Spring @EnableResourceServer vs @EnableOAuth2Sso

Most of the tutorials I've read so far use @EnableOAuth2Sso instead of @EnableResourceServer on the API gateway. What are the differences? What does OAuth2Sso do in contrast?

Details: I'm implementing a security/infra architecture for spring-based microservices and single page apps. For some time, while we didn't have security requirements, the SPAs talked directly to open microservices, on different hosts (CORS party).

Now I'm adding a layer of security and the gateway pattern using spring-oauth and spring-zuul. So I have a service (uaa-service) with @EnableAuthorizationServer and a gateway with @EnableZuulProxy & @EnableResourceServer. I only need the password grant type, so each SPA has its own login form and authenticates with the uaa-service token endpoint, through the gateway, and then proceeds to use that token for further requests.

Is there anything wrong with this approach? Should I be using @EnableOAuth2Sso?
These annotations mark your services with different OAuth 2.0 roles.

@EnableResourceServer annotation means that your service (in terms of OAuth 2.0 - Resource Server) expects an access token in order to process the request. The access token should be obtained from the Authorization Server by the OAuth 2.0 Client before calling the Resource Server.

@EnableOAuth2Sso marks your service as an OAuth 2.0 Client. This means that it will be responsible for redirecting the Resource Owner (end user) to the Authorization Server where the user has to enter their credentials. After it's done the user is redirected back to the Client with an Authorization Code (don't confuse with Access Code). Then the Client takes the Authorization Code and exchanges it for an Access Token by calling the Authorization Server. Only after that, the Client can make a call to a Resource Server with the Access Token.

Also, if you take a look into the source code of the @EnableOAuth2Sso annotation you will see two interesting things:

1. @EnableOAuth2Client. This is where your service becomes an OAuth 2.0 Client. If you call downstream services with OAuth2RestTemplate, the Access Token (after exchanging the Authorization Code) can be forwarded to them.
2. @EnableConfigurationProperties(OAuth2SsoProperties.class). OAuth2SsoProperties has only one property, String loginPath, which is /login by default. Browser requests to /login will be intercepted by OAuth2ClientAuthenticationProcessingFilter and the user will be redirected to the Authorization Server.

Should I be using @EnableOAuth2Sso?

It depends:

1. @EnableOAuth2Sso supports Resource Owner Password Credentials Flow very well. Anyway, I would suggest you move with the Authorization Code Flow unless you have really (like really!) good reasons not to do so.
2. @EnableResourceServer. Then the API Gateway will be the OAuth 2.0 Client, and your microservices will be OAuth 2.0 Resource Servers, which seems logical to me.
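The role split the answer describes, written out as an added example (this is not code from the question, the answer, or the Spring projects themselves): the gateway carries @EnableZuulProxy and @EnableOAuth2Sso and so acts as the OAuth 2.0 Client, while a downstream microservice carries @EnableResourceServer and only ever sees bearer tokens. It targets Spring Boot 1.5 with spring-security-oauth2 and Spring Cloud Netflix Zuul. The package and class names, the "orders" resource id and scopes, the paths, and every property value in the commented application.yml fragments (including the uaa-service URIs and the CLIENT_SECRET_PLACEHOLDER) are assumptions chosen for illustration.

```java
// Added example, not from the question or answer above. Two files are shown in one block;
// each would live in its own module. All names, URIs and property values are assumptions.

// ---- File 1: gateway/src/main/java/example/gateway/GatewayApplication.java ----
// application.yml for the gateway (assumed values; the URIs point at the uaa-service):
//   security:
//     oauth2:
//       client:
//         client-id: gateway
//         client-secret: CLIENT_SECRET_PLACEHOLDER
//         access-token-uri: http://uaa-service/oauth/token
//         user-authorization-uri: http://uaa-service/oauth/authorize
//       resource:
//         token-info-uri: http://uaa-service/oauth/check_token
//       sso:
//         login-path: /login   # the single OAuth2SsoProperties setting; /login is the default
package example.gateway;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;

// @EnableOAuth2Sso makes the gateway the OAuth 2.0 Client: an unauthenticated browser request to
// /login is intercepted by OAuth2ClientAuthenticationProcessingFilter and redirected to the
// Authorization Server; the returned Authorization Code is exchanged for an Access Token, which
// the gateway keeps in the user's session. The end user's credentials never reach the gateway.
@SpringBootApplication
@EnableZuulProxy
@EnableOAuth2Sso
public class GatewayApplication {
    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }
}

// ---- File 2: orders-service/src/main/java/example/orders/ResourceServerConfig.java ----
// application.yml for the microservice (assumed values):
//   security:
//     oauth2:
//       resource:
//         token-info-uri: http://uaa-service/oauth/check_token
package example.orders;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

// @EnableResourceServer makes this service an OAuth 2.0 Resource Server: every request must carry a
// bearer Access Token, which is validated against the Authorization Server (token-info-uri above)
// before any controller runs. There is no login form and no redirect; a missing or invalid token
// simply yields 401.
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Reject tokens that were not issued for this service even if they are otherwise valid:
        // the token's audience ("aud") must contain this resource id.
        resources.resourceId("orders");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // health endpoint stays open for the load balancer
            .antMatchers("/health").permitAll()
            // reads require the orders.read scope to be present in the token
            .antMatchers(HttpMethod.GET, "/orders/**").access("#oauth2.hasScope('orders.read')")
            // everything else requires orders.write
            .anyRequest().access("#oauth2.hasScope('orders.write')");
    }
}
```

For the questioner's password-grant setup the gateway side is different only in its annotation: with @EnableResourceServer instead of @EnableOAuth2Sso the gateway validates the bearer token the SPA sends in the Authorization header rather than performing any redirect, and, when spring-cloud-security is on the classpath, its Zuul token relay filter passes that same token on to the microservice, which then applies the audience and scope checks shown in File 2. Either way the resource id and scope checks belong on each microservice, so a token stolen or minted for one service cannot be replayed against another.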