Is there a way to validate oauth token sent by approuter in plain java application ( micro service in cloud foundry ) without using spring
I have an approuter written in node.js which sends a JWT token to the Java application after user authentication.
I need to verify this token and its scope in the Spring application before executing the REST API, but is there a way to do the same thing without using any Spring feature?
One option is to use the /check_token endpoint of UAA. The nice thing about this approach is that it's pretty easy to do without the help of external libraries, since it's just a matter of sending an HTTP request. There's also no crypto (other than TLS) required; UAA handles all that for you. However, it does require client credentials so that you can identify the application checking the token with UAA, and it has the overhead of sending an HTTP request.
Ex:
curl 'http://uaa.example.com/check_token' -i -u 'app:appclientsecret' -X POST \
  -d 'token=53dbe3e05dcf4ff38d350bc74a7fc97b&scopes=password.write%2Cscim.userids'
Where app and appclientsecret are your app's client credentials, and the scopes attribute is optional, but if you do include it, UAA will also validate that the scopes you indicate are present on the token.
More at the following links: 以下链接提供了更多信息:
The other option would be to validate the token yourself. This requires a signed token, and it requires you to have a shared secret between your server and, in the case of Cloud Foundry, UAA.
I don't have instructions to walk you through this without Spring, but Spring Security is open source, so you can take a look at their code and see how it's done.
It looks like the decodeAndVerify method of JwtHelper is a good place to start. There's also an example of how JwtHelper is used here.
Hope that helps!
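Both options from the answer above, written out in plain Java as an added example (this is not code from the original answer, from UAA or from Spring Security). Assumptions: Java 11 or later (for InputStream.readAllBytes); the token is HMAC-SHA256 signed with the shared secret the answer describes, so the signature is checked with javax.crypto.Mac; the class name UaaTokenCheck, the method names and the demo secret, clock and claims are all constructed for illustration. Claims are pulled out with regular expressions only to keep the example dependency-free. One caveat a practitioner should know: if your UAA is configured with an asymmetric (RSA) signing key instead of a shared secret, the local check must verify the signature with the public key UAA publishes at its /token_keys endpoint and pin alg to RS256 rather than HS256; the ordering of the checks below stays the same.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Checking a UAA bearer token from plain Java (no Spring): remote introspection or local HS256 verification. */
public final class UaaTokenCheck {

    // Option 1: ask UAA. Returns the /check_token JSON body on HTTP 200 and throws otherwise.
    static String checkTokenRemotely(String uaaBaseUrl, String clientId, String clientSecret,
                                     String token, String requiredScopes) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(uaaBaseUrl + "/check_token").openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        String basic = Base64.getEncoder().encodeToString((clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
        conn.setRequestProperty("Authorization", "Basic " + basic);   // what curl -u sends
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String form = "token=" + URLEncoder.encode(token, "UTF-8");
        if (requiredScopes != null) form += "&scopes=" + URLEncoder.encode(requiredScopes, "UTF-8");
        try (OutputStream out = conn.getOutputStream()) { out.write(form.getBytes(StandardCharsets.UTF_8)); }
        int status = conn.getResponseCode();
        if (status != 200) throw new IOException("UAA rejected the token: HTTP " + status);
        return new String(conn.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
    }

    // Option 2: verify locally with the HMAC shared secret the answer mentions (HS256).
    // Order matters: structure, pinned alg, signature (constant time), then exp and scope from the payload.
    static String verifyLocally(String token, byte[] sharedSecret, String requiredScope, long nowEpochSeconds)
            throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new SecurityException("malformed token");
        Base64.Decoder b64 = Base64.getUrlDecoder();
        String header = new String(b64.decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the algorithm server-side; never let the token's own header pick it (alg=none, key confusion).
        if (!"HS256".equals(jsonString(header, "alg"))) throw new SecurityException("unexpected alg");
        byte[] expected = hmac(sharedSecret, parts[0] + "." + parts[1]);
        if (!MessageDigest.isEqual(expected, b64.decode(parts[2]))) throw new SecurityException("bad signature");
        String payload = new String(b64.decode(parts[1]), StandardCharsets.UTF_8);   // trusted only now
        String exp = jsonNumber(payload, "exp");
        if (exp == null || nowEpochSeconds >= Long.parseLong(exp)) throw new SecurityException("expired or no exp");
        if (!jsonStringArray(payload, "scope").contains(requiredScope))
            throw new SecurityException("missing scope " + requiredScope);
        return payload;
    }

    static byte[] hmac(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // Regex claim extraction keeps the example dependency-free; use a real JSON parser in a real service.
    private static String jsonString(String json, String key) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(key) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }
    private static String jsonNumber(String json, String key) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(key) + "\"\\s*:\\s*(\\d+)").matcher(json);
        return m.find() ? m.group(1) : null;
    }
    private static List<String> jsonStringArray(String json, String key) {
        List<String> out = new ArrayList<>();
        Matcher m = Pattern.compile("\"" + Pattern.quote(key) + "\"\\s*:\\s*\\[([^\\]]*)\\]").matcher(json);
        if (m.find()) {
            Matcher item = Pattern.compile("\"([^\"]*)\"").matcher(m.group(1));
            while (item.find()) out.add(item.group(1));
        }
        return out;
    }

    // Demo: mint a token with a constructed secret (stand-in for the UAA signing key) and run the checks.
    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret-not-a-real-key".getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String h = enc.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String p = enc.encodeToString("{\"sub\":\"alice\",\"scope\":[\"openid\",\"app.read\"],\"exp\":1700000000}".getBytes(StandardCharsets.UTF_8));
        String token = h + "." + p + "." + enc.encodeToString(hmac(secret, h + "." + p));
        long now = 1699999000L;   // constructed clock, shortly before exp
        System.out.println("accepted: " + verifyLocally(token, secret, "app.read", now));
        // Tampered payload (extra scope) reusing the original signature: must fail on the signature, not the scope.
        String forgedPayload = enc.encodeToString("{\"scope\":[\"uaa.admin\"],\"exp\":1700000000}".getBytes(StandardCharsets.UTF_8));
        String forged = h + "." + forgedPayload + "." + token.split("\\.")[2];
        String[][] rejects = {{token, "app.write", "" + now}, {token, "app.read", "1700000001"}, {forged, "uaa.admin", "" + now}};
        for (String[] c : rejects) {
            try { verifyLocally(c[0], secret, c[1], Long.parseLong(c[2])); throw new AssertionError("should have been rejected"); }
            catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Running main prints one accepted payload followed by three rejections (missing scope, expired, bad signature). checkTokenRemotely is the programmatic form of the curl command in the answer and is not exercised by main because it needs a live UAA; note that a non-200 from /check_token is the normal "token invalid" signal, so the caller should treat it as a rejection, not as an outage.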