Get access token using Spring Security with a specific use-case

Is this use-case supported for Spring Security 5, or something else, where we don't have to reinvent the wheel? Thoughts on how to (re)implement this better?

Details are as follows. 3rd party vendor supplied endpoints. We pull info from upstream source then forward to the downstream vendor. Only 2 APIs are required:

  1. Request Access Token
  2. Save Info

Both are actually being called via a gateway. We've been given specifics:

(A) The token request requires Basic Auth (standard header - usual base64 encoded). Gateway User and Gateway Password are provided.

Credentials for request token are provided to us:

  • Grant Type = password
  • Consumer Id
  • Consumer Secret
  • Account User
  • Account Password

It responds with an access token and a few other details we don't really care about and of zero value to our use-case.

There is no expires_in info in the response. But I've tested it multiple times to know it does expire. Not sure how long right now, I could do more tests to determine that.

(B) The save request requires a different custom header for the same Gateway User / Password, then a Bearer Authorization header in the call to the Save Info API.

Right now, all implementations for above are using RestTemplate. Working fine already. But a token is requested for each save, which is costly. Before writing any caching, or some other logic to wait XY minutes before another token request is made, I would appreciate any other options which may already be possibly handled via Spring-specific libraries or further advice on how to handle this scenario.

Apologies if this is not the right place to ask this, or it has already been asked before. Been searching for a similar use-case but can't seem to find one.

Thanks.

  • Try any one of the options
  1. You can use OAuth2ClientContext, which stores your access token.

     final OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resourceDetails, clientContext);
  2. You can create a session and store your token and user details inside it.

     UsernamePasswordAuthenticationToken authToken = new UsernamePasswordAuthenticationToken(user, null, null);

     SecurityContextHolder.getContext().setAuthentication(authToken);

  • From option 1 or option 2 you can then fetch the existing token for each request in your filter, e.g. PRE_AUTH_FILTER
  • Then check if the token has expired - if yes, request a new token or call refresh token

Check OAuth2 expires_in below: https://tools.ietf.org/html/rfc6749
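
One way to do the caching the question asks about when the token response carries no `expires_in`, as an added example (not code from the post or from Spring): keep the token for an assumed maximum age and, if the save call is rejected, refresh and retry once. `CachedTokenProvider`, `TokenRejectedException`, the ten-minute bound and the `tok-N` values are hypothetical; the fetcher would wrap the existing RestTemplate token request.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;
import java.util.function.Supplier;

/** Caches a bearer token when the token response has no expires_in (added example). */
public class CachedTokenProvider {
    /** Hypothetical: the caller maps an HTTP 401 from the save call to this exception. */
    public static class TokenRejectedException extends RuntimeException {}

    private final Supplier<String> fetcher; // wraps the existing token request
    private final Duration maxAge;          // assumed lifetime bound found by testing
    private String token;                   // kept in memory only, never logged
    private Instant fetchedAt;

    public CachedTokenProvider(Supplier<String> fetcher, Duration maxAge) {
        this.fetcher = fetcher; this.maxAge = maxAge;
    }

    /** Returns the cached token; fetches when absent or older than maxAge. */
    public synchronized String current() {
        if (token == null || Instant.now().isAfter(fetchedAt.plus(maxAge))) {
            token = fetcher.get();
            fetchedAt = Instant.now();
        }
        return token;
    }

    /** Runs the call with a token; on rejection refreshes and retries exactly once. */
    public <T> T withToken(Function<String, T> call) {
        String t = current();
        try {
            return call.apply(t);
        } catch (TokenRejectedException e) {
            synchronized (this) { if (t.equals(token)) token = null; } // skip if already refreshed
            return call.apply(current());
        }
    }

    public static void main(String[] args) {
        AtomicInteger fetches = new AtomicInteger();
        // Constructed stand-ins: "tok-1" is treated as expired by the fake save call.
        CachedTokenProvider p = new CachedTokenProvider(() -> "tok-" + fetches.incrementAndGet(), Duration.ofMinutes(10));
        Function<String, String> save = tok -> {
            if (tok.equals("tok-1")) throw new TokenRejectedException();
            return "saved";
        };
        System.out.println(p.withToken(save) + " " + p.withToken(save) + " fetches=" + fetches.get());
    }
}
```

The synchronized fetch also keeps concurrent saves from each requesting their own token when the cached one expires.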
