MobileFirst OAuth and Logout


Problem description

I have a test application that accesses two Adapters:

  1. A JavaScript adapter protected by a SecurityTest that references a realm
  2. A Java adapter whose methods are protected by an OAuth scope corresponding to the same realm.

If I follow this sequence everything works as expected:

  1. Attempt to access the JS adapter, I get challenged, authenticate, get data.
  2. WL.Client.isUserAuthenticated() and WL.Client.getUserInfo() now behave as expected
  3. Logout using WL.Client.logout()
  4. WL.Client.isUserAuthenticated() now shows I'm not authenticated
  5. A second attempt to access the JS adapter causes another Challenge, as expected.

However, with the Java Adapter logout() seems not to behave as expected.

  1. Starting with no session, attempt to access the Java adapter, the challenge happens as expected and I get to my data
  2. I can now access the JS adapter without further challenge and the WL.Client.getUserInfo() calls give the expected results.
  3. WL.Client.logout() appears to work, in that WL.Client.isUserAuthenticated() now shows I'm not authenticated
  4. But a call to the Java adapter still works without further challenge
  5. A call to the JS adapter does result in a challenge

If I'm running in my browser simulator environment I can destroy the OAuth session by using this command:

 localStorage.removeItem("com.worklight.oauth.idtoken")

The question is:

Should the WL.Client.logout() method have destroyed the OAuth session? If not what API should I be using?

Recommended answer

With OAuth, logout 'works' differently. See the following user documentation topic (search for "logout"): http://www-01.ibm.com/support/knowledgecenter/SSHS8R_7.0.0/com.ibm.worklight.dev.doc/dev/c_oauth_security_model.html?lang=en

The login/logout API:

The WLClient login/logout API enables a user to log in to and log out of a specific realm, by updating the server side security state. However, in the new OAuth-based security model, security credentials are also kept in the access token on the client side. The result is that using this API will cause an inconsistent state, for example, in which the client is logged out of a realm on the server side but still holds a valid token for that realm on the client side. To solve this inconsistency, it is recommended to re-obtain the access token, by using the obtainAuthorizationHeaderForScope method, after successful login or logout.

For example, consider a client that passed the security checks for Realm1 and Realm2, and later calls logout(Realm2). In this case, the access token on the client would still contain the security credentials for both Realm1 and Realm2, and the client could use this token to access protected resources. To refresh the token, that is, to obtain a token for Realm1 only, the client calls obtainAuthorizationHeaderForScope without the logged out realm Realm2.

In JavaScript the equivalent call is:

 WLAuthorizationManager.obtainAuthorizationHeader("SomeRealm")
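The inconsistency the answer describes, reproduced as an added, self-contained model (not MobileFirst SDK code and not part of the original post): a server that tracks per-realm login state, a client that caches an access token whose scope lists realms, and a protected resource that validates only the token. The object names, the Realm1/Realm2 scope string and the resource check are assumptions of this example; the fix shown is the documented one, re-obtaining the token for the remaining scope after logout.

```javascript
// Constructed model of the MobileFirst 7.0 OAuth security model (assumed names).
const authServer = {
  loggedIn: new Set(),                     // realms the server considers authenticated
  login(realm) { this.loggedIn.add(realm); },
  logout(realm) { this.loggedIn.delete(realm); }, // what WL.Client.logout(realm) updates
  // Issue a token only if every realm in the requested scope is logged in;
  // otherwise the real server would answer with a challenge (modelled as null).
  issueToken(scope) {
    const realms = scope.split(" ").filter(Boolean);
    if (!realms.every(r => this.loggedIn.has(r))) return null;
    return { scope: realms, issuedAt: Date.now() };
  },
  // A protected resource (e.g. the Java adapter) validates the presented token's
  // scope; it does not consult the per-realm login state, which is why a stale
  // token keeps working after logout.
  accessResource(token, requiredRealm) {
    return token !== null && token.scope.includes(requiredRealm);
  },
};

const client = {
  cachedToken: null,                       // the client-side copy of the access token
  // Models WLAuthorizationManager.obtainAuthorizationHeader(scope): fetch and cache.
  obtainAuthorizationHeader(scope) {
    this.cachedToken = authServer.issueToken(scope);
    return this.cachedToken;
  },
};

function establishSession() {            // passed the checks for both realms
  authServer.login("Realm1");
  authServer.login("Realm2");
  client.obtainAuthorizationHeader("Realm1 Realm2");
}

// The questioner's sequence: logout(Realm2) without refreshing the token.
function logoutWithoutRefresh() {
  establishSession();
  authServer.logout("Realm2");
  // Returns true: server says logged out, but the cached token still carries Realm2.
  return authServer.accessResource(client.cachedToken, "Realm2");
}

// The documented fix: re-obtain the token for the remaining realms after logout.
function logoutWithRefresh() {
  establishSession();
  authServer.logout("Realm2");
  client.obtainAuthorizationHeader("Realm1"); // scope without the logged-out realm
  return {
    realm1: authServer.accessResource(client.cachedToken, "Realm1"), // true
    realm2: authServer.accessResource(client.cachedToken, "Realm2"), // false
  };
}
```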
