Symfony 4.4 Auth0: how do I fully log a user out of the application?



Basic information:

I created a test application to check whether SSO (single sign-on) works. I use Auth0 as the SSO provider and Symfony 4.4 as the application framework. I used this article from Auth0 to build the foundation. So far I can log in / log out.

Problem:

When I log in once (with credentials), log out, and then log in again, I am immediately logged in with the same account I used before. There is no need to fill in credentials again. It seems to remember the session, or somehow does not fully log the user out. I want the user to have to log in with credentials again after logging out, because some of my users will share one computer to run the application (so they need to switch users).

Possible fix / extra information:

According to the documentation/community there, I should look at this. But that seems to mean I need to add an API call with ?federated. The setup example does not use it (maybe the library does it for me). Also, the logout function in the SecurityController generated by make:auth (or make:user) no longer executes any code. Even if I change the function name, it still logs me out. It only stopped once I removed/changed the route name. This may be very bad, but if I had the chance to execute code on logout, I could make that API call.

The best thing I can think of is to change some setting in Symfony or add a piece of code so it logs out correctly. But I don't know how.

My code:

SecurityController.php

<?php
namespace App\Controller;

use Exception;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;

class SecurityController extends AbstractController
{
    /**
     * @Route("/login", name="app_login")
     */
    public function login(AuthenticationUtils $authenticationUtils): Response
    {
        // get the login error if there is one
        $error = $authenticationUtils->getLastAuthenticationError();
        // last username entered by the user
        $lastUsername = $authenticationUtils->getLastUsername();

        return $this->render('security/login.html.twig', ['last_username' => $lastUsername, 'error' => $error]);
    }

    /**
     * @Route("/logout", name="app_logout")
     */
    public function logout()
    {
        // Does not trigger at all. It does not stop the page but just continues to redirect and log out.
        dump($this->get('session'));
        dump("test");
        exit();
        throw new Exception('This method can be blank - it will be intercepted by the logout key on your firewall');
    }
}

Auth0ResourceOwner.php

<?php
namespace App;

use HWI\Bundle\OAuthBundle\OAuth\ResourceOwner\GenericOAuth2ResourceOwner;
use Symfony\Component\OptionsResolver\Options;
use Symfony\Component\OptionsResolver\OptionsResolver;

class Auth0ResourceOwner extends GenericOAuth2ResourceOwner
{
    protected $paths = array(
        'identifier'     => 'user_id',
        'nickname'       => 'nickname',
        'realname'       => 'name',
        'email'          => 'email',
        'profilepicture' => 'picture',
    );

    public function getAuthorizationUrl($redirectUri, array $extraParameters = array())
    {
        return parent::getAuthorizationUrl($redirectUri, array_merge(array(
            'audience' => $this->options['audience'],
        ), $extraParameters));
    }

    protected function configureOptions(OptionsResolver $resolver)
    {
        parent::configureOptions($resolver);

        $resolver->setDefaults(array(
            'authorization_url' => '{base_url}/authorize',
            'access_token_url'  => '{base_url}/oauth/token',
            'infos_url'         => '{base_url}/userinfo',
            'audience'          => '{base_url}/userinfo',
        ));

        $resolver->setRequired(array(
            'base_url',
        ));

        // Substitute the configured Auth0 tenant URL into every {base_url} placeholder
        $normalizer = function (Options $options, $value) {
            return str_replace('{base_url}', $options['base_url'], $value);
        };

        $resolver->setNormalizer('authorization_url', $normalizer);
        $resolver->setNormalizer('access_token_url', $normalizer);
        $resolver->setNormalizer('infos_url', $normalizer);
        $resolver->setNormalizer('audience', $normalizer);
    }
}

routes.yaml

hwi_oauth_redirect:
    resource: "@HWIOAuthBundle/Resources/config/routing/redirect.xml"
    prefix: /connect

hwi_oauth_connect:
    resource: "@HWIOAuthBundle/Resources/config/routing/connect.xml"
    prefix: /connect

hwi_oauth_login:
    resource: "@HWIOAuthBundle/Resources/config/routing/login.xml"
    prefix: /login

auth0_login:
    path: /auth0/callback

auth0_logout:
    path: /auth0/logout
    # controller: App\Controller\SecurityController::logout

hwi_oauth.yaml

hwi_oauth:
    firewall_names: [main]
    # https://github.com/hwi/HWIOAuthBundle/blob/master/Resources/doc/2-configuring_resource_owners.md
    resource_owners:
        auth0:
            type: oauth2
            class: 'App\Auth0ResourceOwner'
            client_id: "%env(AUTH0_CLIENT_ID)%"
            client_secret: "%env(AUTH0_CLIENT_SECRET)%"
            base_url: "https://%env(AUTH0_DOMAIN)%"
            scope: "openid profile email"

security.yaml

security:
    encoders:
        App\Entity\Users:
            algorithm: auto
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\Users
                property: username
        oauth_hwi:
            id: hwi_oauth.user.provider
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            anonymous: ~
            provider: oauth_hwi
            oauth:
                resource_owners:
                    auth0: "/auth0/callback"
                login_path: /login
                failure_path: /login
                default_target_path: /testPage
                oauth_user_provider:
                    service: hwi_oauth.user.provider
            guard:
                authenticators:
                    - App\Security\LoginFormAuthenticator
            logout:
                path: /logout
                # target: /login

    access_control:
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # Everyone that logged in can go to /
        - { path: '^/testPage', roles: [IS_AUTHENTICATED_FULLY] }

.env

AUTH0_CLIENT_ID=not-so-secret-but-secret
AUTH0_CLIENT_SECRET=secret
AUTH0_DOMAIN=dev-...

User dump:

TestPageController.php on line 17:
HWI\Bundle\OAuthBundle\Security\Core\User\OAuthUser {#3742 ▼
  #username: "testUser"
}

I hope this is understandable. Any help is appreciated.

It looks like you have to log out from the OAuth service you are using as well; this is a similar issue.

Code:

src/Security/CustomLogoutSuccessHandler.php

<?php
namespace App\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;

class CustomLogoutSuccessHandler implements LogoutSuccessHandlerInterface
{
    private $target;

    public function __construct(string $target)
    {
        $this->target = $target;
    }

    public function onLogoutSuccess(Request $request)
    {
        // Send the browser on to the configured target (the Auth0 logout endpoint)
        return new RedirectResponse($this->target);
    }
}

security.yaml

logout:
    path: /logout
    success_handler: App\Security\CustomLogoutSuccessHandler

services.yaml

services:
    App\Security\CustomLogoutSuccessHandler:
        arguments: ['%env(resolve:LOGOUT_TARGET_URL)%']

.env

LOGOUT_TARGET_URL=https://{yourAuth0AppDomain}.auth0.com/v2/logout?returnTo={yourRedirectURL}&client_id={secret}

The code from the GitHub issue redirects you 4 times: logout → route (.env) → Auth0 → route.

The code shown above redirects you 3 times: logout → Auth0 → route. Just a small improvement.

The code from this article
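Added example, not code from the question, the answer or the Auth0/HWIOAuthBundle projects. Symfony's `logout` firewall key intercepts the request to `/logout` before any controller runs, which is why the controller body in the question never executes; in Symfony 4.4 the hook that does run is the logout success handler. The variant below builds the Auth0 `/v2/logout` URL from its parts instead of a pre-assembled `.env` string, so `returnTo` is percent-encoded and the `federated` flag (which also ends the upstream identity provider's session) can be switched on per deployment. The env-variable names `AUTH0_LOGOUT_RETURN_TO` and `AUTH0_LOGOUT_FEDERATED`, and the class name, are assumptions for this example.

```php
<?php
// Added example (not from the original post). Assumes Symfony 4.4 and the Auth0
// /v2/logout endpoint; the constructor arguments are expected to be wired in
// services.yaml from AUTH0_DOMAIN, AUTH0_CLIENT_ID and the hypothetical
// AUTH0_LOGOUT_RETURN_TO / AUTH0_LOGOUT_FEDERATED environment variables.
namespace App\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;

class Auth0LogoutSuccessHandler implements LogoutSuccessHandlerInterface
{
    private $domain;
    private $clientId;
    private $returnTo;
    private $federated;

    public function __construct(string $domain, string $clientId, string $returnTo, bool $federated = false)
    {
        $this->domain    = $domain;    // e.g. dev-xxxx.eu.auth0.com (no scheme)
        $this->clientId  = $clientId;  // public identifier, not a secret
        $this->returnTo  = $returnTo;  // must be listed in the app's "Allowed Logout URLs" in Auth0
        $this->federated = $federated;
    }

    /**
     * Build the Auth0 logout URL. Kept static and side-effect free so it can be
     * unit-tested without booting the kernel.
     */
    public static function buildLogoutUrl(string $domain, string $clientId, string $returnTo, bool $federated = false): string
    {
        // http_build_query percent-encodes returnTo (the '://' and any query string in it);
        // a hand-typed URL in .env leaves it raw and Auth0 may reject or truncate it.
        $query = http_build_query(
            ['client_id' => $clientId, 'returnTo' => $returnTo],
            '',
            '&',
            PHP_QUERY_RFC3986
        );

        $url = sprintf('https://%s/v2/logout?%s', $domain, $query);

        // Auth0 treats "federated" as a bare flag: its presence, not its value, matters.
        if ($federated) {
            $url .= '&federated';
        }

        return $url;
    }

    public function onLogoutSuccess(Request $request): RedirectResponse
    {
        // By the time this runs Symfony's logout listener has already cleared the
        // security token and invalidated the local session; the only thing left
        // alive is the Auth0 session cookie on the tenant domain, which the
        // redirect below ends.
        return new RedirectResponse(
            self::buildLogoutUrl($this->domain, $this->clientId, $this->returnTo, $this->federated)
        );
    }
}
```

Register it under `services:` in services.yaml with `arguments: ['%env(AUTH0_DOMAIN)%', '%env(AUTH0_CLIENT_ID)%', '%env(AUTH0_LOGOUT_RETURN_TO)%', '%env(bool:AUTH0_LOGOUT_FEDERATED)%']` and point `success_handler` at it in the firewall's `logout` section, as the answer does for `CustomLogoutSuccessHandler`. Two checks worth doing before relying on it: the `returnTo` value has to match one of the application's Allowed Logout URLs in the Auth0 dashboard or Auth0 will refuse the redirect, and with `federated` off a user who signed in through an upstream provider (Google, an enterprise IdP) may still be silently re-authenticated by that provider on the next `/authorize` round trip, which is exactly the shared-computer scenario the question describes.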
