Spring Security 5 OAuth2 client password grant type
I have 2 applications:
User will be able to log in to Application 1 and access its resources. And I want to implement the following flow:
User enters his credentials in the login form -> Application 1 gets a token from Application 2 using the user credentials and its clientId with password grant type -> Access resources of Application 1 with the token.
The question is whether Spring Security 5 supports the password grant type for a client? I found all the other grant types, but not password, in the Spring Security 5 implementation.
Spring Security 5.1.x doesn't support it, see Spring Security Reference:
6.6 OAuth 2.0 Client
The OAuth 2.0 Client features provide support for the Client role as defined in the OAuth 2.0 Authorization Framework.
The following main features are available:
- Authorization Code Grant
- Client Credentials Grant
- WebClient extension for Servlet Environments (for making protected resource requests)
HttpSecurity.oauth2Client() provides a number of configuration options for customizing OAuth 2.0 Client.
However, you could use Spring Security OAuth2, see OAuth 2 Developers Guide:
Accessing Protected Resources
As a general rule, a web application should not use password grants, so avoid using ResourceOwnerPasswordResourceDetails if you can in favour of AuthorizationCodeResourceDetails. If you desperately need password grants to work from a Java client, then use the same mechanism to configure your OAuth2RestTemplate and add the credentials to the AccessTokenRequest (which is a Map and is ephemeral) not the ResourceOwnerPasswordResourceDetails (which is shared between all access tokens).
Or you could update to Spring Security 5.2.x, see Spring Security Reference:
11.2 OAuth 2.0 Client
The OAuth 2.0 Client features provide support for the Client role as defined in the OAuth 2.0 Authorization Framework.
At a high-level, the core features available are:
Authorization Grant support
- Authorization Code
- Refresh Token
- Client Credentials
- Resource Owner Password Credentials
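Added example (not part of the answer above and not code from the Spring project): how Application 1 would obtain a token from Application 2 with the Resource Owner Password Credentials grant on Spring Security 5.2.x, following the same rule the answer quotes for OAuth2RestTemplate, namely that the user's credentials are passed per request and never stored in the shared client configuration. The registration id "app2", the token URI, the client id and the scope are placeholders, and the ClientRegistrationRepository and OAuth2AuthorizedClientRepository beans are assumed to be provided by Spring Boot from the properties shown in the comment.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.stereotype.Service;
import org.springframework.util.StringUtils;

/*
 * Assumed application.yml for Application 1 (all values are placeholders):
 *
 * spring:
 *   security:
 *     oauth2:
 *       client:
 *         registration:
 *           app2:
 *             client-id: application-1
 *             client-secret: ${APP2_CLIENT_SECRET}   # injected from the environment, not committed
 *             authorization-grant-type: password
 *             scope: read
 *         provider:
 *           app2:
 *             token-uri: https://app2.example.invalid/oauth/token
 */
@Configuration
public class PasswordGrantClientConfig {

    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientRepository authorizedClientRepository) {

        // password() enables the Resource Owner Password Credentials grant listed in 11.2;
        // refreshToken() lets the manager renew an expired token without sending the password again.
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .password()
                .refreshToken()
                .build();

        DefaultOAuth2AuthorizedClientManager manager = new DefaultOAuth2AuthorizedClientManager(
                clientRegistrationRepository, authorizedClientRepository);
        manager.setAuthorizedClientProvider(provider);

        // The user's credentials reach the provider only through the per-request authorization
        // context; the shared ClientRegistration holds nothing but Application 1's own client id/secret.
        manager.setContextAttributesMapper(authorizeRequest -> {
            Map<String, Object> attrs = new HashMap<>();
            String username = authorizeRequest.getAttribute(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME);
            String password = authorizeRequest.getAttribute(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME);
            if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
                attrs.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
                attrs.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
            }
            return attrs;
        });
        return manager;
    }
}

// Hypothetical service invoked by Application 1's login handler. It must run on the request
// thread: DefaultOAuth2AuthorizedClientManager resolves the HttpServletRequest/Response from
// RequestContextHolder to store the resulting OAuth2AuthorizedClient.
@Service
class App2TokenService {

    private final OAuth2AuthorizedClientManager manager;

    App2TokenService(OAuth2AuthorizedClientManager manager) {
        this.manager = manager;
    }

    // Exchanges the credentials entered in the login form for an access token issued by Application 2.
    String accessTokenFor(String username, String password) {
        OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest.withClientRegistrationId("app2") // placeholder id
                .principal(username)
                .attributes(attrs -> {
                    attrs.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
                    attrs.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
                })
                .build();

        OAuth2AuthorizedClient client = manager.authorize(request);
        if (client == null) {
            // The provider returns null when it cannot authorize (e.g. grant type not applicable).
            throw new IllegalStateException("Application 2 did not issue a token for " + username);
        }
        return client.getAccessToken().getTokenValue();
    }
}
```

Because the mapper only copies what the login handler puts into the OAuth2AuthorizeRequest attributes, the password exists for the duration of that one authorize() call; subsequent calls for the same principal reuse the stored OAuth2AuthorizedClient and, once the token expires, the refresh token, so the user's password is transmitted to Application 2 exactly once per login.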