通过进行注销不适用于Security、OIDC和Keycloak
通过进行注销不适用于Security、OIDC和Keycloak
提问于 2022-02-24 11:14:14
我正在运行一个Spring,它使用Keycloak处理OAuth2身份验证。来自单个页面应用程序(SPA)的登录部分工作正常,但现在我在注销时遇到了问题。
以下是我的想法:
- SPA在网关上给
/logout发了个帖子。 - 网关使会话及其
SESSIONcookie无效。 - 网关联系密钥披风的
end_session_endpoint,即http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout。 - 用户被重定向到SPA。
这是我目前使用网络流量进行的安全配置。该守则的基础是下面提到的例子和信息:
@Configuration
@EnableWebFluxSecurity
public class SecurityConfiguration {
private static final String FRONTEND_URL = "http://localhost:8093"
@Autowired
private final ReactiveClientRegistrationRepository clientRegistrationRepository;
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity httpSecurity) {
httpSecurity
.csrf().disable()
.authorizeExchange()
.anyExchange().authenticated()
.and()
.oauth2Login()
.authenticationSuccessHandler(new RedirectServerAuthenticationSuccessHandler(FRONTEND_URL))
.and()
.exceptionHandling().authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED))
.and()
.logout()
.logoutHandler(logoutHandler())
.logoutSuccessHandler(oidcLogoutSuccessHandler());
return httpSecurity.build();
}
private ServerLogoutHandler logoutHandler() {
return new DelegatingServerLogoutHandler(new WebSessionServerLogoutHandler(), new SecurityContextServerLogoutHandler());
}
private ServerLogoutSuccessHandler oidcLogoutSuccessHandler() {
OidcClientInitiatedServerLogoutSuccessHandler logoutSuccessHandler = new OidcClientInitiatedServerLogoutSuccessHandler(clientRegistrationRepository);
logoutSuccessHandler.setPostLogoutRedirectUri(FRONTEND_URL);
return logoutSuccessHandler;
}
}当向/logout发送帖子时,调试日志显示以下内容:
athPatternParserServerWebExchangeMatcher : Request 'POST /logout' doesn't match 'null /oauth2/authorization/{registrationId}'
athPatternParserServerWebExchangeMatcher : Request 'POST /logout' doesn't match 'null /login/oauth2/code/{registrationId}'
o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=POST}
athPatternParserServerWebExchangeMatcher : Checking match of request : '/logout'; against '/logout'
o.s.s.w.s.u.m.OrServerWebExchangeMatcher : matched
ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [foo], Granted Authorities: [[ROLE_USER, SCOPE_email, SCOPE_profile]], User Attributes: [{sub=a8375794-3dae-4d4f-ae11-2b17bfb03992, email_verified=false, realm_access={roles=[DEFAULT_USER]}, name=foo bar, preferred_username=foo, given_name=foo, family_name=bar, email=foo@example.com}], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[ROLE_USER, SCOPE_email, SCOPE_profile]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@560ddd31'
o.s.s.w.s.a.logout.LogoutWebFilter : Logging out user 'OAuth2AuthenticationToken [Principal=Name: [foo], Granted Authorities: [[ROLE_USER, SCOPE_email, SCOPE_profile]], User Attributes: [{sub=a8375794-3dae-4d4f-ae11-2b17bfb03992, email_verified=false, realm_access={roles=[DEFAULT_USER]}, name=Foo Bar, preferred_username=foo, given_name=foo, family_name=bar, email=foo@example.com}], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[ROLE_USER, SCOPE_email, SCOPE_profile]]' and transferring to logout destination
ebSessionServerSecurityContextRepository : Removed SecurityContext stored in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@560ddd31'
o.s.s.w.s.DefaultServerRedirectStrategy : Redirecting to '/login?logout'
athPatternParserServerWebExchangeMatcher : Request 'GET /login' doesn't match 'null /oauth2/authorization/{registrationId}'
athPatternParserServerWebExchangeMatcher : Request 'GET /login' doesn't match 'null /login/oauth2/code/{registrationId}'
o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=POST}
athPatternParserServerWebExchangeMatcher : Request 'GET /login' doesn't match 'POST /logout'
o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
a.DelegatingReactiveAuthorizationManager : Checking authorization on '/login' using org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager@1b45f1c
ebSessionServerSecurityContextRepository : No SecurityContext found in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@790f8540'
o.s.s.w.s.a.AuthorizationWebFilter : Authorization failed: Access Denied
ebSessionServerSecurityContextRepository : No SecurityContext found in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@790f8540'因此,网关似乎成功地使会话无效。但这里有两个我不明白的观察:
- Keycloak似乎仍有此用户的会话。Keycloak cookie仍然存在,SPA的重新加载将根据这些cookie直接创建一个新会话。
- 发送到
/logout的帖子重定向到/login?logout,后者被401拒绝。我的理解是,重定向应该发生在FRONTEND_URL = "http://localhost:8093"上。
回答 1
Stack Overflow用户
回答已采纳
发布于 2022-02-24 11:53:35
也许您是在写ajax帖子,而不是表单文章?服务器无法在ajax调用中将浏览器重定向到keycloak。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/71251098
复制相关文章
相似问题
腾讯云开发者
