spring-guides / tut-spring-security-and-angular-js

Spring Security and Angular: A tutorial on how to use Spring Security with a single page application with various backend architectures, ranging from a simple single server to an API gateway with OAuth2 authentication.

Home Page:https://spring.io/guides/tutorials/spring-security-and-angular-js/


Logout flow in OAuth2

ksambhav opened this issue · comments

Referring to the logout flow in the oauth2 project, once the user has authenticated using user/password for the first time, the credentials are not asked for next time after logout.

How can I ensure that username/password are asked for every time after a logout?

This is what I am trying to implement:

  1. OAuth2 server using JWT tokens and the "authorization_code" grant type with auto approval. This has an html/angularjs form to collect username/password.

  2. UI/Webfront - Uses @EnableSSO. ALL its endpoints are authenticated, i.e. it does not have any unauthorized landing page/ui/link that the user clicks to go to the /uaa server. So hitting http://localhost:8080 instantly redirects you to http://localhost:9999/uaa and presents a custom form to collect username/password.

  3. Resource server - Uses @EnableResourceServer. Plain & simple REST api.

With the above approach I am not able to work out the logout flow. HTTP POST /logout to the UI application clears the session/auth in the UI application, but the user gets logged in again automatically (as I have opted for auto approval for all scopes) without being asked for username/password again.

Looking at logs and network calls, it looks like all the "oauth dance" happens all over again successfully without the user being asked for username/password again, and it seems like the auth server remembers the last auth token issued for a client (using org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices??).

How can I tell the auth server to ask for username/password on every request for a code/token? Or what is the best way to implement logout in my given scenario?

(To recreate something near to my requirements, remove the permitAll() part from the UiApplication and configure auto approval in the auth server.)

Thanks.

Duplicates #121?

@dsyer - Yes, I think #121 is the same problem described here. Instead of enabling CORS, I am going to try routing the /uaa/logout POST request through Zuul mappings in my UI server. But I wish there was some configuration/switch to toggle this auto-login part.
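The behaviour described in the opening post (UI logout clears only the UI session, after which the authorization_code dance re-issues a code without a login prompt) comes down to the authorization server still holding its own authenticated browser session, and the later comment's Zuul idea is one way of ending that second session. The two configuration classes below are an added example written for this thread; they are not code from the spring-guides tutorial or from either participant. They assume the hosts and ports quoted in the thread (UI on http://localhost:8080, auth server on http://localhost:9999/uaa), the servlet-based Spring Security stack of that era (`WebSecurityConfigurerAdapter`), and a custom page already served at `/login` on the auth server; the class names and the `AUTH_SERVER_LOGOUT` constant are hypothetical.

```java
// --- file 1, in the UI / web front application (the @EnableOAuth2Sso app on :8080) ---
package example.sso;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

/** Every endpoint is authenticated: no permitAll() landing page, as in the thread. */
@Configuration
public class UiSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical: the endpoint on the auth server that ends ITS session (file 2).
    static final String AUTH_SERVER_LOGOUT = "http://localhost:9999/uaa/logout";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
            .and().csrf()
                // Angular reads the XSRF-TOKEN cookie and echoes X-XSRF-TOKEN,
                // so the POST /logout below stays CSRF-protected.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and().logout()
                .logoutUrl("/logout")            // the Angular client POSTs here
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessHandler(chainToAuthServerLogout());
    }

    /**
     * Ending the UI session alone is why the user "logs in again": the auth server
     * still has an authenticated session for this browser, so the next redirect to
     * /uaa/oauth/authorize silently mints a fresh code (auto-approval also skips the
     * consent page). So, after the UI session is gone, send the browser on to end
     * the auth server session as well.
     */
    private LogoutSuccessHandler chainToAuthServerLogout() {
        return (HttpServletRequest request, HttpServletResponse response, Authentication auth) ->
                response.sendRedirect(AUTH_SERVER_LOGOUT);
    }
}

// --- file 2, in the authorization server (context path /uaa on :9999) ---
package example.uaa;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/**
 * The redirect from file 1 arrives as a GET. Spring Security's default logout only
 * accepts POST while CSRF protection is enabled, so the request matcher below accepts
 * any method. Trade-off: a third-party page can then force a logout by linking to
 * /uaa/logout (an annoyance, not a session takeover). If that is unacceptable, keep
 * the POST-only default and have the client issue the POST, e.g. via the Zuul route
 * the thread mentions.
 */
@Configuration
public class AuthServerSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
            .and().formLogin()
                .loginPage("/login").permitAll()   // assumed: the custom username/password form
            .and().logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                // Back to the UI; being fully authenticated, it starts a fresh
                // authorization_code dance, which now lands on the login form.
                .logoutSuccessUrl("http://localhost:8080/");
    }
}
```

To check that the chain works, log out from the UI and watch the network tab: after `POST /logout` (UI) there should be a `302` to `/uaa/logout`, a second `302` back to `http://localhost:8080/`, and then the redirect to `/uaa/oauth/authorize` should end on the login form instead of returning with a `code` parameter. If the login form is still skipped, the auth server session cookie was not cleared, which is the symptom to look for first.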