[英]Spring Security 5.3.2 OAuth 2, Resource Owner Password Credentials Flow - How to add additional HEADER parameters to authorization server uri
我正在尝试从具有资源所有者密码凭据流的自定义公司 oauth 2 授权服务器生成访问令牌。
见https://tools.ietf.org/html/rfc6749#section-4.3
此服务器仅在收到以下参数时才会生成访问令牌:
POST https://custom_corporate_server/auth/oauth/v2/token
Header
idp: 99
Body
grant_type: password
scope: my_scope
client_id: 00******-****-****-****-**********99
client_secret: 00******-****-****-****-**********99
username: my_user
password: my_password
他们的配置需要额外的 header 自定义参数:idp - 应该是一个数字。
我正在使用 Spring 引导 2.3.0 和 Spring 安全 5.3.2。
我按照下面的链接构建了我的测试示例: https://docs.spring.io/spring-security/site/docs/5.3.2.RELEASE/reference/html5/#using-the-access-token-2
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
ClientRegistrationRepository clientRegistrationRepository,
OAuth2AuthorizedClientRepository authorizedClientRepository) {
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build();
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Assuming the `username` and `password` are supplied as `HttpServletRequest` parameters,
// map the `HttpServletRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper());
return authorizedClientManager;
}
private Function<OAuth2AuthorizeRequest, Map<String, Object>> contextAttributesMapper() {
return authorizeRequest -> {
Map<String, Object> contextAttributes = Collections.emptyMap();
HttpServletRequest servletRequest = authorizeRequest.getAttribute(HttpServletRequest.class.getName());
String username = servletRequest.getParameter(OAuth2ParameterNames.USERNAME);
String password = servletRequest.getParameter(OAuth2ParameterNames.PASSWORD);
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = new HashMap<>();
// `PasswordOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
}
return contextAttributes;
};
}
我无法将 header 中的这个参数传递给授权服务器。 如何做到这一点是我今天的主要难题。
看看 这篇文章,它解释了对授权和令牌请求的各种自定义。 在您的情况下,关于令牌请求额外参数的部分似乎准确地描述了您的需求。
你可以这样做:
public class CustomRequestEntityConverter implements Converter<OAuth2PasswordGrantRequest, RequestEntity<?>> {
private OAuth2PasswordGrantRequestEntityConverter defaultConverter;
public CustomRequestEntityConverter() {
defaultConverter = new OAuth2PasswordGrantRequestEntityConverter();
}
@Override
public RequestEntity<?> convert(OAuth2PasswordGrantRequest req) {
RequestEntity<?> entity = defaultConverter.convert(req);
MultiValueMap<String, String> params = entity.getHeaders();
params.add("idp", "99");
return new RequestEntity<>(params, entity.getHeaders(), entity.getMethod(), entity.getUrl());
}
}
具有使用资源所有者密码凭证oauth流的多个客户端的中央身份验证服务器
[英]Central auth server with multiple clients using resource owner password credentials oauth flow
带有oauth2的Spring Security将其他参数添加到授权URL?
[英]Spring security with oauth2 adding additional parameters to authorization URL?
Spring Boot Oauth2-授权与资源服务器之间的安全性不兼容
[英]Spring boot Oauth2 - Security incompatibility between Authorization and Resource server
如何在重定向中添加授权 header (Spring Security)
[英]How to add Authorization header in redirect (Spring Security)
具有OAuth 2资源所有者密码凭证的Java scribe客户端
[英]Java scribe client with OAuth 2 Resource Owner Password Credentials
在Play(Java)中实现OAuth2的密码所有者资源流
[英]Implementing the password owner resource flow of OAuth2 in Play (Java)
使用 API 请求上的附加 header 参数跳过 Oauth 2.0 授权 - Z38008DD81C2F4AFD71Z85 安全性
[英]Skipping Oauth 2.0 authorization using additional header param on API Request - Spring Security
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.