I'm having issues understanding the client side of the OAuth2 authorization code flow when there are multiple instances of the service.
As far as I understand, the OAuth2AuthorizationRequest is a stateful request since it uses the state parameter which is passed to the authorization server. Before sending it, Spring Security stores this state in memory on the pod that initiated the call. After the user authenticates, the authentication server responds with the same state parameter, which reaches Spring Security and is checked against what was previously stored in memory. If there is no match, an authorization_request_not_found exception is thrown and the flow is aborted. If there is a match, the flow is successful.
What I'm trying to do is store some extra information in the state parameter such that when the flow finishes successfully I can use the information in my app. If the request is stateful, is it safe to store the extra information in the Spring Security HTTP session instead of sending it in the state parameter?
How does this flow work if there are multiple pods? Is the initial HTTP connection kept alive and reused until the flow finishes?
asked Feb 25 at 10:56 by user1934513

2 Answers
When using multiple instances of a stateful Spring application, you should share the session between these instances (applications using formLogin or oauth2Login are stateful). Spring Session serves this purpose and stores session data in Redis by default. Be aware that Back-Channel Logout won't work unless you write your own OidcSessionRegistry.
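As an added example (not code from the question or the answers), a Spring Boot configuration that shares the HttpSession through Spring Session and Redis, so that oauth2Login's default HttpSessionOAuth2AuthorizationRequestRepository finds the saved OAuth2AuthorizationRequest (and its random state) on whichever pod receives the callback, and that keeps the extra per-login data in that shared session instead of in the state parameter. It assumes spring-session-data-redis plus a Redis connection autoconfigured by Spring Boot; the attribute name, the /login/start endpoint, the path check and the registration id my-client are my own placeholders.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Configuration
@EnableRedisHttpSession // session data (saved authorization request, SecurityContext) lives in Redis, not pod memory
public class SharedSessionOAuth2Config {

    // Hypothetical attribute name for data wanted back after login; stays server-side, never in "state"
    static final String RETURN_TO = "app.returnTo";

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(a -> a.requestMatchers("/login/start").permitAll().anyRequest().authenticated())
            // the default HttpSessionOAuth2AuthorizationRequestRepository stores the OAuth2AuthorizationRequest
            // in the HttpSession; with Spring Session that session is visible to every pod
            .oauth2Login(o -> o.successHandler(successHandler()));
        return http.build();
    }

    // Once the code flow has completed (state matched, token exchanged), read the extra data back
    AuthenticationSuccessHandler successHandler() {
        return (request, response, authentication) -> {
            Object target = request.getSession().getAttribute(RETURN_TO);
            request.getSession().removeAttribute(RETURN_TO); // single use
            response.sendRedirect(target instanceof String t ? t : "/");
        };
    }
}

@Controller
class LoginStartController {
    // Stash the value in the (shared) session, then start the flow via Spring Security's standard endpoint
    @GetMapping("/login/start")
    String start(@RequestParam(defaultValue = "/") String returnTo, HttpServletRequest request) {
        // accept only local absolute paths so the post-login redirect cannot leave this application
        String safe = returnTo.startsWith("/") && !returnTo.startsWith("//") ? returnTo : "/";
        request.getSession(true).setAttribute(SharedSessionOAuth2Config.RETURN_TO, safe);
        return "redirect:/oauth2/authorization/my-client"; // registration id from application.yml (placeholder)
    }
}
```

The state parameter keeps its only job, binding the callback to the request that started the flow; application data rides in the session, where the user cannot tamper with it and where no pod affinity is needed.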
Seems that there is a sticky session configuration done on the ALB on the JSESSIONID cookie name.