IBM App ID - 无法在 OAuth 2.0 授权代码流中获取访问令牌中的自定义范围
[英]IBM App ID - Cannot get custom scopes in access token in OAuth 2.0 Authorization Code Flow
问题描述
I am using App ID as an Identity Provider and Authorization Server to protect some back-end spring-boot applications.
我使用 App ID 作为身份提供者和授权服务器来保护一些后端 spring-boot 应用程序。 I have managed to set up the whole OAuth 2.0 Authorization Code flow to work but cannot manage to include custom scopes into the access token.我已经成功地设置了整个 OAuth 2.0 授权代码流,但无法将自定义范围包含到访问令牌中。 The only scopes that appear in the access token are the App ID default ones: "openid appid_default appid_readuserattr appid_readprofile appid_writeuserattr appid_authenticated"访问令牌中出现的唯一范围是 App ID 默认范围:“openid appid_default appid_readuserattr appid_readprofile appid_writeuserattr appid_authenticated”
I have configured an appropriate role with the desired custom scopes and associated this role to the user profile.我已使用所需的自定义范围配置了适当的角色,并将此角色关联到用户配置文件。 Furthermore I have associated these custom scopes to the client application.此外,我已将这些自定义范围与客户端应用程序相关联。 Everything seems fine in the App ID dashboard. App ID 仪表板中的一切似乎都很好。 However when I call the token endpoint either programmatically or via curl I always get the same default scopes in the access token.但是,当我以编程方式或通过 curl 调用令牌端点时,我总是在访问令牌中获得相同的默认范围。
Reading the Swagger , I should be able to specify the scopes for the password flow and bearer token but I am in an OAuth 2.0 Authorization Code flow.阅读Swagger ,我应该能够指定密码流和不记名令牌的范围,但我处于 OAuth 2.0 授权代码流中。 Furthermore, even with password credentials flow, I do not manage to get these custom scopes although I specify them in the request.此外,即使使用密码凭据流,我也无法获得这些自定义范围,尽管我在请求中指定了它们。
Has anyone encountered these problems?有没有人遇到过这些问题? Any help would be much appreciated.任何帮助将非常感激。
Many Thanks, Chris非常感谢,克里斯
3 个解决方案
解决方案1
1 2020-02-03 23:16:39
In order to see the application configured scopes in the token, you need to authenticate with the application that you configured scopes to and with the user you assigned the role to.为了在令牌中查看应用程序配置的作用域,您需要向您配置作用域的应用程序以及向其分配角色的用户进行身份验证。
Meaning you should use username : client ID and password : secret of the application in the request authorization header, and authenticate with the user you assigned the matching role (which contains the scopes wanted).这意味着您应该在请求授权标头中使用username : client ID和password : secret应用程序的password : secret ,并与您分配匹配角色(包含所需范围)的用户进行身份验证。
The steps to add access control to your application:向应用程序添加访问控制的步骤:
- Go to Applications and define the application that you want to protect by adding scopes.转到应用程序并通过添加范围来定义要保护的应用程序。
- Create your roles by going to Roles and profiles > Roles > Create role.通过转到角色和配置文件 > 角色 > 创建角色来创建您的角色。
- Assign the roles to specific users by going to Roles and profiles > User profiles.通过转至角色和配置文件 > 用户配置文件,将角色分配给特定用户。 Then, choose the user that you want to assign the role to and click the More options menu > Assign role.然后,选择要为其分配角色的用户,然后单击更多选项菜单 > 分配角色。
For more information see AppID Access control docs: https://cloud.ibm.com/docs/services/appid?topic=appid-access-control有关更多信息,请参阅 AppID 访问控制文档: https ://cloud.ibm.com/docs/services/appid ?topic= appid-access-control
解决方案2
0 2020-02-03 14:52:24
I have an App ID instance in us-south, and scopes are working fine for me with default Cloud Directory.我在 us-south 中有一个 App ID 实例,并且使用默认 Cloud Directory 时范围对我来说工作正常。
- create a new application (define your scopes)创建一个新应用程序(定义您的范围)
- create a role and associate your application scope创建角色并关联您的应用程序范围
- assign the role to a user将角色分配给用户
- call
/tokenendpoint呼叫/token端点
解决方案3
0 2021-11-24 18:57:05
It happened to me before, I found that one way to solve it would be to inject the roles into the token claim and then instruct Spring Security to extract them.之前发生在我身上,我发现解决它的一种方法是将角色注入令牌声明中,然后指示 Spring Security 提取它们。 I wrote about it here in detail . 我在这里详细地写了它。 The documentation explains the first part, but the gist is this cURL snippet : 文档解释了第一部分,但要点是这个 cURL 片段:
curl -X PUT "https://$REGION.appid.cloud.ibm.com/management/v4/$TENANT_ID/config/tokens" -H 'Content-Type: application/json' -H "Authorization: Bearer $IAM_TOKEN" -d '{
"access": {
"expires_in": 3600
},
"refresh": {
"enabled": true,
"expires_in": 2592001
},
"anonymousAccess": {
"enabled": false
},
"accessTokenClaims": [
{
"source": "roles"
}
],
"idTokenClaims": [
{
"source": "saml",
"sourceClaim": "attributes.uid"
}
]
}'
You can also do it in the Swagger UI .您也可以在Swagger UI 中执行此操作。 Note however that this is a PUT request, so it's going to overwrite any configuration you had beforehand.但是请注意,这是一个 PUT 请求,因此它将覆盖您之前的任何配置。 Ideally, run a GET request to get the current configuration, then add the claims into it to avoid issues.理想情况下,运行 GET 请求以获取当前配置,然后将声明添加到其中以避免出现问题。
Then, in the SecurityConfiguration, add this JWT converter :然后,在 SecurityConfiguration 中,添加此 JWT 转换器:
protected void configure(HttpSecurity http) throws Exception {
http
//...
.oauth2ResourceServer()
.jwt()
.jwtAuthenticationConverter(jwtAuthenticationConverter());
}
Converter jwtAuthenticationConverter() {
JwtGrantedAuthoritiesConverter converter = new JwtGrantedAuthoritiesConverter();
converter.setAuthoritiesClaimName("authorities");
converter.setAuthorityPrefix(""); //so that the role has the same name as the one that comes from App ID
JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(converter);
return jwtAuthenticationConverter;
}
Now that Spring Security recognizes the roles, you can protect endpoints with annotations or with an antMatcher configuration :现在 Spring Security 识别了角色,您可以使用注释或 antMatcher 配置保护端点:
.antMatchers("/api/admin").hasRole("ADMIN")
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.