
Creating Custom OpenId Provider for Oauth2 Spring Boot

I have used the Oauth2 framework for authorization and access control for protecting my Spring Boot microservice APIs. The Oauth2 framework is working fine, but now my client wants a dedicated OpenId Provider for authentication purposes on top of the Oauth2 framework. I have done some rounds of searching across Google but couldn't find many resources for implementing my own OpenId Provider for Oauth2. I have gone through many blogs and could understand that OpenId is basically used when we want to delegate the authentication from Oauth2. OpenId is created on top of Oauth2, but I couldn't find many resources for activating or implementing it.

Can anyone please help me on this?

My complete source code, which I have done using Oauth2 with Spring Framework, is as given below:

oauth2-spring

According to the "OAuth 2.0 Features Matrix" in spring-projects/spring-security, Spring Framework is not a good starting point for OpenID Connect. None of the new projects (Spring Security, Spring Cloud Security and Spring Boot OAuth2) supports Authorization Server. On the other hand, the old project (Spring Security OAuth) has architectural problems that prevent OpenID Connect support.

The website of OpenID Connect says "OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol." This sentence may give the impression that OpenID Connect can be implemented on top of an existing OAuth 2.0 implementation step by step. However, it's not true. One piece of evidence is spring-security-oauth Issue 619, where you see the project has given up supporting OpenID Connect. If interested, see "5. Response Type" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings" for further details.

There exist many implementations that support OpenID Connect. Why don't you check the list of certified implementations?

Update (November 14, 2019):

The Spring Security team has decided to no longer provide support for authorization servers. See their announcement for details.
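The "response type" point made in this answer, as an added illustration that is not code from the question, from any answer, or from the Spring projects: a small authorization-endpoint validator that models a plain OAuth 2.0 server beside an OpenID Provider. The function name, the rule set and the sample request are this illustration's own assumptions; only the protocol rules come from RFC 6749 and OpenID Connect Core 1.0 (with the Multiple Response Type Encoding Practices spec).

```python
# Added example; not code from the question, from any answer, or from the Spring projects.
# OAuth 2.0 (RFC 6749) defines only response_type=code and response_type=token.
# OpenID Connect (Core 1.0 plus Multiple Response Type Encoding Practices) adds id_token,
# space-separated multi-valued response types, the openid scope, and a nonce requirement
# whenever the authorization endpoint itself returns an ID Token. response_type is
# order-insensitive, so values are normalised to sorted tuples before lookup.
OAUTH2_RESPONSE_TYPES = {("code",), ("token",)}
OIDC_RESPONSE_TYPES = OAUTH2_RESPONSE_TYPES | {
    ("id_token",),
    ("id_token", "token"),
    ("code", "id_token"),
    ("code", "token"),
    ("code", "id_token", "token"),
    ("none",),
}


def validate_authorization_request(params, oidc_enabled):
    """Return the list of problems with an /authorize request; an empty list means accepted.

    params: dict of the request's query parameters.
    oidc_enabled: False models a plain OAuth 2.0 server, True an OpenID Provider.
    """
    problems = []
    raw = params.get("response_type", "")
    response_type = tuple(sorted(raw.split()))
    allowed = OIDC_RESPONSE_TYPES if oidc_enabled else OAUTH2_RESPONSE_TYPES
    if response_type not in allowed:
        # A request an OpenID Provider must accept is one a plain OAuth 2.0 server must reject.
        return [f"unsupported_response_type: {raw!r}"]
    scopes = set(params.get("scope", "").split())
    returns_id_token = "id_token" in response_type
    if returns_id_token and "openid" not in scopes:
        # An ID Token is only defined for OpenID requests, i.e. scope contains "openid".
        problems.append("invalid_scope: id_token requires the openid scope")
    if returns_id_token and not params.get("nonce"):
        # Implicit and hybrid flows issue the ID Token from the authorization endpoint;
        # OIDC Core makes nonce REQUIRED there and binds it into the token against replay.
        problems.append("invalid_request: nonce is required when an id_token is returned")
    return problems


# Constructed sample: an OpenID Connect hybrid-flow request (all values are made up).
SAMPLE_HYBRID_REQUEST = {
    "response_type": "code id_token",
    "scope": "openid profile",
    "client_id": "example-client",
    "redirect_uri": "https://client.example/cb",
    "nonce": "n-0S6_WzA2Mj",
}
```

The same hybrid request is accepted by the OpenID Provider model and rejected outright by the OAuth 2.0 model, which is the dispatch change that cannot be bolted on afterwards.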

I think it could be easier to start by first implementing the OAuth2 code flow. Then add the implicit flow, and finally the OpenID Connect part.

If you want to have a serious OpenID Provider, I would suggest not implementing it from scratch, as there are a lot of details to get right. Instead I would recommend using something like Hydra that can be integrated into an existing system.

Having created an OpenID Provider (SimpleLogin.io) from scratch, I can say that it takes almost forever to be 100% compliant with the protocol ...
