如何在jhipster中配置SpringOAuth2以针对gitlab进行无状态身份验证?

zvokhttg  于 2021-09-29  发布在  Java
关注(0)|答案(0)|浏览(286)

我已经针对gitlab存储库设置了jhipster(3.9.0)的基于oauth2的安装(spring-security-oauth2-core 5.2.4)。主要遵循https://www.jhipster.tech/security/#oauth2 但是使用gitlab而不是KeyClope。
这是application.yml的摘录:

spring: ...
     security:
      oauth2:
       client:
        provider:
          oidc:
            issuer-uri: https://gitlab.mysite.com
         registration:
          oidc:
            client-id: 1234123412322312312312312312321312321312
            client-secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

实际上,oauth2身份验证工作正常,直到会话在内部过期。当客户端返回jsession id cookie时,底层底层底层底层基础结构抛出 java.lang.IllegalStateException: UT000010: Session is invalid .
看来 org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository.saveAuthorizationRequest 将authorizationrequest存储在用户会话中,而不关心会话管理配置:(参见下面的最后一行)

@Override
    public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest, HttpServletRequest request,
                                            HttpServletResponse response) {
        Assert.notNull(request, "request cannot be null");
        Assert.notNull(response, "response cannot be null");
        if (authorizationRequest == null) {
            this.removeAuthorizationRequest(request, response);
            return;
        }
        String state = authorizationRequest.getState();
        Assert.hasText(state, "authorizationRequest.state cannot be empty");
        Map<String, OAuth2AuthorizationRequest> authorizationRequests = this.getAuthorizationRequests(request);
        authorizationRequests.put(state, authorizationRequest);
        request.getSession().setAttribute(this.sessionAttributeName, authorizationRequests);
    }

这种方法似乎与jhipster基于jwt的无状态身份验证方法相矛盾(参见。https://github.com/jhipster/generator-jhipster/issues/8627). 无论如何,spring2 oauth2管理似乎伪造了经典的负载平衡方法。
有没有办法在spring中配置oauth2管理,使其在gitlab中无状态工作?

暂无答案!

目前还没有任何答案,快来回答吧!

相关问题