
Spring security OAuth2 token introspection

I am trying to use Spring Security to validate an OAuth2 token by introspection. Actually, my application doesn't try to hit the OAuth server for introspection and returns 403 when I call my controller.

My conf:

spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=https://example.net/introspection
spring.security.oauth2.resourceserver.opaquetoken.client-id=clientId
spring.security.oauth2.resourceserver.opaquetoken.client-secret=clientSecret

Websecurity:

@EnableWebSecurity
public class WebServerConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.oauth2ResourceServer().opaqueToken();
    }
}

My Controller:

@RestController
public class Controller {

    @PostMapping(value = "/foo", consumes = MediaType.APPLICATION_JSON_VALUE)
    @ResponseStatus(HttpStatus.CREATED)
    public void uploadMedia(BearerTokenAuthentication bearerTokenAuthentication,
                        @RequestHeader(value = "Authorization") String bearerToken){

        System.out.println(bearerTokenAuthentication.getToken().getTokenValue());
    }
}

How do I use Spring Security to validate an OAuth token by introspection?

Mathieu

Try adding the dependency below:

<dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
    <version>2.1.8.RELEASE</version>
</dependency>

And in the application properties, you can specify:

security.oauth2.resource.token-info-uri=http://localhost:8080/oauth/check_token

Now the core class method, RemoteTokenServices.loadAuthentication, will be used to call the authorization server. You can put it in debug.

security.oauth2.client.client-id=client1
security.oauth2.client.client-secret=secret1
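
An added example, not part of the question or the answer: a plain-JDK probe (Java 11+) that sends the RFC 7662 introspection request a resource server makes to its introspection URI, so the endpoint and client credentials can be checked separately from the Spring configuration. It assumes the server accepts HTTP Basic client authentication; the class name, stub server, secrets and token values are constructed for illustration.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Base64;

public class IntrospectionProbe {
    static String basic(String id, String secret) {
        return "Basic " + Base64.getEncoder().encodeToString((id + ":" + secret).getBytes(UTF_8));
    }
    // RFC 7662 request: POST, client authenticated with HTTP Basic, form field "token".
    static HttpResponse<String> introspect(String uri, String id, String secret, String token) throws Exception {
        HttpRequest request = HttpRequest.newBuilder(URI.create(uri))
                .header("Authorization", basic(id, secret))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .header("Accept", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString("token=" + URLEncoder.encode(token, UTF_8)))
                .build();
        return HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        // Constructed stub standing in for the authorization server so the example runs offline.
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/introspection", exchange -> {
            String form = new String(exchange.getRequestBody().readAllBytes(), UTF_8);
            boolean clientOk = basic("clientId", "clientSecret").equals(exchange.getRequestHeaders().getFirst("Authorization"));
            byte[] body = (form.equals("token=good-token") ? "{\"active\":true,\"scope\":\"read\"}" : "{\"active\":false}").getBytes(UTF_8);
            exchange.getResponseHeaders().add("Content-Type", "application/json");
            // Bad client credentials get 401 with no body; unknown tokens get 200 with active=false.
            exchange.sendResponseHeaders(clientOk ? 200 : 401, clientOk ? body.length : -1);
            if (clientOk) exchange.getResponseBody().write(body);
            exchange.close();
        });
        stub.start();
        String uri = "http://127.0.0.1:" + stub.getAddress().getPort() + "/introspection";
        String[][] cases = {{"clientSecret", "good-token"}, {"clientSecret", "revoked-token"}, {"wrongSecret", "good-token"}};
        try {
            for (String[] c : cases) {
                HttpResponse<String> r = introspect(uri, "clientId", c[0], c[1]);
                System.out.println("secret=" + c[0] + " token=" + c[1] + " -> HTTP " + r.statusCode() + " " + r.body());
            }
        } finally {
            stub.stop(0);
        }
    }
}
```

Calling `introspect` with the real introspection URI, client id and client secret shows whether the authorization server itself answers with `"active": true` for a given token.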
