Delete access_token after logout


Problem description

I have a small problem.

At the moment my Spring configuration uses the DefaultTokenServices (provided by spring-security-oauth2-2.0.0.M3.jar). It correctly generates the access_token.

Now what I want to do is cancel/delete/remove/revoke this token when I do a logout.

In security.xml I configured the logout in the http tag:

    <sec:logout logout-url="/logout" logout-success-url="/auth" invalidate-session="true" delete-cookies="true" />

and the redirection is successful. But if I write a test that does a login, then a logout, and afterwards tries to access a restricted path with this access_token, I get a successful request, but I expect a Not Authorized error. Why?

How can I configure the logout so that the access_token is automatically deleted, forcing a new login?

Accepted answer

The lifetime of the access_token is independent of the login session of the user who grants access to a client. OAuth2 has no concept of a user login or logout, or of a session, so the fact that you expect a logout to revoke a token would seem to indicate that you're misunderstanding how OAuth2 works. You should probably clarify in your question why you want things to work this way and why you need OAuth.

If you really want this behaviour, then you would have to code it yourself (in a custom Spring Security LogoutHandler, for example), but the lifetime of a token is normally governed by its expiry time. Token revocation would usually be a separate interface provided to the user, allowing them to prematurely revoke access to their resources for one or more clients, something like Twitter's third-party applications access.
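The custom LogoutHandler the answer mentions, as an added example that is not part of the original question or answer and not code from the Spring project: it revokes the bearer token carried on the logout request so that a later request with the same access_token is rejected. It assumes the DefaultTokenServices bean is injected as ConsumerTokenServices (DefaultTokenServices implements that interface) and that the handler is registered with the LogoutFilter, for example via addLogoutHandler in Java config; the class name is hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.security.web.authentication.logout.LogoutHandler;

/**
 * Hypothetical LogoutHandler (example, not Spring's own code) that revokes the
 * access token presented on the logout request. Session invalidation and cookie
 * deletion are still performed by the configured <sec:logout> element.
 */
public class RevokeAccessTokenLogoutHandler implements LogoutHandler {

    private final ConsumerTokenServices tokenServices;

    // Assumption: the application's DefaultTokenServices bean is passed in here.
    public RevokeAccessTokenLogoutHandler(ConsumerTokenServices tokenServices) {
        this.tokenServices = tokenServices;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        String tokenValue = extractTokenValue(request, authentication);
        if (tokenValue != null) {
            // Removes the access token (and any linked refresh token) from the TokenStore,
            // so the resource server's next lookup of this token value fails.
            tokenServices.revokeToken(tokenValue);
        }
    }

    /** Prefer the Authorization header; fall back to the token recorded on the authentication. */
    static String extractTokenValue(HttpServletRequest request, Authentication authentication) {
        String header = request.getHeader("Authorization");
        String prefix = OAuth2AccessToken.BEARER_TYPE + " "; // "Bearer "
        if (header != null && header.regionMatches(true, 0, prefix, 0, prefix.length())) {
            return header.substring(prefix.length()).trim();
        }
        if (authentication != null && authentication.getDetails() instanceof OAuth2AuthenticationDetails) {
            return ((OAuth2AuthenticationDetails) authentication.getDetails()).getTokenValue();
        }
        return null;
    }
}
```

With a JWT-style token that is not stored server side, revocation needs a different mechanism (the token is self-contained), which is why the answer points to expiry time as the normal lifetime control.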
