使用@FrameworkEndpoint退出Spring Security Oauth2
我正在尝试通过撤消 access_token 这样的方式注销:
I am trying to logout by revoking access_token like this :
@FrameworkEndpoint
public class SecurityLogoutController {
@Autowired
private ConsumerTokenServices consumerTokenServices;
@DeleteMapping( "/oauth/token" )
public ResponseEntity<Void> logout( WebRequest request ) {
String bearer = "bearer";
String authorizationHeader = request.getHeader( HttpHeaders.AUTHORIZATION );
log.info( "authorization header: {}", authorizationHeader );
if ( authorizationHeader != null && StringUtils.containsIgnoreCase( authorizationHeader, bearer ) ) {
String accessTokenID = authorizationHeader.substring( bearer.length() + 1 );
log.info( "access_token: {}", accessTokenID );
consumerTokenServices.revokeToken( accessTokenID );
}
return ...;
}
}
但是每次我向邮递员发送此删除请求时,都会收到以下响应:
But every time I send this delete request with Postman I got this response:
{
"timestamp": "2018-05-30T01:09:11.710+0000",
"status": 401,
"error": "Unauthorized",
"message": "Unauthorized",
"path": "/oauth/token"
}
端点在幕后受到 Spring Security 的保护,我不知道该端点是如何以及在哪里受到保护的.我不明白的是:为什么客户端必须重新进行身份验证才能获得已被身份验证的 access_token ?对我来说似乎很奇怪.
The endpoint is protected by Spring Security behind the scene and I don't know how and where this endpoint is protected. What I don't understand is: why the client should authenticate again since to get the access_token it had been authenticated? It seems strange for me.
现在,当我对客户端进行身份验证时,Postman会自动替换 Authorization 标头值,并使用基本身份验证进行设置.像这样的东西:基本Y2hpY293YS11aXNlcnZpY2U6Y2aXNlcnZpY2U =
Now when I authenticate the client, Postman automatically replace the Authorization header value and set it with basic authentication. Something like: Basic Y2hpY293YS11aXNlcnZpY2U6Y2aXNlcnZpY2U=
需要一些帮助...谢谢
Need some helps... Thanks
这实际上很有意义,因为已经登录的人可以使用提供的令牌注销.浏览器应用程序肯定会具有client_id和通过的秘密.
It actually makes sense because a logout can be done with the provided token by the one who already is logged in. The browser app will for sure have the client_id and secret to pass.
即使我有相同的问题,并在SO上发布了相同的内容.嗯..一种解决方法是,您使用client_id和secret进行基本身份验证,并且重要的是将要删除的实际令牌的值传递给另一个名为AUTH-TOKEN(或其他名称)的标头.这是代码
Even I have same problem and have posted the same on SO. Well.. one way out is that you do basic authentication with client_id and secret and importantly pass another header called AUTH-TOKEN (or something else) with the value of the actual token that you want to delete. Here is the code
@RequestMapping(method = RequestMethod.DELETE, value = "/oauth/token")
@ResponseBody
public void revokeToken(HttpServletRequest request) {
String authorization = request.getHeader("AUTH-TOKEN");
if (authorization != null && authorization.contains("Bearer")) {
String tokenId = authorization.substring("Bearer".length() + 1);
System.out.println("tokenId : " + tokenId);
tokenServices.revokeToken(tokenId);
//tokenStore.removeRefreshToken(token);
}
}