[英]Spring Boot + Oauth2 client credentials
我试图在 Spring Boot 上使用带有客户端凭证流的 Oath2 来保护我的微服务。
顺便说一句,这些微服务只会通过中间件层相互交谈,我的意思是不需要用户凭据来允许授权(用户登录过程如 Facebook)。
我在 Inte.net 上寻找示例,展示如何创建授权和资源服务器来管理此通信。 但是,我只是找到了解释如何使用用户凭据(三条腿)进行操作的示例。
有没有人有任何示例如何在 Spring Boot 和 Oauth2 中执行此操作? 如果可以提供有关所用范围的更多详细信息,令牌交换将不胜感激。
我们使用Oauth2客户端凭证方案保护REST服务。 资源和授权服务在同一个应用程序中运行,但可以拆分为不同的应用程序。
@Configuration
public class SecurityConfig {
@Configuration
@EnableResourceServer
protected static class ResourceServer extends ResourceServerConfigurerAdapter {
// Identifies this resource server. Usefull if the AuthorisationServer authorises multiple Resource servers
private static final String RESOURCE_ID = "*****";
@Resource(name = "OAuth")
@Autowired
DataSource dataSource;
@Override
public void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests().anyRequest().authenticated();
// @formatter:on
}
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId(RESOURCE_ID);
resources.tokenStore(tokenStore());
}
@Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource);
}
}
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Resource(name = "OAuth")
@Autowired
DataSource dataSource;
@Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore());
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.jdbc(dataSource);
}
}
}
Oauth2表的数据源配置:
@Bean(name = "OAuth")
@ConfigurationProperties(prefix="datasource.oauth")
public DataSource secondaryDataSource() {
return DataSourceBuilder.create().build();
}
与身份验证和资源服务器通信如下
curl -H "Accept: application/json" user:password@localhost:8080/oauth/token -d grant_type=client_credentials
curl -H "Authorization: Bearer token" localhost:8080/...
Oauth2数据库中包含以下记录:
client_id resource_ids client_secret scope authorized_grant_types web_server_redirect_uri authorities access_token_validity refresh_token_validity additional_information autoapprove
user **** password NULL client_credentials NULL X NULL NULL NULL NULL
在客户端应用程序中重新配置配置
@Configuration
@EnableOAuth2Client
public class OAuthConfig {
@Value("${OAuth2ClientId}")
private String oAuth2ClientId;
@Value("${OAuth2ClientSecret}")
private String oAuth2ClientSecret;
@Value("${Oauth2AccesTokenUri}")
private String accessTokenUri;
@Bean
public RestTemplate oAuthRestTemplate() {
ClientCredentialsResourceDetails resourceDetails = new ClientCredentialsResourceDetails();
resourceDetails.setId("1");
resourceDetails.setClientId(oAuth2ClientId);
resourceDetails.setClientSecret(oAuth2ClientSecret);
resourceDetails.setAccessTokenUri(accessTokenUri);
/*
When using @EnableOAuth2Client spring creates a OAuth2ClientContext for us:
"The OAuth2ClientContext is placed (for you) in session scope to keep the state for different users separate.
Without that you would have to manage the equivalent data structure yourself on the server,
mapping incoming requests to users, and associating each user with a separate instance of the OAuth2ClientContext."
(http://projects.spring.io/spring-security-oauth/docs/oauth2.html#client-configuration)
Internally the SessionScope works with a threadlocal to store variables, hence a new thread cannot access those.
Therefore we can not use @Async
Solution: create a new OAuth2ClientContext that has no scope.
*Note: this is only safe when using client_credentials as OAuth grant type!
*/
// OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resourceDetails, oauth2ClientContext);
OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resourceDetails, new DefaultOAuth2ClientContext());
return restTemplate;
}
}
您可以注入restTemplate以与Oauth2安全服务进行通信(异步)。 我们目前不使用范围。
更新 Spring-boot-2.7 和 Java 17。
https://chuangtc.com/Java/spring-boot-27-security-social-login.php
public class SecurityConfig {
@Value("${spring.social.facebook.appSecret}")
String appSecret;
@Value("${spring.social.facebook.appId}")
String appId;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private FacebookConnectionSignup facebookConnectionSignup;
@Bean
public AuthenticationManager authManager(HttpSecurity http) throws Exception {
return http.getSharedObject(AuthenticationManagerBuilder.class)
.userDetailsService(userDetailsService)
.and()
.build();
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.csrf()
.disable()
.authorizeRequests()
.antMatchers("/login*", "/signin/**", "/signup/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout();
return http.build();
}
@Bean
// @Primary
public ProviderSignInController providerSignInController() {
ConnectionFactoryLocator connectionFactoryLocator = connectionFactoryLocator();
UsersConnectionRepository usersConnectionRepository = getUsersConnectionRepository(connectionFactoryLocator);
((InMemoryUsersConnectionRepository) usersConnectionRepository).setConnectionSignUp(facebookConnectionSignup);
return new ProviderSignInController(connectionFactoryLocator, usersConnectionRepository, new FacebookSignInAdapter());
}
private ConnectionFactoryLocator connectionFactoryLocator() {
ConnectionFactoryRegistry registry = new ConnectionFactoryRegistry();
registry.addConnectionFactory(new FacebookConnectionFactory(appId, appSecret));
return registry;
}
private UsersConnectionRepository getUsersConnectionRepository(ConnectionFactoryLocator connectionFactoryLocator) {
return new InMemoryUsersConnectionRepository(connectionFactoryLocator);
}
}
Facebook登录适配器
@Service
public class FacebookSignInAdapter implements SignInAdapter {
@Override
public String signIn(String localUserId, Connection<?> connection, NativeWebRequest request) {
System.out.println(" ====== Sign In adapter");
SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(connection.getDisplayName(), null, Arrays.asList(new SimpleGrantedAuthority("FACEBOOK_USER"))));
return null;
}
}
OAuth2客户端凭据通过Spring Boot Keycloak集成进行流动
[英]OAuth2 client credentials flow via Spring Boot Keycloak integration
Spring Boot 2和OAuth2客户端凭证不受支持的授予类型
[英]Spring Boot 2 and OAuth2 client-credentials unsupported grant type
Spring Boot 2 Spring-Security 5 OAuth2 支持 client_credentials grant_type
[英]Spring Boot 2 Spring-Security 5 OAuth2 support for client_credentials grant_type
Oauth2客户端凭证流+ Spring Boot2引发对于id“ null”错误,没有映射PasswordPasscoder>
[英]Oauth2 Client Credentials Flow + Spring Boot2 throwing There is no PasswordEncoder mapped > for the for the id “null” error
为什么 Spring Boot WebClient OAuth2 (client_credentials) 要求为每个请求提供一个新令牌?
[英]Why Spring Boot WebClient OAuth2 (client_credentials) asks for a new token for each request?
如何在 Spring Boot Oauth2 授权服务器中 grant_type=client_credentials 时抛出错误凭据的任何异常
[英]How to throw any Exceptions for wrong credentials when grant_type=client_credentials in Spring Boot Oauth2 Authorization Server
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.