Delete access_token after logout

Published 2019-05-30 06:40

I have a little question.

At the moment my Spring configuration uses the DefaultTokenServices (provided by the spring-security-oauth2-2.0.0.M3.jar). It correctly generates the access_token.

Now what I want to do is cancel/delete/remove/revoke this token when I log out.

In the security.xml i configured the logout in the http tag:

<sec:logout logout-url="/logout" logout-success-url="/auth" invalidate-session="true" delete-cookies="true" />

and the redirection is successful. But if I write a test that does a login, then a logout, and afterwards tries to access a restricted path with this access_token, I get a successful request, but I expect a Not Authorized error. Why?

How can I configure the logout so that the access_token is automatically deleted, forcing a new login?

2 answers
霸刀☆藐视天下
Post 2 · 2019-05-30 07:31

In the end I followed this link

And in the LogoutHandlerFilter I call the TokenService.revokeToken() method.

我命由我不由天
Post 3 · 2019-05-30 07:43

The lifetime of the access_token is independent of the login session of a user who grants access to a client. OAuth2 has no concept of a user login or logout, or a session, so the fact that you expect a logout to revoke a token would seem to indicate that you're misunderstanding how OAuth2 works. You should probably clarify in your question why you want things to work this way and why you need OAuth.

If you really want this behaviour, then you would have to code it yourself (in a custom Spring Security LogoutHandler, for example), but the lifetime of a token is normally governed by its expiry time. Token revocation would usually be a separate interface provided to the user, allowing them to prematurely revoke access to their resources for one or more clients - something like Twitter's third-party applications access.
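One way to implement what both answers describe (a custom Spring Security LogoutHandler that calls revokeToken()), as an added example that is not code from the question or either answer. It assumes the Spring Security OAuth2 2.0 API, in which DefaultTokenServices implements ConsumerTokenServices (the exact interface in the 2.0.0.M3 milestone is an assumption), and that the client sends the token in an Authorization: Bearer header.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.security.web.authentication.logout.LogoutHandler;

/** Revokes the access token used for the current request when the user logs out (example code). */
public class TokenRevokingLogoutHandler implements LogoutHandler {

    private final ConsumerTokenServices tokenServices;

    public TokenRevokingLogoutHandler(ConsumerTokenServices tokenServices) {
        this.tokenServices = tokenServices;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        String tokenValue = extractBearerToken(request.getHeader("Authorization"));
        if (tokenValue == null && authentication != null
                && authentication.getDetails() instanceof OAuth2AuthenticationDetails) {
            // Fallback: the token the OAuth2 authentication filter recorded for this request
            tokenValue = ((OAuth2AuthenticationDetails) authentication.getDetails()).getTokenValue();
        }
        if (tokenValue != null) {
            // Assumed API: DefaultTokenServices implements ConsumerTokenServices, and revokeToken()
            // removes the access token (and its refresh token) from the TokenStore, so replaying it fails.
            tokenServices.revokeToken(tokenValue);
        }
    }

    /** Returns the token from an "Authorization: Bearer <token>" header, or null if absent. */
    static String extractBearerToken(String header) {
        if (header == null || header.length() <= 7
                || !header.substring(0, 7).equalsIgnoreCase("bearer ")) {
            return null;
        }
        String token = header.substring(7).trim();
        return token.isEmpty() ? null : token;
    }
}
```

With Java config the handler is registered via http.logout().addLogoutHandler(new TokenRevokingLogoutHandler(tokenServices)); with the XML namespace used in the question, the <sec:logout> element has no handler attribute, so the LogoutFilter bean has to be declared explicitly with this handler and inserted with <sec:custom-filter>. Revocation only helps when the token is stored server-side (e.g. an in-memory or JDBC TokenStore); a self-contained JWT stays valid until it expires.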
