Spring 云 oauth2 启用撤销令牌端点
[英]Spring cloud oauth2 enable revoke token endpoint
问题描述
I need revoke token endpoint.
我需要撤销令牌端点。 It seems absent in spring framework, so I've added custom one. spring 框架中似乎没有它,所以我添加了自定义一个。 There are added two methods ( GET , DELETE ) with the same functionality (to play with that):添加了两种具有相同功能的方法( GET , DELETE )(使用它):
@FrameworkEndpoint
@RequestMapping(
value = {"oauth"},
produces = MediaType.APPLICATION_JSON_VALUE
)
@Validated
public class RevokeTokenEndpoint {
@Autowired
private DefaultTokenServices tokenServices;
@ResponseStatus(HttpStatus.NO_CONTENT)
@GetMapping(value = "revoke")
public void revokeToken(HttpServletRequest request) {
String authorization = request.getHeader("Authorization");
if (authorization != null && authorization.contains("Bearer")) {
String tokenId = authorization.substring("Bearer".length() + 1);
tokenServices.revokeToken(tokenId);
}
}
@ResponseStatus(HttpStatus.ACCEPTED)
@DeleteMapping(value = "revoke")
public void revokeToken(Authentication authentication) {
tokenServices.revokeToken(((OAuth2AuthenticationDetails) authentication
.getDetails()).getTokenValue());
}
}
If I try GET method, token is revoked successfully:如果我尝试GET方法,令牌被成功撤销:
curl -X GET -H "Authorization: Bearer e7683428-d06b-429a-9e76-91df9521c897" "http://localhost:8082/oauth/revoke"
2019-08-22 14:26:37.814 DEBUG o.s.w.s.DispatcherServlet - Completed 204 NO_CONTENT
in DELETE method case - no:在DELETE method的情况下 - 否:
2019-08-22 14:28:53.551 DEBUG o.s.b.a.a.l.AuditListener - AuditEvent [timestamp=2019-08-22T11:28:53.550Z, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A8B4925366067778DC83CDE4066F1A62, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
Question问题
Is there any recommendations how to make working oauth/revoke endpoint for the DELETE method (resolve AUTHORIZATION_FAILURE issue)?是否有任何建议如何为DELETE method制作有效的oauth/revoke端点(解决AUTHORIZATION_FAILURE问题)?
More Details更多细节
Please be informed, I tried similar functionality to GET for DELETE method also.请注意,我也尝试了与GET for DELETE method类似的功能。
My security restrictions are:我的安全限制是:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/actuator/**", "/oauth/revoke")
.permitAll()
.anyRequest()
.authenticated();
}
1 个解决方案
解决方案1
0 2022-08-18 17:35:21
Try using as path /oauth/token instead, eg:尝试使用路径/oauth/token代替,例如:
@ResponseStatus(HttpStatus.ACCEPTED)
@DeleteMapping(value = "token")
public void revokeToken(Authentication authentication) {
tokenServices.revokeToken(((OAuth2AuthenticationDetails) authentication
.getDetails()).getTokenValue());
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.