java Spring Boot OAuth2 单点注销(注销)
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/43071370/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring Boot OAuth2 Single Sign Off (Logout)
提问by Juan Carlos Mendoza
I'm considering to use OAuth2 for my application. The architecture I'm trying to implement is as follows:
我正在考虑将 OAuth2 用于我的应用程序。我试图实现的架构如下:
- I will have my own (and only this) Authorization Server
- Some Resource Apps validating access to their resources using the Authorization Server
- Some client apps (web, mobile) which will redirect the user to the Authorization Server for authentication and on success will consume the api's on the Resource Apps.
- 我将拥有自己的(并且只有这个)授权服务器
- 一些资源应用程序使用授权服务器验证对其资源的访问
- 一些客户端应用程序(网络、移动)会将用户重定向到授权服务器进行身份验证,成功后将使用资源应用程序上的 api。
So far I have managed to implement this interaction between 3 basic apps (1 auth server, 1 resource server and 1 client). The thing I don't get working is the logout functionality. I have read of the "notoriously tricky problem"that Dave Syer describes in his tutorial, but in this case I really need the user to re-login after loging out. I have tried giving few seconds to the access token and the refresh token, but instead of being prompted to login again when the expiration arrives, I'm getting a NPE on the client app. I have also tried the solutions proposed in this postto remove the token from the token store, but it doesn't work. The single sign off is for me the desirable behaviour for this implementation. How can I achieve this using Spring Boot Oauth2. If it is not possible for some reason, which alternatives I could use to implement a centralized security using Spring Boot?
到目前为止,我已经设法在 3 个基本应用程序(1 个身份验证服务器、1 个资源服务器和 1 个客户端)之间实现了这种交互。我无法正常工作的是注销功能。我读过Dave Syer 在他的教程中描述的“臭名昭著的棘手问题”,但在这种情况下,我真的需要用户在注销后重新登录。我试过给访问令牌和刷新令牌几秒钟,但是当到期到达时,我没有被提示再次登录,而是在客户端应用程序上获得了 NPE。我也尝试了这篇文章中提出的解决方案从令牌存储中删除令牌,但它不起作用。对我来说,单点注销是此实现的理想行为。如何使用 Spring Boot Oauth2 实现这一点。如果由于某种原因不可能,我可以使用哪些替代方案来使用 Spring Boot 实现集中式安全?
Thanks in advance.
提前致谢。
回答by Juan Carlos Mendoza
After a lot of tests I have realized that this can be solved just with a redirect to the AuthServer and doing logout programmatically like this:
经过大量测试后,我意识到这可以通过重定向到 AuthServer 并像这样以编程方式注销来解决:
In the client app (WebSecurityConfigurerAdapter):
@Override protected void configure(HttpSecurity http) throws Exception { http .logout() .logoutSuccessUrl("http://your-auth-server/exit"); }In the authorization server:
@Controller public class LogoutController { @RequestMapping("/exit") public void exit(HttpServletRequest request, HttpServletResponse response) { // token can be revoked here if needed new SecurityContextLogoutHandler().logout(request, null, null); try { //sending back to client app response.sendRedirect(request.getHeader("referer")); } catch (IOException e) { e.printStackTrace(); } } }
在客户端应用程序 (WebSecurityConfigurerAdapter) 中:
@Override protected void configure(HttpSecurity http) throws Exception { http .logout() .logoutSuccessUrl("http://your-auth-server/exit"); }在授权服务器中:
@Controller public class LogoutController { @RequestMapping("/exit") public void exit(HttpServletRequest request, HttpServletResponse response) { // token can be revoked here if needed new SecurityContextLogoutHandler().logout(request, null, null); try { //sending back to client app response.sendRedirect(request.getHeader("referer")); } catch (IOException e) { e.printStackTrace(); } } }
I have posted a sample app on githubwith a full example of this implementation.
我已经在 github 上发布了一个示例应用程序,其中包含此实现的完整示例。
