spring-security Spring Cloud oauth2启用撤销令牌端点

iqih9akk  于 2022-11-11  发布在  Spring
关注(0)|答案(1)|浏览(203)

我需要撤销令牌端点。它似乎在spring framework中没有,所以我添加了一个自定义的端点。添加了两个具有相同功能的方法(GETDELETE)(为了发挥作用):

@FrameworkEndpoint
@RequestMapping(
    value = {"oauth"},
    produces = MediaType.APPLICATION_JSON_VALUE
)
@Validated
public class RevokeTokenEndpoint {

  @Autowired
  private DefaultTokenServices tokenServices;

  @ResponseStatus(HttpStatus.NO_CONTENT)
  @GetMapping(value = "revoke")
  public void revokeToken(HttpServletRequest request) {
    String authorization = request.getHeader("Authorization");
    if (authorization != null && authorization.contains("Bearer")) {
      String tokenId = authorization.substring("Bearer".length() + 1);
      tokenServices.revokeToken(tokenId);
    }
  }

  @ResponseStatus(HttpStatus.ACCEPTED)
  @DeleteMapping(value = "revoke")
  public void revokeToken(Authentication authentication) {
    tokenServices.revokeToken(((OAuth2AuthenticationDetails) authentication
        .getDetails()).getTokenValue());
  }
}

如果我尝试GET方法,令牌被成功撤销:

curl -X GET -H "Authorization: Bearer e7683428-d06b-429a-9e76-91df9521c897" "http://localhost:8082/oauth/revoke"

2019-08-22 14:26:37.814 DEBUG o.s.w.s.DispatcherServlet - Completed 204 NO_CONTENT

DELETEmethod情况下-编号:

2019-08-22 14:28:53.551 DEBUG o.s.b.a.a.l.AuditListener - AuditEvent [timestamp=2019-08-22T11:28:53.550Z, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A8B4925366067778DC83CDE4066F1A62, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]

问题

对于如何为DELETEmethod创建有效的oauth/revoke端点(解决AUTHORIZATION_FAILURE问题),是否有任何建议?

更多详细信息

请注意,我也尝试了DELETEmethodGET类似功能。
我的安全限制是:

@Override
protected void configure(HttpSecurity http) throws Exception {
  http
      .authorizeRequests()
      .antMatchers("/actuator/**", "/oauth/revoke")
      .permitAll()
      .anyRequest()
      .authenticated();
}
ahy6op9u

ahy6op9u1#

请尝试使用作为路径/oauth/token,例如:

@ResponseStatus(HttpStatus.ACCEPTED)
@DeleteMapping(value = "token")
public void revokeToken(Authentication authentication) {
  tokenServices.revokeToken(((OAuth2AuthenticationDetails) authentication
      .getDetails()).getTokenValue());
}

相关问题