How to configure Spring OAuth2 in JHipster for stateless authentication against GitLab?

zvokhttg, published 2021-09-29 in Java
Follow (0) | Answers (0) | Views (278)

I have set up an OAuth2-based installation of JHipster (3.9.0) against a GitLab repository (spring-security-oauth2-core 5.2.4), mainly following https://www.jhipster.tech/security/#oauth2 but using GitLab instead of Keycloak.
Here is an excerpt from application.yml:

spring: ...
  security:
    oauth2:
      client:
        provider:
          oidc:
            issuer-uri: https://gitlab.mysite.com
        registration:
          oidc:
            client-id: 1234123412322312312312312312321312321312
            client-secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

In practice, OAuth2 authentication works fine until the session expires internally. When the client sends the JSESSIONID cookie back, the underlying infrastructure throws java.lang.IllegalStateException: UT000010: Session is invalid.
It looks like org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository.saveAuthorizationRequest stores the AuthorizationRequest in the user session without regard to the session management configuration (see the last line below):

    @Override
    public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest, HttpServletRequest request,
                                         HttpServletResponse response) {
        Assert.notNull(request, "request cannot be null");
        Assert.notNull(response, "response cannot be null");
        if (authorizationRequest == null) {
            this.removeAuthorizationRequest(request, response);
            return;
        }
        String state = authorizationRequest.getState();
        Assert.hasText(state, "authorizationRequest.state cannot be empty");
        Map<String, OAuth2AuthorizationRequest> authorizationRequests = this.getAuthorizationRequests(request);
        authorizationRequests.put(state, authorizationRequest);
        request.getSession().setAttribute(this.sessionAttributeName, authorizationRequests);
    }

This approach seems to contradict JHipster's JWT-based stateless authentication approach (cf. https://github.com/jhipster/generator-jhipster/issues/8627). In any case, the Spring OAuth2 management seems to defeat the classic load-balancing approach.
Is there a way to configure OAuth2 management in Spring so that it works statelessly with GitLab?
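The session coupling the question points at lives entirely in the `AuthorizationRequestRepository` that `oauth2Login()` uses between the redirect to GitLab and the callback. Spring Security 5.2 lets you swap that repository, so the pending `OAuth2AuthorizationRequest` can be carried in a cookie instead of an `HttpSession`. The following class is an added example written for this page; it is not code from the question, from JHipster, or from Spring Security. The class name, the cookie name `oauth2_auth_request`, the 180-second lifetime and the HMAC key handling are assumptions. The cookie is HMAC-signed and the signature is verified before any bytes reach `ObjectInputStream`, so only payloads this server (or a sibling node sharing the key) issued are ever deserialized:

```java
// Added example, not part of the question or of Spring Security: a cookie-backed
// AuthorizationRequestRepository so the pending OAuth2AuthorizationRequest needs no session.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.web.util.WebUtils;

public class CookieOAuth2AuthorizationRequestRepository
        implements AuthorizationRequestRepository<OAuth2AuthorizationRequest> {

    static final String COOKIE_NAME = "oauth2_auth_request";   // assumed name
    private static final int COOKIE_MAX_AGE_SECONDS = 180;     // covers the redirect round trip
    private static final String HMAC_ALG = "HmacSHA256";
    private final byte[] hmacKey;                              // same key on every node behind the balancer

    public CookieOAuth2AuthorizationRequestRepository(byte[] hmacKey) {
        this.hmacKey = hmacKey.clone();
    }

    @Override
    public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
        Cookie cookie = WebUtils.getCookie(request, COOKIE_NAME);
        return cookie == null ? null : decode(cookie.getValue());
    }

    @Override
    public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest,
                                         HttpServletRequest request, HttpServletResponse response) {
        if (authorizationRequest == null) {
            removeAuthorizationRequest(request, response);
            return;
        }
        Cookie cookie = new Cookie(COOKIE_NAME, encode(authorizationRequest));
        cookie.setPath("/");
        cookie.setHttpOnly(true);                  // not readable from page scripts
        cookie.setSecure(request.isSecure());      // only over TLS when the flow started over TLS
        cookie.setMaxAge(COOKIE_MAX_AGE_SECONDS);
        response.addCookie(cookie);
    }

    @Override
    public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request) {
        return loadAuthorizationRequest(request);
    }

    @Override
    public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request,
                                                                  HttpServletResponse response) {
        OAuth2AuthorizationRequest stored = loadAuthorizationRequest(request);
        Cookie expired = new Cookie(COOKIE_NAME, "");
        expired.setPath("/");
        expired.setMaxAge(0);                      // clear the cookie once the callback is consumed
        response.addCookie(expired);
        return stored;
    }

    // Cookie value = base64url(serialized request) "." base64url(HMAC-SHA256 over those bytes).
    String encode(OAuth2AuthorizationRequest authorizationRequest) {
        try (ByteArrayOutputStream bytes = new ByteArrayOutputStream();
             ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(authorizationRequest);   // OAuth2AuthorizationRequest is Serializable
            out.flush();
            byte[] payload = bytes.toByteArray();
            Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
            return b64.encodeToString(payload) + "." + b64.encodeToString(hmac(payload));
        } catch (IOException e) {
            throw new IllegalStateException("cannot serialize authorization request", e);
        }
    }

    OAuth2AuthorizationRequest decode(String cookieValue) {
        int dot = cookieValue.lastIndexOf('.');
        if (dot < 0) {
            return null;                             // malformed: treat as absent
        }
        try {
            Base64.Decoder b64 = Base64.getUrlDecoder();
            byte[] payload = b64.decode(cookieValue.substring(0, dot));
            byte[] mac = b64.decode(cookieValue.substring(dot + 1));
            // Constant-time check; only server-signed bytes ever reach ObjectInputStream.
            if (!MessageDigest.isEqual(hmac(payload), mac)) {
                return null;
            }
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
                return (OAuth2AuthorizationRequest) in.readObject();
            }
        } catch (IllegalArgumentException | IOException | ClassNotFoundException | ClassCastException e) {
            return null;                             // tampered, truncated or foreign cookie
        }
    }

    private byte[] hmac(byte[] data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(hmacKey, HMAC_ALG));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Register it on the `oauth2Login()` DSL with `http.oauth2Login().authorizationEndpoint().authorizationRequestRepository(new CookieOAuth2AuthorizationRequestRepository(key))` and keep `sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)`; the key must be the same on every node, otherwise a callback landing on a different node behind the balancer fails signature verification and is treated as having no pending request. Spring's callback filter still compares the `state` parameter GitLab returns with the `state` inside the stored request, so the cookie keeps binding the callback to the browser that started the flow. Two caveats: a serialized request is typically around one to two kilobytes, which fits the usual 4 KB cookie limit but is worth measuring with your scopes and additional parameters; and this only removes the session from the redirect leg. The `Authentication` produced after the callback still has to be kept somewhere stateless, such as the JWT JHipster already issues, which this class does not do.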
