问题
I'm trying to implement the example from the book OAuth-2.0-Cookbook using Spring cloud OAuth2.
I managed to implement his functionality but unfortunately I'm facing a problem: In order to make successful call I have to provide basic authentication credentials(Authorization: Basic YWRtaW46cXdlcnR5):
@PostMapping("/oauth/revoke")
public ResponseEntity<String> revoke(@RequestParam Map<String, String> params) {
RevocationService revocationService = revocationServiceFactory
.create(params.get("token_type_hint"));
revocationService.revoke(params.get("token"));
return ResponseEntity.ok().build();
}
Github source
I like the idea to have some kind of authentication when POST request is made to revoke a token but I don't think that Angular SPA app should hold the username and password all the time in order to make a successful call to /oauth/revoke.
In general the solution on Google have the just a endpoint which accept only token. For that cases I don't know what solution can be appropriate.
How I can remove the basic authentication functionality into Spring Cloud OAuth2? I use this security config:
http
.csrf()
.disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
// Configure token authentication permissions
.requestMatchers().antMatchers(HttpMethod.POST,"/oauth/token")
.and()
// Configure token revoke permissions
.requestMatchers().antMatchers(HttpMethod.POST,"/oauth/revoke")
.and()
.httpBasic()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
Github source:
回答1:
you can disable the authetication for revoke endpoint like this
http
...
.authorizeRequests()
.antMatchers("/oauth/revoke").permitAll()
...
来源:https://stackoverflow.com/questions/63103742/revoke-oauth2-token-without-using-basic-auth