Confused about logging out from the simple-web-app

[rhinmass]

I made the change to call logout from the inline form and send the CSRF via the post.

https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1340

The UI appears logged out, however, as soon as I click Login I am again logged in, without having to enter any credentials. Also, looking at the network calls in Developer Tools, I don't see that endsession is being called.

Is there more to be done to complete the logout.

[rhinmass]

I feel like I need to make a call to revoke and endSession but it's not clear if there are some methods in the framework (as there are for userInfo) or if I just have to build these post requests. For the latter, I think I am will need the accessToken for the endSession header. Any hints on how to get my hands on that from with the simple-web-apps controller?

[rhinmass]

I'm trying everything here, and could really use some pointers

• How to revoke the access token? I think I need to do 2 things: get the access token and call the revoke endpoint. I have several questions/problems 1 - How do you go about getting the serialized access token (this would be from the logout controller on the client webapp) ?
  2- Next, assuming I could get that token, would I pass it as the Authorization header, or the token query parameter or both? 3- I've tried doing the above with postman and I get errors 403 forbidden. So I'm not even sure it will work. 4 - Calling endsession. It goes to the logout page on the server, but does not redirect back to the client after logging out. I'm sending the post_logout_redirect_uri and it matches exactly what I have defined for the client's post_logout_redirect_uri on the server. 5 - Strange behavior is that in a new incognito browser, the first time I go to endsession, I get the screen where you can logout or change your mind. After logging out, every future call to endsession from the same browser skips the confirmation and goes right to logout. Until I close that browser and open a new one. Clearng the Jsession ID doesn't make any difference.

I'm sorry this question was long, but I wanted to make sure whoever was kind enough to try to answer it would know all the things I've already tried. In summary, I need to revoke the access token and end the client session. (I can end the client session now through spring logout, but the token is still active so the next time I click log in, it logs right back in without prompting for creds.)

[rhinmass]

Answering my own questions :

1) To get the access token:

        SecurityContext sc = SecurityContextHolder.getContext();
        OIDCAuthenticationToken auth = (OIDCAuthenticationToken) sc.getAuthentication();

        String accessToken = auth.getAccessTokenValue();
        String refreshToken = auth.getRefreshTokenValue();

2 & 3) We need to send the client-id and client secret in order to revoke the access token. The access token is not sent in the header.

4 & 5) Had a typo in the post_logout_redirect_uri that I had registered with the client. It's working now.