
Is there any implementation of OIDC Session Management and Logout mechanism in Spring Authorization Server for implementing Single Sign On?

I am trying to implement Single Sign On using Spring Authorization Server, which is based on OAuth2 and OIDC for Authorization and Authentication respectively, but as per the Spring Authorization Server feature list OIDC support is not fully integrated. Mainly the session management and logout part, I couldn't find. Also, is there any workaround for implementing SSO and logout?

Feature List URL: https://docs.spring.io/spring-authorization-server/docs/current/reference/html/overview.html

These features are still on the backlog but are not scheduled yet (as of the time of this writing). See #58 and #266 respectively to follow progress on these features.

Given that there are a number of pieces to the specifications for both of these features, I imagine it would be a bit of a hassle to attempt a fully spec-compliant implementation of them as extensions to SAS (though I'm sure it's possible). Instead, you might pick a minimal subset of the logout feature as a way to get started.

Using Spring Security configuration, you can configure a logout endpoint in a custom way. Here's some pseudocode to get you started:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;

@Configuration
public class LogoutSecurityConfig {

    @Bean
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize
                .anyRequest().authenticated()
            )
            .formLogin(Customizer.withDefaults())
            .logout((logout) -> logout
                // Accept both GET (browser redirect from the client) and POST (confirmation form)
                .logoutRequestMatcher(new OrRequestMatcher(
                    new AntPathRequestMatcher("/logout", "GET"),
                    new AntPathRequestMatcher("/logout", "POST")
                ))
                // Runs before the session is invalidated
                .addLogoutHandler((request, response, authentication) -> {
                    // Logic to validate an id_token_hint, client_id, etc.
                    // Throw exception in case of invalid request
                })
                // Runs after the session is invalidated
                .logoutSuccessHandler((request, response, authentication) -> {
                    // Get state and calculate redirect for logout success back to client
                    // http://127.0.0.1:8080/logout?success&state=...
                    // new SimpleUrlLogoutSuccessHandler()...
                })
            );
        return http.build();
    }
}

This assumes validation of some kind is implemented to prevent CSRF, denial of service, etc. You might also choose to add a logout confirmation page as a separate endpoint of the auth server that redirects to the logout endpoint when the user clicks a "Confirm" button, etc.

To use this, you simply redirect from your client application to the logout confirmation page, which redirects to the logout endpoint on confirm, which then redirects back to the client (which can then log out of the client automatically).
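Concrete bodies for the two lambdas in the answer above, as an added example that is not the answer author's code nor part of Spring Authorization Server. It assumes Java 17+, a `JwtDecoder` bean configured for the authorization server's own issuer and signing keys, and an explicitly maintained allowlist of exact `post_logout_redirect_uri` values per `client_id` (all assumptions); it would be wired in with `.addLogoutHandler(handlers.validator())` and `.logoutSuccessHandler(handlers.redirector())`.

```java
import java.util.Map;
import java.util.Set;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.web.util.UriComponentsBuilder;

// Added example (not the answer's or SAS's code). Assumes a JwtDecoder for this server's issuer
// and an allowlist of client_id -> exact post_logout_redirect_uri values; fallbackUrl is a local page.
public record OidcLogoutHandlers(JwtDecoder jwtDecoder, Map<String, Set<String>> allowedPostLogoutUris,
                                 String fallbackUrl) {
    /** Runs before the session is invalidated; rejects requests that do not prove possession of this user's ID token. */
    public LogoutHandler validator() {
        return (request, response, authentication) -> {
            String hint = request.getParameter("id_token_hint");
            String clientId = request.getParameter("client_id");
            if (hint == null || clientId == null) throw new IllegalArgumentException("id_token_hint and client_id are required");
            Jwt idToken;
            try {
                idToken = jwtDecoder.decode(hint); // checks signature, issuer and (with default validators) expiry
            } catch (JwtException e) {
                throw new IllegalArgumentException("invalid id_token_hint", e);
            }
            if (!idToken.getAudience().contains(clientId)) throw new IllegalArgumentException("id_token_hint not issued to client_id");
            if (authentication != null && !idToken.getSubject().equals(authentication.getName()))
                throw new IllegalArgumentException("id_token_hint belongs to a different user");
            if (!isAllowedRedirect(clientId, request.getParameter("post_logout_redirect_uri")))
                throw new IllegalArgumentException("post_logout_redirect_uri not registered for client");
        };
    }

    /** After logout, redirect only to an exact-match registered URI, echoing the client's state. */
    public LogoutSuccessHandler redirector() {
        return (request, response, authentication) -> {
            String clientId = request.getParameter("client_id");
            String target = request.getParameter("post_logout_redirect_uri");
            if (target == null || !isAllowedRedirect(clientId, target)) target = fallbackUrl;
            UriComponentsBuilder uri = UriComponentsBuilder.fromUriString(target);
            String state = request.getParameter("state");
            if (state != null) uri.queryParam("state", state);
            response.sendRedirect(uri.build().toUriString());
        };
    }

    // Exact comparison only: prefix or wildcard matching would turn the endpoint into an open redirect.
    private boolean isAllowedRedirect(String clientId, String uri) {
        return uri == null || allowedPostLogoutUris.getOrDefault(clientId, Set.of()).contains(uri);
    }
}
```

The default `NimbusJwtDecoder` validators reject an expired token, while OIDC RP-Initiated Logout lets the OP accept an expired `id_token_hint` for a user who still has a session; if you want that behaviour, build the decoder with a validator set that omits the timestamp check.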
