如何在Spring中使用OAuth2和JWT令牌代表特定用户调用受保护的资源?
[英]How to call a protected resource on behalf of a specific user using OAuth2 and JWT token in Spring?
问题描述
So we have an authentication server where the UI application gets the access token and then it communicate with API server, it's all good. 
因此,我们有一个身份验证服务器,UI应用程序在其中获取访问令牌,然后与API服务器通信,这一切都很好。 Now we are building a third application which needs SSO to authenticate the same user and that is fine too. 现在,我们正在构建第三个需要SSO来验证同一用户的应用程序,这也很好。
However, there are scenarios where this third application needs to use some resources on the API server which, from my understanding, we need to get a token from auth server using client-id/secret and then send the request with the access token. 但是,在某些情况下,第三个应用程序需要使用API服务器上的一些资源,据我所知,我们需要使用client-id / secret从auth服务器获取令牌,然后发送带有访问令牌的请求。 This seems ok too, however I am not sure how API server is going to authorise that token ( a hint on this would be great ). 这似乎也可以,但是我不确定API服务器将如何授权该令牌( 对此的提示会很棒 )。
But the main problem is we want this request to be sent on behalf of the user. 但是主要的问题是我们希望该请求代表用户发送。 This is because API server needs to audit all user's activities. 这是因为API服务器需要审核所有用户的活动。 How can we achieve this using Spring Boot/OAuth2 and JWT Token? 我们如何使用Spring Boot / OAuth2和JWT Token实现这一目标?
I went through documentation and I know about @EnableOauth2Sso @EnableAuthorisationServer etc. but this scenario is not clear and I'm not even sure it's been implemented in Spring or not. 我浏览了文档,并且了解@ EnableOauth2Sso @EnableAuthorisationServer等。但是这种情况尚不清楚,我甚至不确定它是否在Spring中实现。
If there is no implementation for this scenario, what do you recommend? 如果没有针对此方案的实现,那么您建议什么? Any experience you have had on this, can you please share? 您对此有任何经验,可以分享一下吗?
1 个解决方案
解决方案1
0 已采纳 2017-07-29 03:39:49
Your API server plays the role of a Resource Server. 您的API服务器扮演资源服务器的角色。 There is an annotation designed for that purpose: @EnableResourceServer . 为此目的设计了一个注释: @EnableResourceServer 。 Your client app then will consume this resource using the handy OAuth2RestTemplate . 然后,您的客户端应用程序将使用方便的OAuth2RestTemplate消耗此资源。
There are two approaches to properly configure the Resource Server and get this working: 有两种方法可以正确配置资源服务器并使之正常工作:
- Have the public key directly in your resource server app: this way when the client app try to use a token provided by the authorization server to get a resource from the Resource Server, this will verify if the token is valid by itself. 直接在您的资源服务器应用程序中拥有公钥:以这种方式,当客户端应用程序尝试使用授权服务器提供的令牌从资源服务器获取资源时,这将验证令牌本身是否有效。
- Configure the resource server to ask the authorization server if a given access token is valid and depending of the response it will allow or decline to get the resource. 配置资源服务器以询问授权服务器给定的访问令牌是否有效,并取决于响应将允许还是拒绝获取资源。
I have posted a sample app on github using the first approach. 我使用第一种方法在github上发布了一个示例应用程序 。 There you can see the interaction between the Authorization Server, the Client and the Resource Server, as well as all the configurations you need for this implementation. 在这里,您可以看到授权服务器,客户端和资源服务器之间的交互,以及此实现所需的所有配置。 Hope it helps you. 希望对您有帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.