堆栈内存溢出
  简体   繁体   English

在自定义端点上按需使用 SpringSecurity 的 OAuth2 功能

[英]Use SpringSecurity's OAuth2 functionality on demand on custom endpoint

 原文  2020-12-08 18:13:30       java/ spring-boot/ spring-security/ oauth-2.0

问题描述

We have a Spring Boot web app which uses JWT based authentication/authorisation.我们有一个Spring Boot web 应用程序,它使用基于 JWT 的身份验证/授权。 Now, we want to add OAuth2 support so that users can login using their Google account.现在,我们要添加 OAuth2 支持,以便用户可以使用他们的 Google 帐户登录。 That would be easy to do using Spring Security .使用Spring Security很容易做到这一点。

However, the requirement is a bit different.但是,要求有点不同。

If the user wants to use the Google login functionality, he first needs to link their Google account.如果用户想使用谷歌登录功能,他首先需要链接他们的谷歌账户。 Basically login into our application using his/her credentials, and on their profile page link their Google account.基本上使用他/她的凭据登录我们的应用程序,并在他们的个人资料页面上链接他们的 Google 帐户。

The flow would be something like the following:流程将类似于以下内容:

  1. Click the “ Link Google account ” button on user's profile which redirects them to Google单击用户个人资料上的“链接 Google 帐户”按钮,将他们重定向到 Google
  2. In Google choose the account you want在 Google 中选择您想要的帐户
  3. Google returns with a code.谷歌返回一个代码。 After that, make a request to our backend, on an authenticated endpoint eg POST /users/{userId}/accounts which will receive the token returned by Google之后,在经过身份验证的端点上向我们的后端发出请求,例如POST /users/{userId}/accounts将接收 Google 返回的令牌
  4. In the backend, verify this token by making a request to Google在后端,通过向 Google 发出请求来验证此令牌
  5. If all is good, link user's account with Google by updating the db accordingly如果一切正常,请通过相应更新数据库将用户帐户与 Google 关联

My question is, for step 4 , what is the best practice for that?我的问题是,对于第 4 步,最佳做法是什么? How can I use all the stuff that Spring Security is offering to achieve this?我如何使用Spring Security提供的所有东西来实现这一目标?

Thank you in advance,先感谢您,

1 个解决方案

解决方案1
 1  2020-12-16 14:39:32

You have the authorization code and you exchange for access token all over https and all in backend.您拥有授权码,并在 https 和后端交换访问令牌。

There is no need to validate access token ( I don't think spring security even does this part for integration with google ) at your end.无需在您的最后验证访问令牌(我认为 spring 安全性甚至不会为与 google 集成做这部分)。

This should be done by google when you request its resource.当您请求其资源时,这应该由谷歌完成。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在Spring Oauth2令牌端点上设置自定义AuthenticationDetailsS​​ource - Setting a custom AuthenticationDetailsSource on the Spring Oauth2 Token Endpoint 当我向授权服务器添加自定义 jwt 详细信息时,OAuth2 资源服务器如何使用端点访问公钥? - How can OAuth2 resource server use endpoint to access public key when I add custom jwt details to the authorization server? SpringSecurity 自定义登录功能不适用于 SpringBoot 和 REST api - SpringSecurity custom login functionality doesn't work with SpringBoot and REST api 我是否需要 spring 引导 oauth2 授权服务器来生成自定义 JWT 和 JWKS 端点? - Does I need a spring boot oauth2 authorization server to generate a custom JWT and a JWKS endpoint? 有没有办法在 Spring Boot 中将 api 密钥用于某些端点并将 oauth2 用于其他端点? - Is there a way to use api key for some end point and use oauth2 for other endpoint in Spring Boot? Spring Boot Oauth2 注销端点 - Spring Boot Oauth2 logout endpoint 如何将Slack的OAuth2与Java桌面应用程序一起使用 - How to use Slack's OAuth2 with a Java desktop application 在 SpringSecurity 5.4.5 中使用 @PreAuthorize("#oauth2.hasScope('internal')") - Use @PreAuthorize("#oauth2.hasScope('internal')") with SpringSecurity 5.4.5 从Java访问Spring OAuth2授权服务器端点的问题 - Problem with access to Spring OAuth2 authorization server endpoint from java Spring Boot OAuth2 无法从 HTTPS 端点获取元数据 - Spring Boot OAuth2 failed to fetch metadata from HTTPS endpoint
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM