Session management/revocation with OAuth2 and OpenID Connect
Suppose I have a scenario where a user logs in to a client application through an identity provider using an OAuth2/OpenID Connect flow. How do I handle a user who decides to revoke the client's access to their profile? That is, how do I make sure the client application automatically terminates its local session?
Following on from the above, is there a recommended way to implement session management at the client application level when logging in with an external provider?
TL;DR: how do I implement single sign-out using an OAuth2/OpenID Connect flow?
You can have a look at the OpenID Session management draft:
This specification complements the OpenID Connect Core 1.0
[OpenID.Core] specification by defining how to monitor the End-User's
login status at the OpenID Provider on an ongoing basis so that the
Relying Party can log out an End-User who has logged out of the OpenID
Provider.
There is also some documentation on this topic on the internet:
- https://medium.com/@technospace/managing-sessions-with-openid-connect-d3b6fb4f552b
- https://oa.dnc.global/web/-OpenID-Connect-SSO-management-de-session-etc-.html#draftmanagementdesessionopenidconnect
- https://connect2id.com/products/server/docs/api/check-session
You can also look at how django-oidc-provider handles it:
https://django-oidc-provider.readthedocs.io/en/latest/sections/sessionmanagement.html