[英]Revoke Oauth2 token without using Basic Auth
I'm trying to implement the example from the book OAuth-2.0-Cookbook using Spring cloud OAuth2.我正在尝试使用 Spring 云 OAuth2 实现OAuth-2.0-Cookbook书中的示例。
I managed to implement his functionality but unfortunately I'm facing a problem: In order to make successful call I have to provide basic authentication credentials( Authorization: Basic YWRtaW46cXdlcnR5
):我设法实现了他的功能,但不幸的是我遇到了一个问题:为了成功调用,我必须提供基本的身份验证凭据( Authorization: Basic YWRtaW46cXdlcnR5
):
@PostMapping("/oauth/revoke")
public ResponseEntity<String> revoke(@RequestParam Map<String, String> params) {
RevocationService revocationService = revocationServiceFactory
.create(params.get("token_type_hint"));
revocationService.revoke(params.get("token"));
return ResponseEntity.ok().build();
}
I like the idea to have some kind of authentication when POST request is made to revoke a token but I don't think that Angular SPA app should hold the username and password all the time in order to make a successful call to /oauth/revoke
.我喜欢在发出 POST 请求以撤销令牌时进行某种身份验证的想法,但我不认为 Angular SPA 应用程序应该一直保存用户名和密码才能成功调用/oauth/revoke
.
In general the solution on Google have the just a endpoint which accept only token.一般来说,谷歌上的解决方案只有一个只接受令牌的端点。 For that cases I don't know what solution can be appropriate.对于那种情况,我不知道什么解决方案是合适的。
How I can remove the basic authentication functionality into Spring Cloud OAuth2?如何将基本身份验证功能删除到 Spring Cloud OAuth2 中? I use this security config:我使用这个安全配置:
http
.csrf()
.disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
// Configure token authentication permissions
.requestMatchers().antMatchers(HttpMethod.POST,"/oauth/token")
.and()
// Configure token revoke permissions
.requestMatchers().antMatchers(HttpMethod.POST,"/oauth/revoke")
.and()
.httpBasic()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
you can disable the authetication for revoke endpoint like this您可以像这样禁用撤销端点的身份验证
http
...
.authorizeRequests()
.antMatchers("/oauth/revoke").permitAll()
...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.