Comments (3)
If you follow the tutorials strictly, the logout should work in all 3 applications (with CSRF).
Angular automatically adds an X-XSRF-TOKEN
header when a CSRF cookie is accessible to Javascript (http-only
flag set to false
in the cookie). So what you describe as workaround is actually what Angular does for us behind the scene. But Vue for instance don't do it and we have to do something like you propose. This is explained in section 7.4 Logout of the article.
Maybe did you miss the part with csrf: cookie-accessible-from-js
in spring-addons client properties for the BFF?
from spring-addons.
Hi, so it turned out Angular issue since I used absolute URL for ex:
this.http.post(`http://localhost:7080/bff/logout`, null, {
....
Angular didn't include the XSRF-TOKEN from Cookie because of this code here.
So the solution is to use relative URL like the one in your example:
this.http.post(`/bff/logout`, null, {
Thanks 👍
from spring-addons.
Yep, that limitation with absolute URLs and CSRF is something to keep in mind when working with Angular :/
from spring-addons.
Related Issues (20)
- After 7.3.0 authentication for web mvc client against keycloak ends in endless redirect HOT 8
- Exception thrown when `post-logout-redirect-path` configuration property is null HOT 1
- Post-login success & failure URI params and headers on authentication request are ignored in reactive applications HOT 1
- `authorization-request-params` ignored HOT 1
- POST /logout response Forbidden 403 HOT 9
- Support several JWT authentication converters (or converters with a `@Qualifier` which is not `jwtAuthenticationConverter`)
- Doubled path-prefix by `SpringAddonsServerOAuth2AuthorizationRequestResolver` HOT 1
- Allow anonymous CORS preflight requests (`OPTIONS` requests to a path configured with CORS) HOT 1
- Configuration properties to add parameters to token requests HOT 1
- Spring Starter OICD, Resource Server: Option to disable the default behavior for authorized/protected routes HOT 1
- BFF configuration token is not refreshed HOT 3
- Getting response 401 (Unauthorized) for permit-all requests after update HOT 2
- (Not a bug)Why the custom JwtDecoder bean is useless HOT 2
- `spring-security-oauth2-resource-server`, `spring-security-oauth2-client` and `spring-webflux` should be `optional` dependencies HOT 1
- Support for resource owner password credential flow (ROPC) HOT 1
- Handle CORS Requests with Keycloak's "allowed-origins" claim like the keycloak adapter (now deprecated) HOT 2
- Downstream services times out reading request body when csrf is set to cookie-accessible-from-js HOT 2
- Expand servlet-client tutorial to show calling servlet-resource-server with user that has NICE privileges. HOT 2
- Import keycloak realms with spring-addons-starters-rest HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from spring-addons.