Spring Boot OAuth2 Single Sign Off (Logout)

Question

I'm considering using OAuth2 for my application. The architecture I'm trying to implement is as follows:

  • I will have my own (and only this one) authorization server
  • Some resource apps validate access to their resources against the authorization server
  • Some client apps (web, mobile) will redirect the user to the authorization server for authentication and, on success, use the APIs on the resource apps.

So far I have managed to implement this interaction between 3 basic apps (1 auth server, 1 resource server and 1 client). The thing I don't get working is the logout functionality. I have read of the "notoriously tricky problem" that Dave Syer describes in his tutorial, but in this case I really need the user to re-login after logging out. I have tried giving a few seconds to the access token and the refresh token, but instead of being prompted to log in again when the expiration arrives, I'm getting an NPE on the client app. I have also tried the solutions proposed in this post to remove the token from the token store, but it doesn't work. Single sign off is for me the desirable behaviour for this implementation. How can I achieve this using Spring Boot OAuth2? If it is not possible for some reason, which alternatives could I use to implement centralized security using Spring Boot?

Thanks in advance.

Answer

After a lot of tests I have realized that this can be solved just with a redirect to the AuthServer and doing logout programmatically like this:

  • In the client app (WebSecurityConfigurerAdapter):

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Class name is illustrative; the original snippet showed only the configure() method.
public class ClientSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .logout()
            // after the local session is cleared, send the browser to the auth server's logout endpoint
            .logoutSuccessUrl("http://your-auth-server/exit");
    }
}

  • In the authorization server:

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class LogoutController {

    @RequestMapping("/exit")
    public void exit(HttpServletRequest request, HttpServletResponse response) {
        // token can be revoked here if needed
        // invalidates the auth server's HTTP session and clears the SecurityContext
        new SecurityContextLogoutHandler().logout(request, null, null);
        try {
            // sending back to client app
            // note: the Referer header is supplied by the browser, so an unvalidated
            // redirect to it is an open redirect; check it against the registered client URLs
            response.sendRedirect(request.getHeader("referer"));
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

  • I have posted a sample app on github with a full example of this implementation.
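The controller above redirects to whatever `Referer` the browser sends, which lets anyone who can get a user to follow a crafted link bounce them through the auth server's `/exit` to an arbitrary site. The following is an added example (not code from the answer or from its GitHub sample) of the same endpoint with the redirect target checked against an allow-list of registered client origins, and with optional token revocation through Spring Security OAuth2's `ConsumerTokenServices`. The class name, the allow-listed origins, the fallback URL and the assumption that a `ConsumerTokenServices` bean is available are all hypothetical.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Locale;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class ValidatedLogoutController {

    // Hypothetical allow-list of client origins (scheme://host[:port]) that may
    // receive the post-logout redirect. In practice this comes from the client
    // registrations the authorization server already holds.
    private static final Set<String> ALLOWED_CLIENT_ORIGINS = Set.of(
            "https://client-app.example.com",
            "http://localhost:8080");

    // Used when the Referer is absent, malformed, or not on the allow-list.
    private static final String FALLBACK_URL = "https://client-app.example.com/";

    private final ConsumerTokenServices tokenServices;

    public ValidatedLogoutController(ConsumerTokenServices tokenServices) {
        this.tokenServices = tokenServices;
    }

    @RequestMapping("/exit")
    public void exit(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // 1. Revoke the access token if the caller presents it as a bearer token.
        //    A plain browser redirect from the client app does not carry it; the
        //    client's backend would have to call this endpoint with the token itself.
        String authz = request.getHeader("Authorization");
        if (authz != null && authz.regionMatches(true, 0, "Bearer ", 0, 7)) {
            tokenServices.revokeToken(authz.substring(7).trim());
        }

        // 2. Invalidate the auth server's own session and clear the SecurityContext,
        //    so the next authorization request forces a fresh login.
        new SecurityContextLogoutHandler().logout(request, response, null);

        // 3. Send the browser back to the client, but only to a registered origin.
        response.sendRedirect(safeReturnUrl(request.getHeader("Referer")));
    }

    // Returns the referer unchanged when its origin is allow-listed, else the fallback.
    // Rejects scheme-relative ("//evil.example") and non-http ("javascript:") values
    // because URI.getHost() / getScheme() are null for them.
    static String safeReturnUrl(String referer) {
        if (referer == null) {
            return FALLBACK_URL;
        }
        try {
            URI uri = URI.create(referer);
            if (uri.getScheme() == null || uri.getHost() == null) {
                return FALLBACK_URL;
            }
            String origin = uri.getScheme() + "://" + uri.getHost()
                    + (uri.getPort() == -1 ? "" : ":" + uri.getPort());
            return ALLOWED_CLIENT_ORIGINS.contains(origin.toLowerCase(Locale.ROOT))
                    ? referer
                    : FALLBACK_URL;
        } catch (IllegalArgumentException e) {
            // URI.create throws on syntactically invalid input
            return FALLBACK_URL;
        }
    }
}
```

Comparing the whole origin (scheme, host and port) rather than doing a substring match on the host avoids the classic bypasses such as `https://client-app.example.com.attacker.example`. Revoking the token in step 1 is what actually stops an already-issued access token from being replayed against the resource servers; clearing the session alone only prevents silent re-issuance.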
