
I am using the spring-security-oauth2 client as my OAuth2 client, and my front end is an Angular application.

I am trying to implement auto logout in case there is a session timeout. So far I am unsuccessful.

This is my bean code. I am setting invalidSessionUrl("auth server logout url") in the HttpSecurity DSL. This is the code reference I am using: https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html#clearing-session-cookie-on-logout

    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
    import org.springframework.security.web.SecurityFilterChain;

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .headers(headersConfig ->
                headersConfig
                    .frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)
            )
            // On an invalid (expired) session, redirect to the authorization server's logout endpoint
            .sessionManagement(sessionConfig -> sessionConfig.invalidSessionUrl("http://localhost:8080/authserver/logout?redirect_uri=http://localhost:8080/test&client_id=test"))
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .oauth2Login(oauth2Config -> oauth2Config
                .authorizationEndpoint(authorizationEndpointConfig -> authorizationEndpointConfig
                    // authorizationRequestResolver(...) and clientRegistrationRepository are defined elsewhere in this class (not shown)
                    .authorizationRequestResolver(
                        authorizationRequestResolver(clientRegistrationRepository)
                    )
                )
            )
            .csrf(csrfConfig ->
                csrfConfig.disable()
            );

        return http.build();
    }

On invalid session, I am redirecting to the authserver logout page. But when the request is made on session expiry, it is not trying to parse the JSON request. Instead it shows the logout page. Is it possible?
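The symptom in the question (an XHR from the Angular app receiving the HTML logout page) follows from `invalidSessionUrl`, which always answers with a redirect, and from the fact that the browser's XHR follows that redirect transparently. The following is an added example, not the asker's code or anything from the Spring documentation: it replaces the fixed redirect with an `InvalidSessionStrategy` that still redirects browser navigations to the same logout URL, but answers API callers (`Accept: application/json`, which Angular's HttpClient sends by default, or `X-Requested-With: XMLHttpRequest`) with a 401 and a small JSON body, so the frontend can navigate to the login entry point itself. The registration id `test`, the `/oauth2/authorization/test` login path and the JSON field names are assumptions; the custom authorization request resolver from the question is omitted and CSRF protection is left at its default.

```java
// Added example (not from the question or Spring's docs): content-negotiating
// InvalidSessionStrategy. Browser navigations get the redirect to the authorization
// server's logout page; XHR/JSON callers get 401 + JSON instead of an HTML page.
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;

import jakarta.servlet.http.HttpServletRequest;

@Configuration
@EnableWebSecurity
public class JsonAwareInvalidSessionConfig {

    // The authorization server logout URL from the question (placeholder values).
    private static final String LOGOUT_URL =
        "http://localhost:8080/authserver/logout?redirect_uri=http://localhost:8080/test&client_id=test";

    // Assumed registration id "test"; Spring's default login entry point for it.
    private static final String LOGIN_PATH = "/oauth2/authorization/test";

    /** True when the caller is an API client (Angular HttpClient) rather than a browser navigation. */
    static boolean wantsJson(HttpServletRequest request) {
        String accept = request.getHeader(HttpHeaders.ACCEPT);
        boolean acceptsJson = accept != null && accept.contains(MediaType.APPLICATION_JSON_VALUE);
        boolean isXhr = "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
        return acceptsJson || isXhr;
    }

    @Bean
    InvalidSessionStrategy invalidSessionStrategy() {
        // Same behaviour as invalidSessionUrl(...) for plain browser navigations.
        InvalidSessionStrategy redirect = new SimpleRedirectInvalidSessionStrategy(LOGOUT_URL);
        return (request, response) -> {
            if (!wantsJson(request)) {
                redirect.onInvalidSessionDetected(request, response);
                return;
            }
            // API caller: no HTML, no redirect. The frontend reads the status/body and
            // navigates to LOGIN_PATH itself (which starts a fresh authorization code flow).
            response.setStatus(HttpStatus.UNAUTHORIZED.value());
            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
            response.setCharacterEncoding(StandardCharsets.UTF_8.name());
            response.getWriter().write(
                "{\"error\":\"session_expired\",\"login\":\"" + LOGIN_PATH + "\"}");
        };
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, InvalidSessionStrategy strategy) throws Exception {
        http
            .sessionManagement(session -> session.invalidSessionStrategy(strategy))
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}
```

The strategy only fires when the request carries a session id cookie that the server no longer recognises (`request.isRequestedSessionIdValid()` is false); a request with no session at all goes to the authentication entry point instead, so the Angular app should treat both a 401 from this strategy and a redirect-to-login the same way. Whether the user is also logged out of the authorization server is a separate decision: this example ends only the Spring client's session, which is the behaviour the answer below argues for.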


1 Answer


I understand that you are trying to log the user out of Keycloak when his session on the Spring OAuth2 client expires. Why that? Why do you let it expire? Why don't you try to re-activate the session on the client instead? The user might still have an active session on the authorization server, and if he doesn't, then there's no need to log out from it.

In a similar setup, I have the user details endpoint exposed by a resource server behind the Spring client. The payload returned by this endpoint includes the expiration time of the access token. In the Angular app, I schedule a new call to this endpoint just before the access token expires. That way, the session in the Spring client is kept alive, and the access token it contains is always valid.


2 Comments

Thanks @ch4mp for the quick answer. I should not extend the active session; instead I have to end the session and redirect him to the login page, just like on net-banking websites.
Net-banking applications do not rely on frontends to end sessions on the authorization servers. The sessions on the authorization servers are short-lived. Maybe there is a confusion: users don't log in on your Spring client, they log in on the authorization server. What happens on the client is the authorization of that client to act on behalf of a user who logged in on an authorization server. So maybe what you want is to shorten the user session on the authorization server.
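The answer above keeps the Spring client's session alive by having the Angular app call a user-details endpoint just before the access token expires. Below is an added example, not the answerer's code: it puts such an endpoint directly on the Spring OAuth2 client rather than on a resource server behind it, and returns, next to the access token expiry, the delay after which the frontend should call again. The `/api/me` path, the 30-second safety margin and the 5-second minimum delay are assumptions; `@RegisteredOAuth2AuthorizedClient` without an explicit registration id resolves the client for the registration the user logged in with.

```java
// Added example, not the answerer's code: an endpoint on the Spring OAuth2 client
// that reports when the current access token expires, so the Angular app can
// schedule its next call shortly before that moment. Each such call also touches
// the HTTP session, which is what keeps it alive.
import java.time.Duration;
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SessionInfoController {

    // Safety margin so the keep-alive call lands before expiry despite clock skew and
    // network latency; both values are assumptions, not taken from the page.
    static final Duration REFRESH_MARGIN = Duration.ofSeconds(30);
    static final Duration MIN_DELAY = Duration.ofSeconds(5);

    /**
     * Delay the frontend should wait before calling the endpoint again.
     * Never negative and never shorter than MIN_DELAY, so an already (almost)
     * expired token cannot turn into a tight polling loop against the client.
     */
    static Duration refreshDelay(Instant expiresAt, Instant now) {
        Duration delay = Duration.between(now, expiresAt).minus(REFRESH_MARGIN);
        return delay.compareTo(MIN_DELAY) < 0 ? MIN_DELAY : delay;
    }

    /** Assumed path. The authorized client is resolved for the registration the user logged in with. */
    @GetMapping("/api/me")
    public Map<String, Object> me(@AuthenticationPrincipal OAuth2User user,
                                  @RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient client) {
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("name", user.getName());
        // expiresAt is nullable in the OAuth2 client API: only advertise a schedule when it is known.
        Instant expiresAt = client.getAccessToken().getExpiresAt();
        if (expiresAt != null) {
            body.put("accessTokenExpiresAt", expiresAt.toString());
            body.put("refreshInMillis", refreshDelay(expiresAt, Instant.now()).toMillis());
        }
        return body;
    }
}
```

On the Angular side the app calls `/api/me` once after login, reads `refreshInMillis`, and sets a timer for the next call; if the call comes back 401 instead, the session is gone and the app navigates to the login entry point. Two things to check when using this: the Spring client's HTTP session timeout must be longer than the access-token lifetime plus the margin, otherwise the session idles out between two calls anyway; and because the argument resolver goes through the `OAuth2AuthorizedClientManager`, an expired access token is refreshed with the refresh token on the way in, so `accessTokenExpiresAt` moves forward on each successful call.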
