在不使用基本身份验证的情况下撤销 Oauth2 令牌
我正在尝试实现书中的示例 OAuth-2.0-Cookbook 使用 Spring Cloud OAuth2.
I'm trying to implement the example from the book OAuth-2.0-Cookbook using Spring cloud OAuth2.
我设法实现了他的功能,但不幸的是我遇到了一个问题:为了成功调用,我必须提供基本的身份验证凭据(Authorization: Basic YWRtaW46cXdlcnR5
):
I managed to implement his functionality but unfortunately I'm facing a problem: In order to make successful call I have to provide basic authentication credentials(Authorization: Basic YWRtaW46cXdlcnR5
):
@PostMapping("/oauth/revoke")
public ResponseEntity<String> revoke(@RequestParam Map<String, String> params) {
RevocationService revocationService = revocationServiceFactory
.create(params.get("token_type_hint"));
revocationService.revoke(params.get("token"));
return ResponseEntity.ok().build();
}
Github 来源
我喜欢在发出 POST 请求以撤销令牌时进行某种身份验证的想法,但我不认为 Angular SPA 应用程序应该一直保留用户名和密码以成功调用 /oauth/revoke.
I like the idea to have some kind of authentication when POST request is made to revoke a token but I don't think that Angular SPA app should hold the username and password all the time in order to make a successful call to /oauth/revoke
.
通常,Google 上的解决方案只有一个仅接受令牌的端点.对于这种情况,我不知道什么解决方案是合适的.
In general the solution on Google have the just a endpoint which accept only token. For that cases I don't know what solution can be appropriate.
如何将基本身份验证功能移除到 Spring Cloud OAuth2 中?我使用这个安全配置:
How I can remove the basic authentication functionality into Spring Cloud OAuth2? I use this security config:
http
.csrf()
.disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
// Configure token authentication permissions
.requestMatchers().antMatchers(HttpMethod.POST,"/oauth/token")
.and()
// Configure token revoke permissions
.requestMatchers().antMatchers(HttpMethod.POST,"/oauth/revoke")
.and()
.httpBasic()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
Github 来源:
您可以像这样禁用撤销端点的身份验证
you can disable the authetication for revoke endpoint like this
http
...
.authorizeRequests()
.antMatchers("/oauth/revoke").permitAll()
...