OAUTH logout and Oauth Token Validation
Question
I am using Spring OAuth to secure my REST APIs and have successfully generated the OAuth token. Now I am stuck in 2 places, mentioned below.

- Logout: I didn't find any URL in the specification which I can call to logout/invalidate the token. One option I have is to write my own implementation of logout and delete the token from the token store in that method. But is there any other way to logout/invalidate the token, like the way we retrieve the token?
- Validation of Token: Is there any URL where I can pass my token and validate whether the token is valid or not? One way is to write my own method from which I will validate the token. If my own method returns 200 then the token is valid, else it is an invalid token (401). But I'd like to know whether Spring OAuth provides any such URL.
Answer 1
Score: 1
The most common usage is to integrate Spring Security with a standards-based cloud authorization server, in which case you can use these options:

- Logout occurs when a UI calls the End Session Endpoint
- Tokens can be validated by APIs either in memory or via an Introspection Endpoint

Note however that not all Authorization Servers implement these endpoints in a standard way.
Deleting tokens on logout is the most standard option, along with keeping tokens short-lived so that they expire soon anyway.
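As an added example (not code from the question, the answer, or Spring itself), the following models both mechanisms the answer names: logout as deletion from the token store, and validation via an RFC 7662-style introspection response that the resource server maps to 200/401. The `TokenStore` class and the token values are constructed for illustration and stand in for whatever store the authorization server actually uses.

```python
import time
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    """Constructed in-memory store keyed by opaque access-token value."""
    tokens: dict = field(default_factory=dict)

    def issue(self, value, username, scope, ttl, now):
        # Short-lived tokens: the expiry is fixed at issue time so a token that
        # is never explicitly revoked still stops working after ttl seconds.
        self.tokens[value] = {"username": username, "scope": scope, "exp": now + ttl}

    def revoke(self, value):
        """Logout: drop the token so no later validation can succeed.
        Returns False if the token was not present (already gone or never issued)."""
        return self.tokens.pop(value, None) is not None


def introspect(store, token, now):
    """Authorization-server side, following RFC 7662 semantics: unknown, revoked
    and expired tokens all get the same {"active": false} reply, so a caller
    learns nothing about whether the token ever existed."""
    entry = store.tokens.get(token)
    if entry is None or entry["exp"] <= now:
        return {"active": False}
    return {"active": True, "username": entry["username"],
            "scope": entry["scope"], "exp": entry["exp"]}


def resource_status(introspection, required_scope):
    """Resource-server side: the 200 / 401 decision the question describes,
    plus 403 when the token is live but lacks the scope for this endpoint.
    RFC 7662 returns scope as a space-separated string."""
    if not introspection.get("active"):
        return 401
    if required_scope not in introspection.get("scope", "").split():
        return 403
    return 200


if __name__ == "__main__":
    store = TokenStore()
    now = int(time.time())
    store.issue("tok-demo", "alice", "read write", ttl=300, now=now)
    print(resource_status(introspect(store, "tok-demo", now), "read"))  # 200
    store.revoke("tok-demo")                                            # logout
    print(resource_status(introspect(store, "tok-demo", now), "read"))  # 401
```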
Comments