[英]How to call a protected resource on behalf of a specific user using OAuth2 and JWT token in Spring?
So we have an authentication server where the UI application gets the access token and then it communicate with API server, it's all good. 因此,我们有一个身份验证服务器,UI应用程序在其中获取访问令牌,然后与API服务器通信,这一切都很好。 Now we are building a third application which needs SSO to authenticate the same user and that is fine too. 现在,我们正在构建第三个需要SSO来验证同一用户的应用程序,这也很好。
However, there are scenarios where this third application needs to use some resources on the API server which, from my understanding, we need to get a token from auth server using client-id/secret and then send the request with the access token. 但是,在某些情况下,第三个应用程序需要使用API服务器上的一些资源,据我所知,我们需要使用client-id / secret从auth服务器获取令牌,然后发送带有访问令牌的请求。 This seems ok too, however I am not sure how API server is going to authorise that token ( a hint on this would be great ). 这似乎也可以,但是我不确定API服务器将如何授权该令牌( 对此的提示会很棒 )。
But the main problem is we want this request to be sent on behalf of the user. 但是主要的问题是我们希望该请求代表用户发送。 This is because API server needs to audit all user's activities. 这是因为API服务器需要审核所有用户的活动。 How can we achieve this using Spring Boot/OAuth2 and JWT Token? 我们如何使用Spring Boot / OAuth2和JWT Token实现这一目标?
I went through documentation and I know about @EnableOauth2Sso @EnableAuthorisationServer etc. but this scenario is not clear and I'm not even sure it's been implemented in Spring or not. 我浏览了文档,并且了解@ EnableOauth2Sso @EnableAuthorisationServer等。但是这种情况尚不清楚,我甚至不确定它是否在Spring中实现。
If there is no implementation for this scenario, what do you recommend? 如果没有针对此方案的实现,那么您建议什么? Any experience you have had on this, can you please share? 您对此有任何经验,可以分享一下吗?
Your API server plays the role of a Resource Server. 您的API服务器扮演资源服务器的角色。 There is an annotation designed for that purpose: @EnableResourceServer
. 为此目的设计了一个注释: @EnableResourceServer
。 Your client app then will consume this resource using the handy OAuth2RestTemplate
. 然后,您的客户端应用程序将使用方便的OAuth2RestTemplate
消耗此资源。
There are two approaches to properly configure the Resource Server and get this working: 有两种方法可以正确配置资源服务器并使之正常工作:
I have posted a sample app on github using the first approach. 我使用第一种方法在github上发布了一个示例应用程序 。 There you can see the interaction between the Authorization Server, the Client and the Resource Server, as well as all the configurations you need for this implementation. 在这里,您可以看到授权服务器,客户端和资源服务器之间的交互,以及此实现所需的所有配置。 Hope it helps you. 希望对您有帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.