OAuth2 logout

Source: Internet  Published by: php兄弟连官网  Editor: 程序博客网  Time: 2024/06/01 20:51

Revoking a user's access token in an OAuth-secured environment

  • Define a @FrameworkEndpoint so that it is picked up and resolved by FrameworkEndpointHandlerMapping instead of by the standard RequestMappingHandlerMapping. It maps DELETE /oauth/token and revokes the access_token it is given:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.security.oauth2.provider.endpoint.FrameworkEndpoint;
    import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.ResponseBody;

    // Msg and MessageType are the application's own response wrapper types.
    @FrameworkEndpoint
    public class RevokeTokenEndpoint {

        // The token services bean behind /oauth/token; revokeToken removes the
        // access token (and its refresh token) from the token store.
        @Autowired
        @Qualifier("consumerTokenServices")
        ConsumerTokenServices consumerTokenServices;

        // DELETE /oauth/token?access_token=... revokes the token that is passed in.
        @RequestMapping(method = RequestMethod.DELETE, value = "/oauth/token")
        @ResponseBody
        public Msg<String> revokeToken(String access_token) {
            if (consumerTokenServices.revokeToken(access_token)) {
                return new Msg<>(MessageType.MSG_TYPE_SUCCESS, null, "logout succeeded");
            } else {
                return new Msg<>(MessageType.MSG_TYPE_FAILURE, null, "logout failed");
            }
        }
    }

  • The method above reads access_token from a request parameter. Another approach found online reads it from the request's Authorization header instead. The header form is preferable: a token passed as a query parameter is written to server and proxy access logs, whereas an Authorization header normally is not.

    @Autowired
    ConsumerTokenServices tokenServices;

    // Reads the token from "Authorization: Bearer <token>". Only a header that
    // really starts with the Bearer scheme is accepted, and trim() drops any
    // stray whitespace around the token value.
    public void revokeToken(HttpServletRequest request) {
        String authorization = request.getHeader("Authorization");
        if (authorization != null && authorization.startsWith("Bearer ")) {
            String tokenId = authorization.substring("Bearer ".length()).trim();
            tokenServices.revokeToken(tokenId);
        }
    }
  • Delete the cookie from the server side (this covers the cookie used by the front-end pages). A Zuul post filter watches for the DELETE /oauth/token call and expires the refreshToken cookie in the response:

    import javax.servlet.http.Cookie;

    import com.netflix.zuul.ZuulFilter;
    import com.netflix.zuul.context.RequestContext;
    import org.springframework.stereotype.Component;

    @Component
    public class CustomPostZuulFilter extends ZuulFilter {

        @Override
        public Object run() {
            final RequestContext ctx = RequestContext.getCurrentContext();
            String requestURI = ctx.getRequest().getRequestURI();
            String requestMethod = ctx.getRequest().getMethod();
            // Only act on the revocation call, DELETE /oauth/token.
            if (requestURI.contains("oauth/token") && requestMethod.equals("DELETE")) {
                // An empty cookie with Max-Age=0 tells the browser to delete it; the
                // name and path must match the cookie as it was originally set.
                Cookie cookie = new Cookie("refreshToken", "");
                cookie.setMaxAge(0);
                cookie.setPath(ctx.getRequest().getContextPath() + "/oauth/token");
                ctx.getResponse().addCookie(cookie);
            }
            return null;
        }

        @Override
        public boolean shouldFilter() {
            return true;
        }

        @Override
        public int filterOrder() {
            return 10;
        }

        @Override
        public String filterType() {
            return "post";
        }
    }
  • Delete the access token from the AngularJS client: besides revoking the access token in the token store, the access_token cookie also has to be removed on the client.

    // Requires ngCookies: $cookies is injected into the controller alongside $http.
    $scope.logout = function() {
        logout($scope.loginData);
    };

    function logout(params) {
        var req = {
            method: 'DELETE',
            url: "oauth/token"
        };
        $http(req).then(
            function(data) {
                // Only clear the client-side cookie once the server has revoked the token.
                $cookies.remove("access_token");
                window.location.href = "login";
            },
            function() {
                console.log("error");
            }
        );
    }

  This function is called when the "Logout" link is clicked:

    <a class="btn btn-info" href="#" ng-click="logout()">Logout</a>
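The steps above, as an added example that is not part of the original post and not Spring Security OAuth or Zuul code: a small Node.js model of the whole logout flow, client request and server handling together, so both sides can be run and checked without a Spring server or a browser. An in-memory map stands in for the token store, TokenStore.revokeToken keeps the true/false contract of ConsumerTokenServices.revokeToken, and the names TokenStore, parseBearerToken, expireCookieHeader, buildLogoutRequest, handleRevoke and runLogoutFlow are chosen for this example; the cookie name refreshToken and the path /oauth/token are the ones used on the page.

```javascript
// Added example (not code from the page, Spring Security OAuth or Zuul): an
// in-process model of the logout flow, so that both sides can be exercised
// without a Spring server or a browser. All names below are chosen here.

// Server side: a token store with the same contract as
// ConsumerTokenServices.revokeToken(token): true when a live token was
// removed, false when the token is unknown (already revoked, or forged).
class TokenStore {
  constructor() {
    this.access = new Map();   // access token -> { user, refreshToken }
    this.issued = 0;           // counter, so token values are deterministic here
  }

  issue(user) {
    this.issued += 1;
    const accessToken = `at-${this.issued}`;
    const refreshToken = `rt-${this.issued}`;
    this.access.set(accessToken, { user, refreshToken });
    return { accessToken, refreshToken };
  }

  revokeToken(accessToken) {
    return this.access.delete(accessToken); // Map.delete reports whether it existed
  }

  // Resource-server check: who owns this token, or null if it is dead.
  authenticate(accessToken) {
    const entry = this.access.get(accessToken);
    return entry ? entry.user : null;
  }
}

// RFC 6750 section 2.1: the scheme name is case-insensitive and the credential
// is one token68 string. Anything else (missing header, Basic scheme, empty
// token) is rejected instead of being sliced at a fixed offset.
function parseBearerToken(authorization) {
  if (typeof authorization !== 'string') return null;
  const m = /^\s*Bearer\s+([A-Za-z0-9\-._~+\/]+=*)\s*$/i.exec(authorization);
  return m ? m[1] : null;
}

// A Set-Cookie value that deletes a cookie (what the Zuul filter's
// setMaxAge(0) produces). Name and Path must match the original cookie,
// otherwise the browser keeps the old one and merely adds a second, empty one.
function expireCookieHeader(name, path) {
  return `${name}=; Max-Age=0; Path=${path}; HttpOnly; Secure`;
}

// Client side: the request the AngularJS logout() sends, with the token in
// the Authorization header rather than the query string, so it stays out of
// access logs.
function buildLogoutRequest(accessToken) {
  return { method: 'DELETE', url: 'oauth/token', headers: { authorization: `Bearer ${accessToken}` } };
}

// Server side: DELETE /oauth/token. Revokes the presented token and tells the
// browser to drop the refreshToken cookie.
function handleRevoke(store, req) {
  if (req.method !== 'DELETE') {
    return { status: 405, body: 'method not allowed', headers: {} };
  }
  const token = parseBearerToken(req.headers.authorization);
  if (!token) {
    return { status: 401, body: 'missing bearer token', headers: {} };
  }
  const ok = store.revokeToken(token);
  return {
    status: 200,
    body: ok ? 'logout succeeded' : 'logout failed',
    headers: { 'Set-Cookie': expireCookieHeader('refreshToken', '/oauth/token') },
  };
}

// Whole flow: log in, use the token, log out, then show that the token is dead
// and that a replayed logout with the same token is refused.
function runLogoutFlow() {
  const store = new TokenStore();
  const { accessToken } = store.issue('alice');
  const before = store.authenticate(accessToken);
  const res = handleRevoke(store, buildLogoutRequest(accessToken));
  const after = store.authenticate(accessToken);
  const replay = handleRevoke(store, buildLogoutRequest(accessToken));
  return {
    before,                           // 'alice'
    status: res.status,               // 200
    body: res.body,                   // 'logout succeeded'
    cookie: res.headers['Set-Cookie'],
    after,                            // null: the store no longer knows the token
    replay: replay.body,              // 'logout failed'
  };
}

console.log(runLogoutFlow());
```

The point the model makes explicit is that logout is only real once the server-side store forgets the token: removing the access_token cookie in the browser alone leaves the token valid for anyone who has copied it, whereas after revokeToken the same token fails authenticate and a second revoke reports failure.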