【Question title】: How to delete the refresh token and access token when the user logs out (OAuth 2.0)?
【Posted】: 2014-11-20 02:37:38
【Question】:

I have tried ....

 <sec:logout invalidate-session="true" logout-success-url="/logoutsuccess" logout-url="/logout" />

but it does not work properly.... I want to clear everything when the user logs out, e.g. the refresh token and access token, the session, cookies....

My security-servlet.xml looks like this

<!-- Protected resources -->
<sec:http create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
    access-decision-manager-ref="accessDecisionManager"
    xmlns="http://www.springframework.org/schema/security">
    <sec:anonymous enabled="false" />
    <sec:intercept-url pattern="/data/user/*"
        access="IS_AUTHENTICATED_FULLY" />
    <sec:logout delete-cookies="JSESSIONID" invalidate-session="true" />
    <sec:custom-filter ref="resourceServerFilter"
        before="PRE_AUTH_FILTER" />
    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>

【Discussion】:

    Tags: spring-security oauth-2.0


    【Solution 1】:

    In a Spring Boot application I would: 1. get the OAuth2AccessToken, 2. use it to remove the OAuth2RefreshToken, 3. then remove the access token itself.

    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.oauth2.common.OAuth2AccessToken;
    import org.springframework.security.oauth2.common.OAuth2RefreshToken;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler;
    import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
    import org.springframework.stereotype.Component;

    @Component
    public class CustomLogoutSuccessHandler
            extends AbstractAuthenticationTargetUrlRequestHandler
            implements LogoutSuccessHandler {

        private static final String BEARER_AUTHENTICATION = "Bearer ";
        private static final String HEADER_AUTHORIZATION = "authorization";

        @Autowired
        private TokenStore tokenStore;

        @Override
        public void onLogoutSuccess(HttpServletRequest httpServletRequest,
                                    HttpServletResponse httpServletResponse,
                                    Authentication authentication) throws IOException, ServletException {

            // Header names are case-insensitive, so "authorization" also matches "Authorization".
            String token = httpServletRequest.getHeader(HEADER_AUTHORIZATION);

            if (token != null && token.startsWith(BEARER_AUTHENTICATION)) {
                // Take everything after "Bearer "; split(" ")[1] throws on a bare "Bearer " header.
                String accessTokenValue = token.substring(BEARER_AUTHENTICATION.length()).trim();

                // 1. Look up the access token the client presented.
                OAuth2AccessToken oAuth2AccessToken = tokenStore.readAccessToken(accessTokenValue);
                if (oAuth2AccessToken != null) {
                    // 2. Remove the refresh token linked to it (if one was issued).
                    OAuth2RefreshToken oAuth2RefreshToken = oAuth2AccessToken.getRefreshToken();
                    if (oAuth2RefreshToken != null) {
                        tokenStore.removeRefreshToken(oAuth2RefreshToken);
                    }
                    // 3. Remove the access token itself.
                    tokenStore.removeAccessToken(oAuth2AccessToken);
                }
            }

            httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        }

    }
    

    【Discussion】:
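
The reason the asker's `<sec:logout invalidate-session="true">` has no visible effect is that the resource server runs with `create-session="never"`: there is no HTTP session to invalidate, and the tokens live in the TokenStore, so logout has to remove them there. The following is an added example, not code from the answer above or from the Spring Security project: a `LogoutHandler` that takes the token value from the `OAuth2AuthenticationDetails` the resource server filter attached to the `Authentication` (instead of re-parsing the header) and revokes it through `ConsumerTokenServices.revokeToken()`, which removes the refresh token and then the access token in one call; `DefaultTokenServices` implements that interface. The Java config class, the `/logout` and `/data/user/**` matchers and the name `TokenRevokingLogoutHandler` are assumptions for the example, and it assumes spring-security-oauth2 2.x with Java 8.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.security.web.authentication.logout.LogoutHandler;

/**
 * Added example (not the answer's or Spring's code): revokes the bearer token
 * the current request authenticated with. Runs as a LogoutHandler, i.e. before
 * the logout is reported as successful.
 */
public class TokenRevokingLogoutHandler implements LogoutHandler {

    private final ConsumerTokenServices tokenServices;

    public TokenRevokingLogoutHandler(ConsumerTokenServices tokenServices) {
        this.tokenServices = tokenServices;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        // Null when /logout is not behind the resource server filter, or the
        // token was missing or invalid: nothing to revoke, and nothing to trust.
        if (authentication == null) {
            return;
        }
        // OAuth2AuthenticationProcessingFilter stores the token value that
        // authenticated this request in the Authentication details, so the
        // Authorization header does not have to be parsed a second time.
        Object details = authentication.getDetails();
        if (details instanceof OAuth2AuthenticationDetails) {
            String tokenValue = ((OAuth2AuthenticationDetails) details).getTokenValue();
            // revokeToken() removes the refresh token (if any) and then the
            // access token; it returns false if the store no longer has it.
            tokenServices.revokeToken(tokenValue);
        }
        // With SessionCreationPolicy.NEVER there is no HTTP session to
        // invalidate; the thread-bound context is the only remaining state.
        SecurityContextHolder.clearContext();
    }
}

/**
 * Wiring for the handler above (assumed names). /logout is listed among the
 * protected URLs so the resource server filter authenticates it first.
 */
@Configuration
@EnableResourceServer
class LogoutResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumption: a DefaultTokenServices bean is defined elsewhere; it
    // implements ConsumerTokenServices over the shared TokenStore.
    @Autowired
    private ConsumerTokenServices tokenServices;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
            .and()
            .authorizeRequests()
                .antMatchers("/data/user/**", "/logout").fullyAuthenticated()
            .and()
            .logout()
                .logoutUrl("/logout")
                .addLogoutHandler(new TokenRevokingLogoutHandler(tokenServices))
                // Plain 204 instead of the default redirect to /login?logout.
                .logoutSuccessHandler((req, res, auth) ->
                        res.setStatus(HttpServletResponse.SC_NO_CONTENT));
    }
}
```

Two caveats worth checking before relying on this. If CSRF protection is left enabled, Spring Security only accepts logout over POST, so a GET to /logout is ignored. And with a `JwtTokenStore` the `removeAccessToken`/`removeRefreshToken` calls are no-ops, because nothing is stored server-side; revocation there needs a short token lifetime or a separate denylist. In the XML namespace there is no attribute for extra `LogoutHandler`s, so the equivalent is to do the revocation in a `LogoutSuccessHandler` wired through `success-handler-ref`, as the answer above does.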

      【Solution 2】:

      You can do these things in a sessionDestroyedListener...... it looks roughly like this...... In this code I am updating the lastLogout date.. you can do whatever you want.

      import java.util.List;

      import org.springframework.beans.factory.annotation.Autowired;
      import org.springframework.context.ApplicationListener;
      import org.springframework.security.core.Authentication;
      import org.springframework.security.core.context.SecurityContext;
      import org.springframework.security.core.session.SessionDestroyedEvent;
      import org.springframework.stereotype.Component;

      // UserInfo and AuthenticationService are the poster's own application classes.
      @Component("sessionDestroyedEventListener")
      public class SessionDestroyedEventListener implements ApplicationListener<SessionDestroyedEvent> {

          @Autowired
          private AuthenticationService authenticationService;

          public void setAuthenticationService(AuthenticationService authenticationService) {
              this.authenticationService = authenticationService;
          }

          /**
           * Capture the SessionDestroyedEvent and update the lastLogout date of the
           * user whose session was destroyed.
           */
          @Override
          public void onApplicationEvent(SessionDestroyedEvent event) {
              // One destroyed session can carry several SecurityContexts; the
              // interface returns a List, so no cast to ArrayList is needed.
              List<SecurityContext> contexts = event.getSecurityContexts();

              for (SecurityContext context : contexts) {
                  Authentication authentication = context.getAuthentication();
                  if (authentication == null) {
                      continue; // session existed without a login
                  }
                  Object principal = authentication.getPrincipal();
                  UserInfo userInfo;

                  if (principal instanceof UserInfo) {
                      userInfo = (UserInfo) principal;
                  } else {
                      // toString() rather than a String cast: a UserDetails principal
                      // would otherwise throw ClassCastException here.
                      String userCode = principal == null ? null : principal.toString();
                      if (userCode == null || "".equals(userCode)) {
                          userCode = "UnDefinedUser";
                      }
                      userInfo = new UserInfo(userCode);
                  }

                  authenticationService.updateLastLogoutDate(userInfo.getUsername());
              }

          }
      }

      【Discussion】:

      • Is there a way to solve this using configuration?
      • .... I have used this configuration.... but as I said, make sure you can do it this way.
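
Two things decide whether the listener approach above can clear OAuth2 tokens at all. First, Spring Security only publishes `SessionDestroyedEvent` when `HttpSessionEventPublisher` is registered as a servlet listener (a `<listener>` in web.xml, or a `ServletListenerRegistrationBean` in Spring Boot). Second, a resource server configured with `create-session="never"`, as in the question, has no session to destroy, so this only helps where a login session exists, for example on the authorization server's form login. The following is an added example, not code from the answer above: a listener that, when a user's session ends, looks up every token the store holds for that user and client and revokes each through `ConsumerTokenServices.revokeToken()`, which also drops the linked refresh token. The class name, the `CLIENT_ID` value and the single-client assumption are mine; `findTokensByClientIdAndUserName` is the TokenStore method for this in spring-security-oauth2 2.x (it returns an empty collection for `JwtTokenStore`, which keeps nothing server-side).

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.session.SessionDestroyedEvent;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.stereotype.Component;

/**
 * Added example (not the answer's code): when a user's HTTP session ends, by
 * explicit logout or timeout, revoke every OAuth2 token the store holds for
 * that user under the configured client. Requires HttpSessionEventPublisher to
 * be registered, otherwise SessionDestroyedEvent is never published.
 */
@Component
public class TokenRevokingSessionListener implements ApplicationListener<SessionDestroyedEvent> {

    // Assumption: the single client id under which the web app obtains tokens.
    static final String CLIENT_ID = "web-client";

    private final TokenStore tokenStore;
    private final ConsumerTokenServices tokenServices;

    @Autowired
    public TokenRevokingSessionListener(TokenStore tokenStore, ConsumerTokenServices tokenServices) {
        this.tokenStore = tokenStore;
        this.tokenServices = tokenServices;
    }

    @Override
    public void onApplicationEvent(SessionDestroyedEvent event) {
        // A destroyed session may carry several SecurityContexts, and a
        // session can exist with no login at all (authentication == null).
        for (SecurityContext context : event.getSecurityContexts()) {
            Authentication authentication = context.getAuthentication();
            if (authentication == null) {
                continue;
            }
            revokeAllTokensFor(authentication.getName());
        }
    }

    /** Revokes all of the user's tokens for CLIENT_ID and returns how many were removed. */
    public int revokeAllTokensFor(String userName) {
        // Copy first: InMemoryTokenStore hands back a view over its live set, and
        // removing tokens while iterating that view would throw.
        List<OAuth2AccessToken> tokens =
                new ArrayList<>(tokenStore.findTokensByClientIdAndUserName(CLIENT_ID, userName));
        int revoked = 0;
        for (OAuth2AccessToken token : tokens) {
            // revokeToken removes the refresh token tied to this access token too.
            if (tokenServices.revokeToken(token.getValue())) {
                revoked++;
            }
        }
        return revoked;
    }
}
```

The return value of `revokeAllTokensFor` is useful in a logout audit log: a count of zero for a user who was logged in usually means the tokens were issued under a different client id than `CLIENT_ID`, or that the store is a stateless `JwtTokenStore`.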