Spring OAuth2 Backchannel logout: Redirect to the login page after SSO logout

I have a Vaadin 24.6.1 application based on Spring Boot with OAuth2 security. I use the OAuth2 backchannel logout method to log out from the SSO session (see OIDC Logout :: Spring Security): in practice my OAuth Authorization server sends a POST request to my Vaadin backend at the backchannel logout URL, which looks like http://host/context/logout/connect/back-channel/client-id, where client-id is my client registration in spring.security.oauth2.client.registration

For example, the user opens an OAuth2 SSO session and the Vaadin UI is active; I want to close the OAuth2 SSO session centrally in my OAuth2 Authorization Server. The server sends a POST request to my Vaadin backend at the OAuth2 backchannel logout URL. My Vaadin backend destroys the OAuth2 session, the servlet session and the UI, and closes the push communication with the client's browser. I want to catch the logout request and redirect the client's browser page to the login page after the UI is destroyed. The problem is that there is no UI left to send the redirect over push. How can it be done?

I think you need to map the VaadinSession to the client id on each login. When the OIDC logout is called you could invalidate the sessions. In my application this results in all pages connected to a session being reloaded (which routes to the login). Make sure that your Spring auth and user are reset.

import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import com.vaadin.flow.server.VaadinSession;

public class SessionCloser {
  /* Vaadin sessions registered per client id on each login
     (or Map<String, VaadinSession> depending on your setup) */
  private final Map<String, List<VaadinSession>> sessionsByClientId = new ConcurrentHashMap<>();

  public void closeSession(String clientId) {
    List<VaadinSession> sessions = sessionsByClientId.getOrDefault(clientId, List.of());
    for (VaadinSession s : sessions) {
      // access() acquires the session lock; the caller is not the UI thread
      s.access(() -> {
        s.close();                   // Vaadin
        s.getSession().invalidate(); // Http
      });
    }
    sessionsByClientId.remove(clientId);
  }
}
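To show how the mapping in the answer above can be maintained without manual bookkeeping in every login flow, here is an added example (not code from the thread or from Vaadin/Spring). It registers each new VaadinSession under the OAuth2 client registration id found in the Spring SecurityContext, drops it again when the session is destroyed, and exposes closeSessions(clientId) to be called from wherever your back-channel logout handling runs. The class name ClientSessionRegistry and the method names are hypothetical; it assumes Vaadin Flow with the Spring integration and spring-security-oauth2-client on the classpath.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArraySet;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.stereotype.Component;

import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;
import com.vaadin.flow.server.VaadinSession;

// Hypothetical registry; Vaadin's Spring integration picks up beans implementing
// VaadinServiceInitListener automatically.
@Component
public class ClientSessionRegistry implements VaadinServiceInitListener {

    // client registration id -> live Vaadin sessions opened through that client
    private final Map<String, Set<VaadinSession>> sessionsByClientId = new ConcurrentHashMap<>();

    @Override
    public void serviceInit(ServiceInitEvent event) {
        // The Vaadin session is created inside a request that has already passed the
        // Spring Security filter chain, so the OAuth2 authentication is available here.
        event.getSource().addSessionInitListener(e -> register(e.getSession()));
        event.getSource().addSessionDestroyListener(e -> unregister(e.getSession()));
    }

    private void register(VaadinSession session) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof OAuth2AuthenticationToken token) {
            sessionsByClientId
                .computeIfAbsent(token.getAuthorizedClientRegistrationId(),
                                 k -> new CopyOnWriteArraySet<>())
                .add(session);
        }
        // Sessions without an OAuth2 login (e.g. anonymous routes) are simply not tracked.
    }

    private void unregister(VaadinSession session) {
        // Runs on normal expiry as well, so closed sessions never linger in the map.
        sessionsByClientId.values().forEach(set -> set.remove(session));
    }

    /**
     * Close every Vaadin session (and its backing HTTP session) that was opened through
     * the given client registration. Returns how many sessions were scheduled for closing.
     */
    public int closeSessions(String clientId) {
        List<VaadinSession> snapshot =
            List.copyOf(sessionsByClientId.getOrDefault(clientId, Set.of()));
        for (VaadinSession s : snapshot) {
            // The back-channel request runs on a thread that does not own the session
            // lock; access() queues the work under the lock instead of touching it directly.
            s.access(() -> {
                s.close();                   // Vaadin side
                s.getSession().invalidate(); // HTTP side
            });
        }
        return snapshot.size();
    }
}
```

Note that a back-channel logout from the authorization server terminates the SSO session for one user, while the registry above is keyed by client registration id as in the answer, so closeSessions closes every tracked session of that client. The logout token the authorization server posts also identifies the specific user session (its sub and sid claims); keying the map by that value instead is the more selective option if only the affected user should be logged out.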

Skip Vaadin in your equation. You destroyed the session with Spring - therefore the easiest would be to use a LogoutSuccessHandler to send a redirect to your specific page.


@knoobie I have investigated backchannel logout deeply and indeed everything works as expected:
