授权后获取用户角色
[英]Get user role after authorization
问题描述
I want to implement Spring Boot Project with Angular 9 based on OAuth2 for security.
为了安全起见,我想使用基于 OAuth2 的 Angular 9 实现 Spring 引导项目。 The problem which is not clear for me is what is the best way to get the user role after user authentication.我不清楚的问题是在用户身份验证后获取用户角色的最佳方式是什么。 I found 2 ways:我找到了两种方法:
Add properly after user is authenticated using OAuth2 into the response payload:
在使用 OAuth2 对用户进行身份验证后正确添加到响应负载中:{ "access_token": "wdwdw", "token_type": "bearer", "refresh_token": "wdwdwdwd", "expires_in": 4, "scope": "read", "role": [ "ROLE_ADMIN" ], "jti": "wfwfe" }The second way is to use a second API call to
oauth/check_tokenin order to get the role:第二种方法是使用第二个 API 调用oauth/check_token以获得角色:
$ curl localhost:8080/oauth/check_token/?token=fc9e4ad4-d6e8-4f57-b67e-c0285dcdeb58 $ curl 本地主机:8080/oauth/check_token/?token=fc9e4ad4-d6e8-4f57-b67e-c0285dcdeb58
{
"scope": [
"read",
"write"
],
"active": true,
"exp": 1544940147,
"authorities": [
"ROLE_USER"
],
"client_id": "ger-client-id"
}
I'm interested which of both ways is better in terms of security and best practices.我很感兴趣这两种方式中哪一种在安全性和最佳实践方面更好。
2 个解决方案
解决方案1
1 已采纳 2020-07-22 23:53:44
I'll go for the first way in case you me need to control the routing and modules loading based on user authorities so you don't need to fire a new request for just find authorities.我将 go 作为第一种方式,以防您需要根据用户权限控制路由和模块加载,因此您无需为查找权限而发起新请求。
解决方案2
0 2020-08-01 18:13:15
I'll prefer the first way whatever the security credentials will pass as object properties and you can use it.无论安全凭证将作为 object 属性传递,我都会更喜欢第一种方式,您可以使用它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.