here; now we can see we are getting an error called "Invalid CSRF token".

In order to solve this issue we need to go to the authorization config in the client server OAuth2 application, and here, instead of using `XorServerCsrfTokenRequestAttributeHandler`, we just need to use `ServerCsrfTokenRequestAttributeHandler` and it will work fine. So now let's restart the application. The application has restarted; now let's refresh the page. We are logged in; now let's test whether the POST and GET requests are working or not. These are working. It's very important to test all the POST requests when we modify the CSRF configuration, because all the POST requests need the CSRF token. Let's say we fix the logout issue, but we don't want to introduce any other issue which prevents our POST requests, so we need to test everything. Let's click on logout and click on logout here; you can see we are logged out of the application.

Now let's click on "Login with Okta" again. Whenever we click on this link, it's not asking us for username and password again. Why? Because we are just logged out of the client application, but we are still logged into the authorization server, Okta in this case, so it won't ask for username and password again. Now let's say what you want is, whenever the user logs out of the client application, you want him to be logged out of the authorization server as well. You can do that. If you go to this documentation, you can search for "Spring Security OIDC logout" and you will get this reference documentation. If I read it: once an end user is able to log in to your application, it's important to consider how they will log out. Generally speaking, there are three use cases for you to consider. The first is if you want to perform local logout; local logout means logout from the client server only. The second is "I want to log out both my application and the OIDC provider", so you want the user to be logged out from your application as well as from the authorization server, and this logout will be initiated by the application. The third use case is similar to the second use case, but the logout will be initiated by the OIDC provider.

So we have already seen the local logout: we just need to send a GET request to the /logout endpoint and the user needs to click on the logout button. But let's say you want to log out the user from the authorization server as well. For that we need to make some changes. First of all we need to enable WebFlux security here, so let's do that. I will go to the authorization config in the client server and here add `@EnableWebFluxSecurity`, and then we need to create a `ServerLogoutSuccessHandler`. So let's create this one: copy it, paste it here, and we need to create one autowired instance variable. Here the type is `ReactiveClientRegistrationRepository` and the variable name is `clientRegistrationRepository`. In the application.properties file we define all the parameters for the authorization server; from those parameters the `ReactiveClientRegistrationRepository` is automatically bound to our application, and then we can use this repository. So what we are doing is, we are creating an `OidcClientInitiatedServerLogoutSuccessHandler` using this client registration repository, and we are logging out the user, and after logout we will redirect the user to the base URL, which is the base URL of our client application.

Now we need to add this to the logout success handler, so here we can go ahead and click on `http.logout`, the logout spec, and what we want to do is `logoutSuccessHandler`. We want to make this the logout success handler, so we can just call this method, `oidcLogoutSuccessHandler`. After successful logout this method will be called, and this method will log out the user from the authorization server. Okay, so let's save the changes and restart the application. The application has been restarted; let's refresh the page here. Let's try sending some requests first. I will send a POST request to the resource server and it's working fine. Now I will send a GET request to the resource server; it's also working. Let's click on logout and logout, so the user is logged out, and the user is logged out from the client application as well as from the authorization server. That's why we can see this login form here, so we need to log in again. If I go to localhost:8081, now you can see we are not logged into the authorization server; we need to provide username and password again in order to log in to the client application.

So that's how we perform the logout. Either you can just have local logout, or you can have local logout with logout from the OIDC provider, and that can be initiated by your client as well as from the OIDC provider. How to initiate the logout from the OIDC provider, you can reference that here; I won't cover that here. That's it for this video. Thank you for watching. I will meet you in the next video. Until then, keep learning. Bye.
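As an added example (not the channel's code), here is what the client server's WebFlux security configuration described in the video looks like in Spring Security 6: local logout at /logout, then RP-initiated logout at the OIDC provider via `OidcClientInitiatedServerLogoutSuccessHandler`, with the plain `ServerCsrfTokenRequestAttributeHandler` swapped in as the video does. The class name `AuthorizationConfig`, the `authenticated()` rule and the cookie-based CSRF token repository for the SPA are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestAttributeHandler;

// Assumed class name; the video only calls it the "authorization config" of the client server.
@Configuration
@EnableWebFluxSecurity
public class AuthorizationConfig {

    // Bound automatically from the spring.security.oauth2.client.* entries in application.properties.
    private final ReactiveClientRegistrationRepository clientRegistrationRepository;

    public AuthorizationConfig(ReactiveClientRegistrationRepository clientRegistrationRepository) {
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .oauth2Login(Customizer.withDefaults())
            .csrf(csrf -> csrf
                // Assumed: cookie repository so the SPA can read the token and echo it in a header.
                .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
                // Plain handler, as in the video. The default XorServerCsrfTokenRequestAttributeHandler
                // masks the token per request as a BREACH mitigation; the plain handler gives that
                // masking up, which matters if compressed responses embed the raw token.
                .csrfTokenRequestHandler(new ServerCsrfTokenRequestAttributeHandler()))
            // Local logout at POST /logout, followed by RP-initiated logout at the OIDC provider.
            .logout(logout -> logout.logoutSuccessHandler(oidcLogoutSuccessHandler()));
        return http.build();
    }

    private ServerLogoutSuccessHandler oidcLogoutSuccessHandler() {
        OidcClientInitiatedServerLogoutSuccessHandler handler =
            new OidcClientInitiatedServerLogoutSuccessHandler(this.clientRegistrationRepository);
        // Once the provider has ended its session, send the browser back to the client's base URL.
        handler.setPostLogoutRedirectUri("{baseUrl}");
        return handler;
    }
}
```

Spring Security 6 defers loading the CSRF token, so the SPA only receives the cookie once something subscribes to the `CsrfToken` exchange attribute; the reference documentation shows the small `WebFilter` that does this, which is outside this snippet.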
Info
Channel: Java Rush
Views: 225
Keywords: java, spring, spring-boot, oauth2, openid, spring security, resource server, jwt, access token, authorization server, client server, logout, oidc logout
Id: 3ucYJaMAgzQ
Length: 11min 33sec (693 seconds)
Published: Tue Jan 16 2024