Raj*_*eev · tags: spring, spring-security, spring-security-oauth2, spring-oauth2

I have provided the cookie-based authorization request repository to the oauth2Login() DSL to make it stateless, but when I add the session creation policy as STATELESS, the OAuth2 login is not working and returns a "too many callbacks" error on the UI page.

I have used the following oauth2Login config for login with the Google OAuth2 provider.
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.savedrequest.CookieRequestCache;

// Class name and imports are assumed; the question only showed the members below.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private HttpCookieOAuth2AuthorizationRequestRepository httpCookieOAuth2AuthorizationRequestRepository;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().csrfTokenRepository(new CookieCsrfTokenRepository())
                .ignoringAntMatchers("/oauth2/authorization/google")
            .and()
            // The line in question: login works when this is commented out.
            .sessionManagement(sessionMgmtConfig -> sessionMgmtConfig.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated())
            .oauth2Login(oauth2Config -> oauth2Config
                .authorizationEndpoint(config -> config.authorizationRequestRepository(httpCookieOAuth2AuthorizationRequestRepository))
                // oidcUserOAuth2UserService() is defined elsewhere in the poster's configuration
                .userInfoEndpoint(config -> config.oidcUserService(oidcUserOAuth2UserService()))
                .successHandler(authenticationSuccessHandler())
            );
            // .logout(logoutConfig -> logoutConfig.addLogoutHandler(logoutHandler()))
    }

    public AuthenticationSuccessHandler authenticationSuccessHandler() {
        SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
        // Saved requests go into a cookie too, so no HttpSession is needed for the redirect after login
        successHandler.setRequestCache(new CookieRequestCache());
        return successHandler;
    }
}
```
If I comment out the session management line, it works as expected and creates the JSESSIONID, but it does not work if I uncomment this part. Am I missing something?
Having oauth2Login together with stateless sessionManagement is not that easy. The problem is that Spring needs to store information about the OAuth 2.0 state parameter. Normally it is stored in the session, but when you disable that, Spring goes crazy ("too many callbacks") because it cannot find it.

To solve this, you can use your own cookie to store the state parameter. This can be done by providing a custom implementation of AuthorizationRequestRepository<OAuth2AuthorizationRequest>.

There is a good blog post that describes everything in more detail:

https://www.jessym.com/articles/stateless-oauth2-social-logins-with-spring-boot
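A cookie-backed AuthorizationRequestRepository of the kind the answer describes, as an added example (not the asker's class of the same name and not the blog's code). It assumes Spring Security 5.x on javax.servlet (use jakarta.servlet on 6.x) with Jackson on the classpath; the cookie name is made up.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.http.*;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.web.util.WebUtils;

// Keeps the pending authorization request (state, nonce, redirect URI) in a short-lived cookie instead of the session.
public class HttpCookieOAuth2AuthorizationRequestRepository
        implements AuthorizationRequestRepository<OAuth2AuthorizationRequest> {
    static final String COOKIE_NAME = "OAUTH2_AUTH_REQUEST";   // assumed cookie name
    private final ObjectMapper json = new ObjectMapper();

    @Override public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
        Cookie c = WebUtils.getCookie(request, COOKIE_NAME); return c == null ? null : decode(c.getValue());
    }
    @Override public void saveAuthorizationRequest(OAuth2AuthorizationRequest r, HttpServletRequest request, HttpServletResponse response) {
        if (r == null) { removeAuthorizationRequest(request, response); return; }
        Cookie c = new Cookie(COOKIE_NAME, encode(r));
        c.setPath("/"); c.setHttpOnly(true); c.setSecure(request.isSecure());
        c.setMaxAge(180);   // the round trip to the provider must finish within 3 minutes
        response.addCookie(c);
    }
    @Override public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request, HttpServletResponse response) {
        OAuth2AuthorizationRequest saved = loadAuthorizationRequest(request);
        Cookie c = new Cookie(COOKIE_NAME, ""); c.setPath("/"); c.setMaxAge(0);   // single use: cleared on the callback
        response.addCookie(c); return saved;
    }
    // Spring Security 5.x still declares this one-argument variant; 6.x dropped it.
    public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request) { return loadAuthorizationRequest(request); }

    private String encode(OAuth2AuthorizationRequest r) {   // plain JSON: a client-controlled cookie never hits Java deserialization
        Map<String, Object> m = new HashMap<>();
        m.put("authorizationUri", r.getAuthorizationUri()); m.put("clientId", r.getClientId()); m.put("redirectUri", r.getRedirectUri());
        m.put("scopes", r.getScopes()); m.put("state", r.getState());
        m.put("attributes", r.getAttributes()); m.put("additionalParameters", r.getAdditionalParameters());
        try { return Base64.getUrlEncoder().withoutPadding().encodeToString(json.writeValueAsBytes(m)); }
        catch (IOException e) { throw new IllegalStateException(e); }
    }
    @SuppressWarnings("unchecked") private OAuth2AuthorizationRequest decode(String value) {
        try {
            Map<String, Object> m = json.readValue(Base64.getUrlDecoder().decode(value), Map.class);
            return OAuth2AuthorizationRequest.authorizationCode()
                    .authorizationUri((String) m.get("authorizationUri")).clientId((String) m.get("clientId"))
                    .redirectUri((String) m.get("redirectUri")).scopes(new HashSet<>((List<String>) m.get("scopes")))
                    .state((String) m.get("state")).attributes((Map<String, Object>) m.get("attributes"))
                    .additionalParameters((Map<String, Object>) m.get("additionalParameters")).build();
        } catch (IOException | RuntimeException e) {
            return null;   // corrupt or forged cookie: no pending request, so the state check on the callback fails
        }
    }
}
```

Unlike a session entry, the cookie contents are visible to the browser; they hold only the single-use state and nonce, but add an HMAC over the value if you need tamper evidence.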