
我想知道：当用户从 OAuth 2.0 注销时，如何删除 refresh token 和 access token？

<sec:logout invalidate-session="true" logout-success-url="/logoutsuccess" logout-url="/logout"/>

，但它不能正常工作……我希望在用户注销时把所有东西都清掉：刷新令牌、访问令牌、会话以及 cookie。

我的 security servlet.xml 看起来像这样：

<!-- Protected resources -->
<!-- NOTE(review): this chain is configured stateless (create-session="never").
     The <sec:logout> element below only invalidates the servlet session and deletes
     the JSESSIONID cookie; nothing in this snippet references the OAuth2 token store,
     so access/refresh tokens are not touched by it — presumably why they survive
     logout. Confirm against the resource-server filter's token store. -->
<sec:http create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
    access-decision-manager-ref="accessDecisionManager"
    xmlns="http://www.springframework.org/schema/security">
    <sec:anonymous enabled="false" />
    <sec:intercept-url pattern="/data/user/*"
     access="IS_AUTHENTICATED_FULLY" />
    <!-- Session/cookie cleanup only; see note above. -->
    <sec:logout delete-cookies="JSESSIONID" invalidate-session="true" />
    <!-- Resource-server filter that validates the bearer token on each request. -->
    <sec:custom-filter ref="resourceServerFilter"
     before="PRE_AUTH_FILTER" />
    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>

回答


你可以在 sessionDestroyedListener 里做这些事……大致如下。在这段代码里我更新了 lastLogout 日期，你可以改成你想做的任何事。

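@Component("sessionDestroyedEventListener")
public class SessionDestroyedEventListener implements ApplicationListener<SessionDestroyedEvent> {

    // private static Logger logger = BaseLogger.getLogger(AuthenticationEventListener.class);

    /** Fallback user code used when the session principal carries no usable identifier. */
    private static final String UNDEFINED_USER = "UnDefinedUser";

    @Autowired
    private AuthenticationService authenticationService;

    public void setAuthenticationService(AuthenticationService authenticationService) {
        this.authenticationService = authenticationService;
    }

    /**
     * Captures the session-destroyed event and resolves the user behind every security
     * context that was stored in the destroyed session, so per-user cleanup (here:
     * updating the lastLogout date) can run once the session is gone.
     *
     * @param appEvent the event published when an HTTP session is destroyed; its security
     *                 contexts may be empty, and a context may hold no authentication
     */
    @Override
    public void onApplicationEvent(SessionDestroyedEvent appEvent) {
        // The listener is already typed on SessionDestroyedEvent, so no cast is needed.
        // Iterating the returned collection directly avoids the unchecked ArrayList cast,
        // which would fail on any other List implementation.
        for (SecurityContext context : appEvent.getSecurityContexts()) {
            if (context.getAuthentication() == null) {
                // An anonymous/cleared context has nothing to attribute to a user.
                continue;
            }
            UserInfo userInfo = toUserInfo(context.getAuthentication().getPrincipal());
            // authenticationService.updateLastLogoutDate(userInfo.getUsername());
        }
    }

    /**
     * Maps a session principal to a {@code UserInfo} without unchecked casts.
     *
     * @param principal the authentication's principal; may be null
     * @return the principal itself when it already is a {@code UserInfo}; otherwise a new
     *         {@code UserInfo} built from the principal when it is a non-empty String, or
     *         from {@link #UNDEFINED_USER} for null, empty or unrecognised principal types
     *         (the original {@code (String) obj} cast threw ClassCastException on the latter)
     */
    private static UserInfo toUserInfo(Object principal) {
        if (principal instanceof UserInfo) {
            return (UserInfo) principal;
        }
        String userCode = (principal instanceof String) ? (String) principal : null;
        if (userCode == null || userCode.isEmpty()) {
            userCode = UNDEFINED_USER;
        }
        return new UserInfo(userCode);
    }
}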


有没有办法只通过配置来解决这个问题？ – Prince 2014-09-25 12:42:53


……我已经用过这个配置。但依我看，我确定仅靠它是做不到的。 – 2014-09-26 03:47:36


在 Spring Boot 应用中，我会：1. 获取 OAuth2AccessToken；2. 用它删除 OAuth2RefreshToken；3. 然后删除访问令牌本身。

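@Component
public class CustomLogoutSuccessHandler
        extends AbstractAuthenticationTargetUrlRequestHandler
        implements LogoutSuccessHandler {

    /** RFC 6750 scheme prefix; the scheme name itself is matched case-insensitively. */
    private static final String BEARER_AUTHENTICATION = "Bearer ";
    private static final String HEADER_AUTHORIZATION = "authorization";

    @Autowired
    private TokenStore tokenStore;

    /**
     * Revokes the access token presented on the logout request and, if one is attached,
     * its refresh token, then answers 200. A request without a Bearer header, or whose
     * token is unknown to the store, is still answered 200 so logout stays idempotent.
     * The parent's redirect handling is deliberately not invoked here — presumably the
     * caller is an API client rather than a browser.
     *
     * @param httpServletRequest  the logout request; only its Authorization header is read
     * @param httpServletResponse response whose status is set to 200
     * @param authentication      the authentication at logout time (unused; the token in
     *                            the header is the source of truth for what to revoke)
     * @throws IOException      declared by the interface; not thrown by this body
     * @throws ServletException declared by the interface; not thrown by this body
     */
    @Override
    public void onLogoutSuccess(HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse,
            Authentication authentication) throws IOException, ServletException {

        String accessTokenValue = extractBearerToken(httpServletRequest.getHeader(HEADER_AUTHORIZATION));

        if (accessTokenValue != null) {
            OAuth2AccessToken oAuth2AccessToken = tokenStore.readAccessToken(accessTokenValue);
            if (oAuth2AccessToken != null) {
                // Drop the refresh token before the access token: removing only the access
                // token would leave a refresh token that can still mint a new one.
                OAuth2RefreshToken oAuth2RefreshToken = oAuth2AccessToken.getRefreshToken();
                if (oAuth2RefreshToken != null) {
                    tokenStore.removeRefreshToken(oAuth2RefreshToken);
                }
                tokenStore.removeAccessToken(oAuth2AccessToken);
            }
        }

        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
    }

    /**
     * Extracts the token value from a raw Authorization header.
     *
     * @param authorizationHeader the header value; may be null
     * @return the first whitespace-delimited token after the Bearer prefix, or null when
     *         the header is absent, uses another scheme, or carries no token (the original
     *         {@code split(" ")[1]} threw ArrayIndexOutOfBoundsException on a bare
     *         {@code "Bearer "} header)
     */
    private static String extractBearerToken(String authorizationHeader) {
        if (authorizationHeader == null) {
            return null;
        }
        int prefixLength = BEARER_AUTHENTICATION.length();
        if (!authorizationHeader.regionMatches(true, 0, BEARER_AUTHENTICATION, 0, prefixLength)) {
            return null;
        }
        String rest = authorizationHeader.substring(prefixLength).trim();
        if (rest.isEmpty()) {
            return null;
        }
        return rest.split("\\s+", 2)[0];
    }
}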