Spring Security 5 OAuth2 client password grant type

I have 2 applications:

  1. Spring Application 1 is the client and resource server.
  2. Spring Application 2 is the authorization server.

Users will be able to log in to Application 1 and access its resources. I want to implement the following flow:

The user enters his credentials in the login form -> Application 1 gets a token from Application 2 using the user credentials and its own clientId with the password grant type -> Application 1's resources are accessed with the token.

The question is whether Spring Security 5 supports the password grant type for the client. I found all the other grant types in the Spring Security 5 implementation, but not password.

Spring Security 5.1.x doesn't support it, see Spring Security Reference:

6.6 OAuth 2.0 Client

The OAuth 2.0 Client features provide support for the Client role as defined in the OAuth 2.0 Authorization Framework.

The following main features are available:

  • Authorization Code Grant
  • Client Credentials Grant
  • WebClient extension for Servlet Environments (for making protected resource requests)

HttpSecurity.oauth2Client() provides a number of configuration options for customizing OAuth 2.0 Client.

However, you could use Spring Security OAuth2, see OAuth 2 Developers Guide:

Accessing Protected Resources

As a general rule, a web application should not use password grants, so avoid using ResourceOwnerPasswordResourceDetails if you can in favour of AuthorizationCodeResourceDetails. If you desperately need password grants to work from a Java client, then use the same mechanism to configure your OAuth2RestTemplate and add the credentials to the AccessTokenRequest (which is a Map and is ephemeral) not the ResourceOwnerPasswordResourceDetails (which is shared between all access tokens).

Or you could update to Spring Security 5.2.x, see Spring Security Reference:

11.2 OAuth 2.0 Client

The OAuth 2.0 Client features provide support for the Client role as defined in the OAuth 2.0 Authorization Framework.

At a high level, the core features available are:

Authorization Grant support

  • Authorization Code
  • Refresh Token
  • Client Credentials
  • Resource Owner Password Credentials
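The Spring Security OAuth2 (spring-security-oauth2) workaround quoted in the answer, shown as an added example that is not part of the original answer or of the Spring project's documentation. It keeps the client registration (client id, secret, token endpoint) in the shared ResourceOwnerPasswordResourceDetails and puts the user's credentials only in a per-request AccessTokenRequest, which is what the quoted guide recommends. The token endpoint URL, client id and secret are placeholders, and the class and method names are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

public class PasswordGrantClient {  // hypothetical class name

    // Client registration shared by every token request: client id/secret and token endpoint.
    // The user's username/password are deliberately NOT set here, because this object is
    // shared between all access tokens; they go into the per-request AccessTokenRequest instead.
    private static ResourceOwnerPasswordResourceDetails resourceDetails() {
        ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails();
        details.setAccessTokenUri("https://auth.example.test/oauth/token"); // placeholder URL
        details.setClientId("app1");                                         // placeholder client id
        details.setClientSecret("app1-secret");                              // placeholder, load from config
        details.setScope(Collections.singletonList("read"));
        return details;
    }

    /**
     * Obtain a token for one user. ResourceOwnerPasswordAccessTokenProvider copies every
     * entry of the AccessTokenRequest into the token request form, so "username" and
     * "password" set here override the (empty) values on the shared resource details.
     */
    public static OAuth2AccessToken obtainToken(String username, char[] password) {
        AccessTokenRequest tokenRequest = new DefaultAccessTokenRequest();
        tokenRequest.set("username", username);
        tokenRequest.set("password", new String(password));

        // A fresh client context per call, so the ephemeral request is not reused.
        OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(
                resourceDetails(), new DefaultOAuth2ClientContext(tokenRequest));
        try {
            return restTemplate.getAccessToken();
        } finally {
            // Drop the plaintext password as soon as the token request is done.
            tokenRequest.remove("password");
            Arrays.fill(password, '\0');
        }
    }
}
```

One gotcha worth knowing: the default AccessTokenProviderChain refuses to obtain a non-client-only token when the current SecurityContext holds an AnonymousAuthenticationToken, so call this from a point in the login flow where the context is empty (or set a minimal Authentication first) rather than after the anonymous filter has run.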
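The Spring Security 5.2.x native support mentioned last in the answer, shown as an added example that is not part of the original answer or of the Spring Security project's own code. It wires an OAuth2AuthorizedClientManager with the password provider, maps the username and password from the login form POST into per-request context attributes, and obtains the token in a login handler. The registration id "app2", the class and method names, and the placement of the call in a login handler are assumptions; the principal passed in may be an anonymous Authentication since the user is not yet logged in to Application 1.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.StringUtils;

// Assumes a client registration in application.yml such as (placeholder values):
//   spring.security.oauth2.client.registration.app2.client-id: app1
//   spring.security.oauth2.client.registration.app2.client-secret: app1-secret
//   spring.security.oauth2.client.registration.app2.authorization-grant-type: password
//   spring.security.oauth2.client.provider.app2.token-uri: https://auth.example.test/oauth/token
@Configuration
public class PasswordGrantClientConfig {  // hypothetical class name

    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository clientRegistrations,
            OAuth2AuthorizedClientRepository authorizedClients) {

        // Enable the password grant, plus refresh_token so the user's password is sent only once.
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .password()
                .refreshToken()
                .build();

        DefaultOAuth2AuthorizedClientManager manager =
                new DefaultOAuth2AuthorizedClientManager(clientRegistrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);
        // The password provider reads the user's credentials from the authorization context
        // attributes; this mapper fills them from the current HttpServletRequest (login form POST).
        manager.setContextAttributesMapper(contextAttributesMapper());
        return manager;
    }

    private static Function<OAuth2AuthorizeRequest, Map<String, Object>> contextAttributesMapper() {
        return authorizeRequest -> {
            HttpServletRequest servletRequest =
                    authorizeRequest.getAttribute(HttpServletRequest.class.getName());
            String username = servletRequest.getParameter(OAuth2ParameterNames.USERNAME);
            String password = servletRequest.getParameter(OAuth2ParameterNames.PASSWORD);
            if (!StringUtils.hasText(username) || !StringUtils.hasText(password)) {
                // No credentials in this request: the provider will not attempt the password grant.
                return Collections.emptyMap();
            }
            Map<String, Object> attributes = new HashMap<>();
            attributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
            attributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
            return attributes;
        };
    }

    /** Called from Application 1's login handler (hypothetical method). */
    public static OAuth2AccessToken tokenForLogin(OAuth2AuthorizedClientManager manager,
                                                  Authentication principal,
                                                  HttpServletRequest request,
                                                  HttpServletResponse response) {
        OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest
                .withClientRegistrationId("app2")   // placeholder registration id
                .principal(principal)
                .attribute(HttpServletRequest.class.getName(), request)
                .attribute(HttpServletResponse.class.getName(), response)
                .build();
        OAuth2AuthorizedClient client = manager.authorize(authorizeRequest);
        if (client == null) {
            throw new IllegalStateException("no token obtained: missing credentials or registration");
        }
        return client.getAccessToken();
    }
}
```

The manager saves the resulting OAuth2AuthorizedClient in the OAuth2AuthorizedClientRepository, so later calls for the same principal reuse the stored token (and refresh it via the refresh_token provider) instead of sending the user's password again.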
