在使用我自己的Web应用程序时，如何检查用户是否仍通过azure sso(oAuth2)登录? [英] How to check if user still logged in via azure sso (oAuth2), while using my own webapp?

问题描述

我正在使用Spring Boot开发一个Web应用程序，该应用程序使用Azure AD和OAuth2.0进行身份验证以保护后端.

I'm developing an web application with Spring Boot using Azure AD and OAuth2.0 for authentication to secure up the backend.

如果我通过例如Outlook Web App注销，则我的Web应用程序也应该注册该过程并注销(至少在我重新加载或重新打开页面时).我该如何实施?现在，Web应用程序似乎仍处于登录状态.不幸的是，我没有找到一种始终如一地实现此行为的方法.仅当我使用自我实现的注销按钮时，它才会显示出所需的效果，并且HttpSession无效，并且cookie在删除的地方.

If I log-out via for example the Outlook Web App, my web application should register this process and logout as well (at least if I reload or reopen the page). How do i implement that? Now the Web-Application seems as still logged in. Unfortunately I did not find an approach to implement this behavior consistently. Only if I use the self-implemented log-out button, it shows the desired effect and the HttpSession gets invalidated and cookies where deleted.

我已经在Web应用程序中通过Azure AD实现了登录和注销(请参见代码).通过我自己的应用程序的按钮注销后，我会自动从需要Azure SSO的其他Azure应用程序(例如Outlook Web App)中注销.

I have already implemented a login and logout via Azure AD in my web application (see code). As soon as I log-out via the button of my own application, I am automatically logged out of other Azure applications (e.g. Outlook Web App) that require Azure SSO.

我已经尝试过此处描述的@PreAuthorize注释

I already tried the @PreAuthorize Annotation discribed here Spring MVC - Checking if User is already logged in via Spring Security? but this seems not to be the solution.

 protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .oauth2Login()
                .userInfoEndpoint()
                .oidcUserService(oidcUserService);

        http.logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .clearAuthentication(true)
                .logoutSuccessUrl("https://login.microsoftonline.com/common/oauth2/logout");
}

重定向到主页

    @GetMapping("login/oauth2/code/azure")
    public ModelAndView redirectToRoot(ModelMap modelMap) {
            return new ModelAndView("redirect:/", modelMap);
    }

推荐答案

我从未亲自实现此功能，但是如果我没记错的话，如果您在注销时调用此功能，则所有OAuth2提供程序都具有某种SingleSignOut终结点方法，它将使用户从与此提供商连接的每个应用程序中注销. 刷新Webapp页面后，安全性应识别出该用户不再登录，然后将其重定向到登录页面. 希望我能对您有所帮助. :)

I have never implemented this myself, but if I remember right, all OAuth2 providers have some kind of a SingleSignOut endpoint, if you call this in your logout method, it will log the user out from every app that is connected to this provider. After refreshing the page of your webapp, the security should recognize that the user is then no longer logged in and redirect him to the login page. Hope I could help you a bit. :)

经过快速搜索，我发现了这一点: https://github.com/juanzero000/spring-boot-oauth2-sso .

I found this after a quick search: https://github.com/juanzero000/spring-boot-oauth2-sso .

这篇关于在使用我自己的Web应用程序时，如何检查用户是否仍通过azure sso(oAuth2)登录?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！