This repository has been archived by the owner on May 31, 2022. It is now read-only.
How to authenticate the user every time? I want the login page to be shown every time the user opens /oauth/authorize, instead of using the last session to log in automatically.
I have set the client's auto approval to true; I do not have an approval page right now.
Actual Behavior
I want to build a stateless user authentication server that requires the user to authorize every time; that is to say, I am going to show the login page every time the user calls /oauth/authorize?xxxxxxx.
I realize that when the user opens '/oauth/authorize' the first time, spring-security's FilterChainProxy will invoke FilterSecurityInterceptor to open the login page. After successful authentication, SavedRequestAwareAuthenticationSuccessHandler will redirect to /oauth/authorize again; what is different from last time is that SecurityContextPersistenceFilter can now get the current logged-in user's context. Finally, AuthorizationEndpoint can be invoked and redirect to the right redirect_url.
Expected Behavior
I wonder why, after user authentication succeeds, AuthenticationSuccess will redirect the request to 'oauth/authorize' again instead of invoking AuthorizationEndpoint in another way? When I set session management to stateless, I lose the right redirect_url; or if I set FilterSecurityInterceptor's alwaysReauthenticate to true, I am required to visit the login page every time, even when I submit my right username and password.
The problem is that 'oauth/authorize' is called two times: the first time to open the login page and the second time to generate the authorize_code and redirect to the right redirect_url. But they are invoked by the same filter chain and do the same things. If I turn off the session, the second call will fail, and I cannot find a way to stop the first call to show the login page every time, because the second call will do the same thing.
So, in order to realize my requirement, I had to overwrite the AuthorizationEndpoint and add some code to clear the user context after the authorize_code is generated successfully, like below.
// Validation is all done, so we can check for auto approval...
if (authorizationRequest.isApproved()) {
    if (responseTypes.contains("token")) {
        ModelAndView modelAndView = getImplicitGrantResponse(authorizationRequest);
        clearSessionAfterApprovalSuccess();
        return modelAndView;
    }
    if (responseTypes.contains("code")) {
        View codeView = getAuthorizationCodeResponse(authorizationRequest,
                (Authentication) principal);
        clearSessionAfterApprovalSuccess();
        return new ModelAndView(codeView);
    }
}
I know this way is not a good idea, but is there a better way to do that?
Configuration
auth-service marked with @EnableAuthorizationServer
Version
spring-security-starter & spring-boot 2.0.5
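
An alternative to overriding AuthorizationEndpoint, as an added example that is not part of the original issue or of the Spring project's code: a HandlerInterceptor registered on the authorization server's endpoints drops the login session once /oauth/authorize has answered with a redirect. The class names are hypothetical, and it assumes the default /oauth/authorize path, auto-approved clients as described above, and the javax servlet API used by Spring Boot 2.0.x.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.web.servlet.HandlerInterceptor;

// Hypothetical class names; only the Spring types are real.
// Client and token settings stay in the existing authorization-server
// configuration (or move the configure() override below into it).
@Configuration
public class ReauthEveryAuthorizeConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // Applies to the framework endpoints (/oauth/authorize, /oauth/token, ...).
        endpoints.addInterceptor(new ClearLoginAfterAuthorize());
    }

    static class ClearLoginAfterAuthorize implements HandlerInterceptor {
        private final SecurityContextLogoutHandler logout = new SecurityContextLogoutHandler();

        @Override
        public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
                                    Object handler, Exception ex) {
            // The unauthenticated first call is redirected to the login page by the
            // security filter chain and never reaches this interceptor, so the saved
            // request in the session survives until the second call has been served.
            boolean authorizeCall = request.getRequestURI().endsWith("/oauth/authorize");
            boolean redirected = response.getStatus() / 100 == 3;
            if (authorizeCall && redirected) {
                // Invalidate the HttpSession and clear the SecurityContext so the next
                // /oauth/authorize request finds no authentication and shows the login
                // page again. A non-redirect response (for example a forward to an
                // approval page) keeps the session it still needs.
                logout.logout(request, response, null);
            }
        }
    }
}
```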