如何关闭用户会话/身份验证。 在 Spring OAuth2 中为用户/客户端发送访问令牌后的上下文
[英]How to close user session/auth. context after access token is sent for a user/client in Spring OAuth2
问题描述
I am implementing an app, let's call it OAuth2Client , whose authentication/authorization layer is managed with the spring OAuth2 protocol implementation on a different server, OAuth2Server .
我正在实现一个应用程序,我们称之为OAuth2Client ,其身份验证/授权层由不同服务器OAuth2Server上的 spring OAuth2 协议实现管理。 Everything is working great so far, I just want to divert a little bit from the "normal" OAuth2 flow.到目前为止一切都很好,我只是想从“正常”的 OAuth2 流程中转移一点。
So for example, in my third party app OAuth2Client , when users wants to log in, they have to authenticate via OAuth2Server .例如,在我的第三方应用OAuth2Client 中,当用户想要登录时,他们必须通过OAuth2Server进行身份验证。 We then have the familiar OAuth2 flow where the user is redirected to the authentication page of the OAuth2Server , enters credentials, is asked for the permission to access his/her data etc.然后我们有熟悉的 OAuth2 流程,其中用户被重定向到OAuth2Server的身份验证页面,输入凭据,被要求访问他/她的数据等。
If authentication is successful, he is redirected to the 'redirect_uri' registered with the OAuth2Client app, with the auth.如果身份验证成功,他将被重定向到在OAuth2Client应用程序中注册的“redirect_uri”,并带有 auth. 'code' included in the request.请求中包含“代码”。 OAuth2Client then exchanges this 'code' with an 'access token' via an api call to the access token endpoint on the OAuth2Server . OAuth2Client然后通过对OAuth2Server上的访问令牌端点的 api 调用将此“代码”与“访问令牌”交换。
What I want to do is close the user session/authentication context immediately after the user has successfully authenticated and has been provided with an access token.我想要做的是在用户成功通过身份验证并获得访问令牌后立即关闭用户会话/身份验证上下文。
I thought of using a filter to do that but I am not sure whether that's the best solution.我想过使用过滤器来做到这一点,但我不确定这是否是最好的解决方案。
Any help would be appreciated thanks in advance...任何帮助将不胜感激提前感谢...
2 个解决方案
解决方案1
2 2015-04-21 20:11:47
I don't think you can attach the session event to the /token endpoint, but the session is actually not needed any more after the user has approved the grant and the authorization code is issued.我不认为您可以将会话事件附加到 /token 端点,但是在用户批准授权并发出授权代码后,实际上不再需要会话。 So this would work:所以这会起作用:
@Controller
@SessionAttributes("authorizationRequest")
public class ApprovalEndpoint {
@RequestMapping("/oauth/confirm_access")
public ModelAndView getAccessConfirmation(Map<String, Object> model, HttpServletRequest request, SessionStatus status) throws Exception {
String template = createTemplate(model, request);
if (request.getAttribute("_csrf") != null) {
model.put("_csrf", request.getAttribute("_csrf"));
}
status.setComplete();
return new ModelAndView(new SpelView(template), model);
}
}
Or you could use a Filter as you suggest, but since you probably want to customize the user experience for approval anyway, you might as well do it via this endpoint.或者您可以按照您的建议使用Filter ,但由于您可能希望自定义用户体验以供批准,您不妨通过此端点来完成。
解决方案2
1 2020-03-11 17:29:17
My oauth clients are set to autoApprove(true) , so I cannot do as Dave says.我的 oauth 客户端设置为 autoApprove(true) ,所以我不能像戴夫说的那样做。 My solution is mapping /oauth/authorize to another endpoint ,and inject the origin AuthorizationEndpoint, after origin Endpoint finish his work, call request.getSession().invalidate();我的解决方案是将 /oauth/authorize 映射到另一个端点,并注入源 AuthorizationEndpoint,在源端点完成工作后,调用 request.getSession().invalidate();
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.bind.support.SessionStatus;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.View;
import javax.servlet.http.HttpServletRequest;
import java.security.Principal;
import java.util.Map;
@Controller
@RequestMapping
@SessionAttributes({SessionClosedAuthorizationEndpoint.AUTHORIZATION_REQUEST_ATTR_NAME, SessionClosedAuthorizationEndpoint.ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME})
public class SessionClosedAuthorizationEndpoint {
private AuthorizationEndpoint authorizationEndpoint;
@Autowired
public void setAuthorizationEndpoint(AuthorizationEndpoint authorizationEndpoint) {
this.authorizationEndpoint = authorizationEndpoint;
}
static final String AUTHORIZATION_REQUEST_ATTR_NAME = "authorizationRequest";
static final String ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME = "org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.ORIGINAL_AUTHORIZATION_REQUEST";
@RequestMapping(value = "/oauth/authorize/custom")
public ModelAndView authorize(HttpServletRequest request, Map<String, Object> model, @RequestParam Map<String, String> parameters, SessionStatus sessionStatus, Principal principal) {
ModelAndView authorize = authorizationEndpoint.authorize(model, parameters, sessionStatus, principal);
request.getSession().invalidate();
return authorize;
}
@RequestMapping(value = "/oauth/authorize/custom", method = RequestMethod.POST, params = OAuth2Utils.USER_OAUTH_APPROVAL)
public View approveOrDeny(@RequestParam Map<String, String> approvalParameters, Map<String, ?> model,
SessionStatus sessionStatus, Principal principal){
return authorizationEndpoint.approveOrDeny(approvalParameters,model,sessionStatus,principal);
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.