I have added a social login feature to my Spring Boot MVC web application. It allows users to log in to my application with a Facebook or Google account. But I am struggling to get the /logout feature to work. Even though /logout is called and the logoutSuccessUrl is loaded, if the user clicks on the login link again, the user is not asked to provide their username or password again. It looks like the user is still authenticated. If, after clicking on the logout link, I open a new browser tab, then I see that I am still logged in to the social account (either Google or Facebook).
It does work perfectly with Okta though. After /logout is called, I do get logged out of the Okta account as well. And I see that when Okta is being used there is an additional request sent to
https://{okta-base-url}/oauth2/default/v1/logout?id_token_hint={id-token-value}&post_logout_redirect_uri=http://localhost:8080/
I do not see this request being sent when using Facebook or Google.
How do I get the /logout to work for Facebook or Google as well?
I am using the new OAuth 2 Client support.
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
spring.security.oauth2.client.registration.facebook.client-id =
spring.security.oauth2.client.registration.facebook.client-secret =
And here is what my HttpSecurity configuration looks like:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Registered clients (facebook, google, okta, ...) from spring.security.oauth2.client.registration.*
    @Autowired
    private ClientRegistrationRepository clientRegistrationRepository;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers(HttpMethod.POST, "/logout").permitAll()
                .anyRequest().authenticated()
                .and()
            .logout()
                // After the local session is cleared, redirect to the provider's end_session_endpoint (if any)
                .logoutSuccessHandler(oidcLogoutSuccessHandler())
                //.logoutSuccessUrl("/")
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID", "XSRF-TOKEN")
                .and()
            .oauth2Login();
    }

    private OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler() {
        OidcClientInitiatedLogoutSuccessHandler successHandler =
                new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
        // Sent as post_logout_redirect_uri; must be registered with the provider
        successHandler.setPostLogoutRedirectUri("http://localhost:8080/");
        return successHandler;
    }
}
Thank you very much!
Comment From: jgrandja
@interested-developer It's possible that Google and Facebook don't support the end_session_endpoint provided in OpenID Provider Configuration Response. This would be the reason why OidcClientInitiatedLogoutSuccessHandler is not logging out the user at the provider.
As an FYI, questions are better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it).
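As an added example (not code from the original post, and not Spring Security's own implementation), the following Python script reproduces the check the comment above describes: look up end_session_endpoint in the provider's OpenID Provider Configuration and, only when it is present, build the RP-initiated logout redirect with id_token_hint and post_logout_redirect_uri, in the same shape as the Okta request quoted in the question. The two discovery documents are constructed samples: the Okta-style one advertises an end-session endpoint under a placeholder issuer, the Google-style one omits it, which is the case where the handler can only clear the local session. The fetch_discovery helper does a live network call and is provided for running the check against a real issuer; the offline demo does not use it.

```python
"""Decide whether an OpenID Provider can be asked to log the user out.

Mirrors the logic of an RP-initiated logout handler: read ``end_session_endpoint``
from the provider's discovery document and redirect there with ``id_token_hint``
and ``post_logout_redirect_uri``. When the endpoint is absent, the only thing an
application can do is clear its own session; the browser stays logged in at the
provider.
"""
import json
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

# Constructed sample: provider that advertises an end-session endpoint (placeholder issuer).
SAMPLE_OKTA_STYLE = {
    "issuer": "https://okta.example/oauth2/default",
    "authorization_endpoint": "https://okta.example/oauth2/default/v1/authorize",
    "token_endpoint": "https://okta.example/oauth2/default/v1/token",
    "end_session_endpoint": "https://okta.example/oauth2/default/v1/logout",
}

# Constructed sample: provider with no end_session_endpoint (only revocation is offered).
SAMPLE_GOOGLE_STYLE = {
    "issuer": "https://accounts.example.com",
    "authorization_endpoint": "https://accounts.example.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.example.com/token",
    "revocation_endpoint": "https://oauth2.example.com/revoke",
}


def discovery_url(issuer: str) -> str:
    """Well-known discovery location derived from the issuer URI."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Fetch the live discovery document for an issuer (network call)."""
    with urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def supports_rp_initiated_logout(discovery: dict) -> bool:
    """True only when the provider publishes a non-empty end_session_endpoint."""
    return bool(discovery.get("end_session_endpoint"))


def rp_initiated_logout_url(discovery: dict, id_token: str,
                            post_logout_redirect_uri: str) -> Optional[str]:
    """Build the end-session redirect, or return None when the provider offers none."""
    if not supports_rp_initiated_logout(discovery):
        return None
    parts = urlsplit(discovery["end_session_endpoint"])
    # Preserve any query the provider already put on the endpoint, then add ours.
    query = dict(parse_qsl(parts.query))
    query["id_token_hint"] = id_token
    query["post_logout_redirect_uri"] = post_logout_redirect_uri
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def logout_target(discovery: dict, id_token: str, post_logout_redirect_uri: str,
                  local_fallback: str = "/") -> str:
    """Where the browser should go after the local session is invalidated.

    Provider logout when available; otherwise the local fallback, which leaves the
    provider session intact (the behaviour reported for Google and Facebook).
    """
    url = rp_initiated_logout_url(discovery, id_token, post_logout_redirect_uri)
    return url if url is not None else local_fallback


if __name__ == "__main__":
    for name, doc in (("okta-style", SAMPLE_OKTA_STYLE), ("google-style", SAMPLE_GOOGLE_STYLE)):
        print(name, "->", logout_target(doc, "eyJ.example.idtoken", "http://localhost:8080/"))
```

Running the script against a real issuer (fetch_discovery(issuer)) shows immediately whether a provider can terminate its own session for you; when the key is missing, no client-side handler configuration will produce the extra logout request seen with Okta.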
Comment From: arunvc
So there is no work around?