Spring Security OAuth2 logout using @FrameworkEndpoint


Question

I am trying to log out by revoking the access_token like this:

import org.apache.commons.lang3.StringUtils;   // containsIgnoreCase comes from commons-lang3
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.provider.endpoint.FrameworkEndpoint;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.context.request.WebRequest;

@FrameworkEndpoint
public class SecurityLogoutController {
  private static final Logger log = LoggerFactory.getLogger( SecurityLogoutController.class );

  @Autowired
  private ConsumerTokenServices consumerTokenServices;

  @DeleteMapping( "/oauth/token" )
  public ResponseEntity<Void> logout( WebRequest request ) {
    String bearer = "bearer";
    String authorizationHeader = request.getHeader( HttpHeaders.AUTHORIZATION );
    log.info( "authorization header: {}", authorizationHeader );
    if ( authorizationHeader != null && StringUtils.containsIgnoreCase( authorizationHeader, bearer ) ) {
      // assumes the header is exactly "<scheme> <token>"; a bare "bearer" would throw here
      String accessTokenID = authorizationHeader.substring( bearer.length() + 1 );
      log.info( "access_token: {}", accessTokenID );   // note: this writes the raw bearer token into the log
      consumerTokenServices.revokeToken( accessTokenID );
    }
    return ResponseEntity.noContent().build();   // return value was elided in the original post
  }
}

But every time I send this delete request with Postman I get this response:

{
 "timestamp": "2018-05-30T01:09:11.710+0000",
 "status": 401,
 "error": "Unauthorized",
 "message": "Unauthorized",
 "path": "/oauth/token"
}

The endpoint is protected by Spring Security behind the scenes and I don't know how and where this endpoint is protected. What I don't understand is: why should the client authenticate again, since it had already been authenticated to get the access_token? It seems strange to me.

Now when I authenticate the client, Postman automatically replaces the Authorization header value and sets it to basic authentication. Something like: Basic Y2hpY293YS11aXNlcnZpY2U6Y2aXNlcnZpY2U=

Need some help... Thanks

Answer

It actually makes sense, because a logout can be done with the provided token by the one who is already logged in. The browser app will for sure have the client_id and secret to pass.

Even I have the same problem and have posted the same on SO. Well.. one way out is that you do basic authentication with client_id and secret and, importantly, pass another header called AUTH-TOKEN (or something else) with the value of the actual token that you want to delete. Here is the code:

// imports as in the question's controller, plus javax.servlet.http.HttpServletRequest,
// RequestMapping, RequestMethod and ResponseBody from org.springframework.web.bind.annotation
@FrameworkEndpoint
public class RevokeTokenEndpoint {   // class name assumed; the answer posted only the method
  @Autowired
  private ConsumerTokenServices tokenServices;

  @RequestMapping(method = RequestMethod.DELETE, value = "/oauth/token")
  @ResponseBody
  public void revokeToken(HttpServletRequest request) {
    // Authorization carries the client's Basic credentials (checked by Spring before this runs);
    // the token to revoke is sent in the separate AUTH-TOKEN header.
    String authorization = request.getHeader("AUTH-TOKEN");
    if (authorization != null && authorization.contains("Bearer")) {
      String tokenId = authorization.substring("Bearer".length() + 1);
      System.out.println("tokenId : " + tokenId);   // prints the raw token; keep only while debugging
      tokenServices.revokeToken(tokenId);
      //tokenStore.removeRefreshToken(token);
    }
  }
}
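Added example (not code from the post or from Spring): a plain-Java model of the two-header flow the answer proposes, so the 401 and the header handling can be exercised outside Spring. `RevocationExample`, `revoke`, the client registry and the token store are assumptions with constructed values. It goes one step beyond the posted snippets by tolerating a bare `Bearer` header, which the `substring("Bearer".length() + 1)` arithmetic in both of them would throw on.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public final class RevocationExample {   // added example, not from the post
    /** The value of "Scheme value" when the scheme matches case-insensitively; empty otherwise. */
    static Optional<String> schemeValue(String header, String scheme) {
        if (header == null) return Optional.empty();
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length != 2 || !scheme.equalsIgnoreCase(parts[0])) return Optional.empty();
        return Optional.of(parts[1]);
    }
    /** Decode "Basic base64(client_id:secret)"; empty if the scheme is not Basic or the base64 is bad. */
    static Optional<String> basicCredentials(String authorization) {
        return schemeValue(authorization, "Basic").flatMap(b64 -> {
            try {
                return Optional.of(new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8));
            } catch (IllegalArgumentException e) {
                return Optional.empty();
            }
        });
    }
    /** Client auth rides in Authorization: Basic (its absence gave the question's 401); the token to
     *  revoke rides in AUTH-TOKEN: Bearer <token>. clients = client_id -> secret; tokens = token store. */
    static int revoke(String authorization, String authToken, Map<String, String> clients, Set<String> tokens) {
        String[] idSecret = basicCredentials(authorization).orElse("").split(":", 2);
        String expected = idSecret.length == 2 ? clients.get(idSecret[0]) : null;
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                                        idSecret[1].getBytes(StandardCharsets.UTF_8))) {
            return 401;                          // missing or wrong client credentials
        }
        Optional<String> token = schemeValue(authToken, "Bearer");
        if (token.isEmpty()) return 400;         // e.g. a bare "Bearer": the post's substring would throw instead
        tokens.remove(token.get());              // RFC 7009 section 2.2: success whether or not the token was known
        return 204;
    }
    public static void main(String[] args) {
        Map<String, String> clients = Map.of("ui-client", "ui-secret");   // constructed sample client
        Set<String> tokens = new HashSet<>(Set.of("tok-123"));            // constructed sample token store
        String basic = "Basic " + Base64.getEncoder().encodeToString("ui-client:ui-secret".getBytes(StandardCharsets.UTF_8));
        System.out.println(revoke(null, "Bearer tok-123", clients, tokens));   // bare DELETE, no client auth
        System.out.println(revoke(basic, "Bearer", clients, tokens));          // client ok, token header malformed
        System.out.println(revoke(basic, "Bearer tok-123", clients, tokens));  // client ok, token revoked
    }
}
```

The constant-time secret comparison and the "always succeed on revocation" rule are defender-side details the posted snippets leave to Spring; here they are spelled out so the model stays faithful when run on its own.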
