Spring Boot OAuth2 Single Sign Off (Logout)


Problem description

I'm considering using OAuth2 for my application. The architecture I'm trying to implement is as follows:


  • I will have my own (and only) authorization server

  • Some resource apps that validate access to their resources with the authorization server

  • Some client apps (web, mobile) that redirect the user to the authorization server to authenticate and, on success, consume the APIs on the resource apps.

So far I have managed to implement this interaction between 3 basic apps (1 auth server, 1 resource server and 1 client). The thing I don't get working is the logout functionality. I have read of the "notoriously tricky problem" that Dave Syer describes in his tutorial, but in this case I really need the user to re-login after logging out. I have tried giving a few seconds to the access token and the refresh token, but instead of being prompted to login again when the expiration arrives, I'm getting an NPE on the client app. I have also tried the solutions proposed in this post to remove the token from the token store, but it doesn't work. The single sign off is for me the desirable behaviour for this implementation. How can I achieve this using Spring Boot OAuth2? If it is not possible for some reason, which alternatives could I use to implement centralized security using Spring Boot?

Thanks in advance.

Recommended answer

After a lot of tests I have realized that this can be solved just with a redirect to the AuthServer and doing logout programmatically like this:


  • In the client app (WebSecurityConfigurerAdapter):

    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    public class ClientSecurityConfig extends WebSecurityConfigurerAdapter { // class name is illustrative
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .logout()
                // once the client's local session is cleared, send the browser to the auth server's logout endpoint
                .logoutSuccessUrl("http://your-auth-server/exit");
        }
    }


  • In the authorization server:

    import java.io.IOException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;

    @Controller
    public class LogoutController {

        @RequestMapping("/exit")
        public void exit(HttpServletRequest request, HttpServletResponse response) {
            // token can be revoked here if needed
            // invalidate the auth server session and clear the SecurityContext
            new SecurityContextLogoutHandler().logout(request, null, null);
            try {
                // sending back to client app; the Referer header is supplied by the browser,
                // may be absent, and can point anywhere, so it should be validated in production
                response.sendRedirect(request.getHeader("referer"));
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }


  • I have posted a sample app on github with a full example of this implementation.
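A hardened variant of the `/exit` endpoint, added here as an example; it is not code from the original answer or the linked sample app. It assumes the auth server exposes its `TokenStore` as a bean and keeps a map from registered client origins to their `client_id` (`SingleSignOffController`, `acme-web` and the origins are constructed names); it revokes the user's tokens for the calling client, as the comment in the answer suggests, and only redirects back to a registered origin instead of trusting the Referer header as-is.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class SingleSignOffController {
    // Constructed allow-list: client origin -> client_id registered on this auth server (Referer is caller-controlled).
    private static final Map<String, String> CLIENT_ORIGINS =
            Map.of("http://localhost:8080", "acme-web", "https://app.example.com", "acme-web");
    private static final String FALLBACK = "/login?logout";
    private final TokenStore tokenStore; // the auth server's TokenStore bean (InMemory, Jdbc, ...)
    public SingleSignOffController(TokenStore tokenStore) { this.tokenStore = tokenStore; }
    @RequestMapping("/exit")
    public void exit(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String referer = request.getHeader("Referer");
        String clientId = CLIENT_ORIGINS.get(originOf(referer)); // null when unknown or unparsable
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // 1. Revoke every access and refresh token this user holds for the calling client, so it cannot outlive the session.
        if (auth != null && clientId != null) {
            for (OAuth2AccessToken t : tokenStore.findTokensByClientIdAndUserName(clientId, auth.getName())) {
                if (t.getRefreshToken() != null) tokenStore.removeRefreshToken(t.getRefreshToken());
                tokenStore.removeAccessToken(t);
            }
        }
        // 2. Invalidate the auth server session and clear the SecurityContext.
        new SecurityContextLogoutHandler().logout(request, response, auth);
        // 3. Send the browser back only to a registered client origin; otherwise to the local login page.
        response.sendRedirect(clientId != null ? referer : FALLBACK);
    }
    // scheme://host[:port] of a URL, or "" when it cannot be parsed ("" is a safe miss; Map.of rejects null keys).
    static String originOf(String url) {
        if (url == null) return "";
        try {
            URI u = URI.create(url);
            if (u.getScheme() == null || u.getHost() == null) return "";
            return u.getScheme() + "://" + u.getHost() + (u.getPort() == -1 ? "" : ":" + u.getPort());
        } catch (IllegalArgumentException e) {
            return "";
        }
    }
}
```

Because the match is on the parsed origin, a Referer such as `http://localhost:8080@evil.example` or `https://app.example.com.evil.example/` falls through to the local login page rather than being followed.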
