I have a Spring Boot based web app. Spring Boot version: 6.x, Spring Security version: 3.x.
I have implemented the SecurityFilterChain customization as follows:
...
http.logout().deleteCookies("JSESSIONID").logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/");
...
The app lets me log out successfully in Firefox, but not in Google Chrome. When I invoke the /logout [GET] endpoint, Chrome navigates to login.microsoftonline.com and logs me in again automatically, without even asking me which user I would like to log in as.
I've cleared the browser cache and made sure I did not enable the "remember me" function of AAD, or anything similar, but the app keeps letting me in after I log in once. I will burn my laptop soon. Please advise.
The code snippet in the question logged me out of the Spring app, but did not log me out of the Microsoft session. The end result was that after the successful logout I was forwarded to the login page again, and the Azure login page automatically logged me back into the Spring app due to my valid Azure AD session.
To implement a proper logout, you need to add a logoutSuccessHandler to the SecurityFilterChain, as below:
http.logout(logout -> logout
    // only a GET to /logout triggers the logout filter
    .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"))
    .logoutSuccessUrl("/")
    // sends the browser to the provider's end_session_endpoint (with id_token_hint) so the Azure AD session is ended too;
    // setting a handler replaces logoutSuccessUrl above, but the handler itself falls back to "/" if the provider publishes no end_session_endpoint
    .logoutSuccessHandler(new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository))
    // invalidate the local session and drop its cookie
    .deleteCookies("JSESSIONID")
);
I used the org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler class as the logoutSuccessHandler. The type of its constructor parameter is ClientRegistrationRepository, which Spring can inject without any problems.
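For readers who want the whole picture, here is a complete SecurityFilterChain that applies the answer above. This is an added example, not code from the question, the answer, or the Spring Security project; the class name SecurityConfig, the package name, the /logged-out page and the permitted paths are assumptions for illustration. Two things it does differently from the answer: it sets an explicit post-logout redirect URI, because Azure AD only honours a post_logout_redirect_uri that is registered on the app registration and otherwise lands the user on a generic Microsoft page, and it restricts /logout to POST, since a GET logout with CSRF protection enabled can be triggered by any third-party page that embeds the link (a logout CSRF). The OIDC handler needs the provider's end_session_endpoint, which Spring Security populates automatically when the provider is configured with an issuer-uri (OIDC discovery).

```java
package com.example.security; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
                                            ClientRegistrationRepository clientRegistrationRepository)
            throws Exception {

        // RP-initiated logout: redirects the browser to the provider's end_session_endpoint
        // with id_token_hint, which is what actually ends the Azure AD session.
        OidcClientInitiatedLogoutSuccessHandler oidcLogout =
                new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);

        // Where Azure AD sends the browser after ending its session. {baseUrl} is expanded by
        // Spring Security to scheme://host:port/context-path. The resulting URL must be listed
        // as a post-logout redirect URI on the Azure app registration, or Azure ignores it.
        // (/logged-out is an assumed, unauthenticated page of this app.)
        oidcLogout.setPostLogoutRedirectUri("{baseUrl}/logged-out");

        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/logged-out").permitAll()   // assumed public pages
                .anyRequest().authenticated())
            // standard OIDC login via the client registration from application.yml
            .oauth2Login(Customizer.withDefaults())
            .logout(logout -> logout
                // POST only: combined with the default CSRF protection, a cross-site page
                // cannot log the user out by simply linking to /logout
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                .logoutSuccessHandler(oidcLogout)
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID"));

        return http.build();
    }
}
```

With this configuration the logout link in the page must be a form that POSTs to /logout and carries the CSRF token (a Thymeleaf form with th:action="@{/logout}" adds it automatically). If you really need a GET logout, keep the answer's AntPathRequestMatcher("/logout", "GET"), but be aware that any site can then end your users' sessions with an image tag or a link.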