Single sign off using OAuth 2


Problem description

We just have been discussing the login and logout behaviour when using OAuth 2. Let's say we have two webapps A and B using one OAuth provider O (built using the spring-security-oauth2 stack).

When you want to log in to A you get redirected to O, enter your credentials, get a session there on O, get redirected back to A with an access token, and a session is created on A as well.

Now when you want to log in to B you get redirected to O and get directly sent back with a token to B, because you still have a valid session on O, and a session is created on B as well (without having to enter your credentials again).

This solves our single sign on problem.

A requirement now is that when logging out from A or B you are always logged out from both/all apps (single sign off).

Our idea is:

  • Enhance the access token with the current session id
  • If apps A or B want to log out a user, they redirect him to the logout page of O
  • If the user gets logged out from O, all access tokens belonging to the current session on O are removed and the user gets redirected back to A or B
  • The session on A or B gets destroyed
  • A and B check for the validity of their OAuth access token on each request and destroy their session if the token is not valid any more

Do you think this is a valid use case for OAuth 2? How would you implement single sign off differently?
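The questioner's proposal (tokens tagged with the O session that issued them, revocation of all of them when the user logs out at O, a per-request validity check in A and B) worked through as an added Python model. This is example code, not code from the original post or from spring-security-oauth2; it assumes the per-request check is an RFC 7662-style token introspection against O, and the `Provider` and `ClientApp` classes and the `o-sess-*` session ids are constructed names.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Provider:
    tokens: dict = field(default_factory=dict)  # access_token -> (o_session_id, client_id)

    def issue_token(self, o_session_id: str, client_id: str) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (o_session_id, client_id)
        return token

    def introspect(self, token: str) -> dict:
        # RFC 7662-style response; only "active" matters for the per-request check
        entry = self.tokens.get(token)
        return {"active": False} if entry is None else {"active": True, "client_id": entry[1]}

    def logout(self, o_session_id: str) -> int:
        # Ending the O session revokes every token it issued: the single sign-off step
        keep = {t: v for t, v in self.tokens.items() if v[0] != o_session_id}
        revoked, self.tokens = len(self.tokens) - len(keep), keep
        return revoked

@dataclass
class ClientApp:
    name: str
    provider: Provider
    sessions: dict = field(default_factory=dict)  # local session id -> access token from O

    def login(self, o_session_id: str) -> str:
        local = secrets.token_urlsafe(8)
        self.sessions[local] = self.provider.issue_token(o_session_id, self.name)
        return local

    def handle_request(self, local_session: str) -> bool:
        # Per-request validity check from the proposal: drop the local session once the token is inactive
        token = self.sessions.get(local_session)
        if token is None or not self.provider.introspect(token)["active"]:
            self.sessions.pop(local_session, None)
            return False
        return True

def single_sign_off_demo() -> dict:
    o = Provider()
    a, b = ClientApp("A", o), ClientApp("B", o)
    sess_a = a.login("o-sess-1")    # first login: credentials entered at O, session o-sess-1 created
    sess_b = b.login("o-sess-1")    # second app, same O session: no credentials asked again
    other = a.login("o-sess-2")     # an unrelated O session (constructed) that must stay logged in
    before = (a.handle_request(sess_a), b.handle_request(sess_b))
    revoked = o.logout("o-sess-1")  # user logs out through O's logout page
    after = (a.handle_request(sess_a), b.handle_request(sess_b), a.handle_request(other))
    return {"before": before, "after": after, "revoked": revoked}
```

The model shows the cost the answer below alludes to: every request on A and B becomes a round trip to O, and a session that O knows nothing about (the other O session) is untouched by the logout.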

Recommended answer

The reason there is no categorical answer to this question is that it all depends on your preference for the user experience, and on the extent to which you trust and/or have control of the apps and servers.

I think there are several ways you might do it and your proposal is definitely workable. I would criticise it only because a) you are using an OAuth token as a session token, and they aren't really the same thing, and b) the "check for the validity of their OAuth access token on each request" part is a bit vague, and I suspect the UX might suffer.

In general it is not always desirable to have single sign-off from a system of OAuth2 client apps: the users might believe that they are logged into separate systems, which happen to authenticate conveniently for them, and not actually want a single sign off experience (e.g. if I log out of one Facebook user-provided app, I don't expect to be logged out of my timeline).

If you do need a single sign off and all your apps are in the same domain you can have them share a session cookie scoped to the domain they share. This is dangerous if other apps share the same domain and might not want to participate in the single-sign-on/off behaviour, or if you might not trust them to keep the cookies secret.

With Spring Session you can be more sophisticated and share a session token only among apps that you trust (since you provide only them with access to the session store). That would probably be quite efficient, and I might do it that way in your position, if I had control of all the moving pieces.

It might help to look at the OpenID Connect Session Management Spec to see if there are any ideas there. There is definitely the concept of an identity token (distinct from the access token). I think they suggest doing the validation checks in the browser with scripts in an iframe, which seems awfully ugly, but maybe there really isn't a better way. If you like that idea then you could maybe do the same thing with normal session cookies (no need for the full blown OIDC probably).

