How to configure Spring Boot to authenticate Web-app users and REST clients using AWS Cognito (OAuth2/OIDC)
I need to configure a Spring Boot server to authenticate both web users and REST clients using an AWS Cognito user pool:
Authorization: Bearer...
header. The problem is:

Let's start with terminology: Spring's spring-security-oauth2-client module handles the "authorization code grant flow", and the spring-security-oauth2-resource-server module handles the "client credentials flow".

To use both flows/methods at the same time, we need to tell Spring how to decide which authentication method to use for an incoming HTTP request. As explained in https://stackoverflow.com/a/64752665/2692895, this can be done by looking for the Authorization: bearer... header: if the request carries an Authorization header, then assume it is a REST client and use the "client credentials flow". I am using Spring-Boot 2.6.6 (Spring 5.6.2).
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-resource-server</artifactId>
</dependency>
application.yaml

spring:
  security:
    oauth2:
      # Interactive/web users authentication
      client:
        registration:
          cognito:
            clientId: ${COGNITO_CLIENT_ID}
            clientSecret: ${COGNITO_CLIENT_SECRET}
            scope: openid
            clientName: ${CLIENT_APP_NAME}
        provider:
          cognito:
            issuerUri: https://cognito-idp.eu-central-1.amazonaws.com/${COGNITO_POOL_ID}
            user-name-attribute: email
      # REST API authentication
      resourceserver:
        jwt:
          issuer-uri: https://cognito-idp.eu-central-1.amazonaws.com/${COGNITO_POOL_ID}
Interactive/web user authentication:
import lombok.SneakyThrows;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
        // Needed for method access control via the @Secured annotation
        prePostEnabled = true,
        jsr250Enabled = true,
        securedEnabled = true
)
@Profile({"cognito"})
@Order(2)
public class CognitoSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Catch-all chain (no request matcher): any request not claimed by the token-based
    // chain below is treated as an interactive web user and sent through the OIDC login
    @SneakyThrows
    @Override
    protected void configure(HttpSecurity http) {
        http
                // TODO disable CSRF because when enabled controllers aren't initialized
                // and if they are, POSTs get 403
                .csrf().disable()
                .authorizeRequests()
                    .anyRequest().authenticated()
                .and()
                .oauth2Client()
                .and()
                .logout()
                .and()
                .oauth2Login()
                    .redirectionEndpoint().baseUri("/login/oauth2/code/cognito")
                .and()
        ;
    }
}
REST client authentication:
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;

/**
 * Allow users to use a token (id-token, jwt) instead of the interactive login.
 * The token is specified as the "Authorization: Bearer ..." header.
 * <p>
 * To get a token, the cognito client-app needs to support USER_PASSWORD_AUTH then use the following command:
 * <pre>
 * aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --output json \
 *   --region $region --client-id $clientid --auth-parameters "USERNAME=$username,PASSWORD=$password" \
 *   | jq .AuthenticationResult.IdToken
 * </pre>
 */
@Slf4j
@Configuration
@Profile({"cognito"})
@Order(1)
public class CognitoTokenBasedSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Ordered first: this chain claims every request that carries an Authorization header
    // and validates it as a JWT against the issuer configured under resourceserver.jwt
    @SneakyThrows
    @Override
    protected void configure(HttpSecurity http) {
        http
                .requestMatcher(new RequestHeaderRequestMatcher("Authorization"))
                .authorizeRequests().anyRequest().authenticated()
                .and().oauth2ResourceServer().jwt()
        ;
    }
}
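As an added check that is not part of the original post, the MockMvc test below shows that the Authorization header, not the URL, selects which filter chain handles a request, and records one caveat of matching on header presence alone. It assumes the two configurations above and a @SpringBootApplication class are on the classpath with spring-boot-starter-test available; ClientRegistrationRepository and JwtDecoder are mocked so the context starts without contacting Cognito, and all property values, paths and tokens are constructed.

```java
import static org.hamcrest.Matchers.startsWith;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest(properties = { // constructed values so the yaml placeholders resolve offline
        "COGNITO_CLIENT_ID=constructed-id", "COGNITO_CLIENT_SECRET=constructed-secret",
        "CLIENT_APP_NAME=constructed-app", "COGNITO_POOL_ID=eu-central-1_constructed"})
@AutoConfigureMockMvc
@ActiveProfiles("cognito") // both configurations above are gated on this profile
class AuthorizationHeaderRoutingTest {
    @Autowired MockMvc mockMvc;
    // Mocked so that neither chain contacts Cognito (OIDC discovery, JWKS) at startup
    @MockBean ClientRegistrationRepository clientRegistrations;
    @MockBean JwtDecoder jwtDecoder;

    @Test
    void restClientWithBadTokenGets401NotLoginRedirect() throws Exception {
        when(jwtDecoder.decode("bad-token")).thenThrow(new BadJwtException("constructed failure"));
        mockMvc.perform(get("/api/items").header("Authorization", "Bearer bad-token"))
                .andExpect(status().isUnauthorized())
                .andExpect(header().string("WWW-Authenticate", startsWith("Bearer")));
    }

    @Test
    void browserWithoutHeaderIsSentToLogin() throws Exception {
        mockMvc.perform(get("/api/items"))
                .andExpect(status().is3xxRedirection())
                .andExpect(redirectedUrlPattern("**/login"));
    }

    @Test
    void anyAuthorizationHeaderSelectsTheJwtChain() throws Exception {
        // Caveat: the matcher checks only header presence, so Basic credentials hit the JWT chain too and get 401
        mockMvc.perform(get("/api/items").header("Authorization", "Basic Y29uc3RydWN0ZWQ="))
                .andExpect(status().isUnauthorized());
    }
}
```

The last test is the one to watch in production: a client sending any non-Bearer Authorization scheme never reaches the interactive chain, which is usually what you want for an API but worth stating explicitly in the matcher if you later add httpBasic or a custom scheme.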