Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
815 views
in Technique[技术] by (71.8m points)

java - Spring Boot OAuth2 Single Sign Off (Logout)

I'm considering to use OAuth2 for my application. The architecture I'm trying to implement is as follows:

  • I will have my own (and only this) Authorization Server
  • Some Resource Apps validating access to their resources using the Authorization Server
  • Some client apps (web, mobile) which will redirect the user to the Authorization Server for authentication and on success will consume the api's on the Resource Apps.

So far I have managed to implement this interaction between 3 basic apps (1 auth server, 1 resource server and 1 client). The thing I don't get working is the logout functionality. I have read of the "notoriously tricky problem" that Dave Syer describes in his tutorial, but in this case I really need the user to re-login after loging out. I have tried giving few seconds to the access token and the refresh token, but instead of being prompted to login again when the expiration arrives, I'm getting a NPE on the client app. I have also tried the solutions proposed in this post to remove the token from the token store, but it doesn't work. The single sign off is for me the desirable behaviour for this implementation. How can I achieve this using Spring Boot Oauth2. If it is not possible for some reason, which alternatives I could use to implement a centralized security using Spring Boot?

Thanks in advance.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

After a lot of tests I have realized that this can be solved just with a redirect to the AuthServer and doing logout programmatically like this:

  • In the client app (WebSecurityConfigurerAdapter):

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .logout()
                .logoutSuccessUrl("http://your-auth-server/exit");
    }
    
  • In the authorization server:

    @Controller
    public class LogoutController {
    
        @RequestMapping("/exit")
        public void exit(HttpServletRequest request, HttpServletResponse response) {
            // token can be revoked here if needed
            new SecurityContextLogoutHandler().logout(request, null, null);
            try {
                //sending back to client app
                response.sendRedirect(request.getHeader("referer"));
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
    

I have posted a sample app on github with a full example of this implementation.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...