堆棧內存溢出
  簡體   English   中英

使用帶有OpenID Connect提供程序的spring-security-oauth2客戶端時,如何訪問“id_token”和“refresh_token”?

[英]How to access the “id_token” and “refresh_token” when using spring-security-oauth2 client with OpenID Connect provider?

 原文  2017-03-24 15:40:56       java/ spring/ spring-security/ spring-security-oauth2/ openid-connect

問題描述

我已成功將Spring Security OAuth2與我的Open ID Connect提供程序(Forgerock OpenAM)集成。 我可以看到正在檢索的訪問令牌。 如何從/token端點訪問作為響應一部分的id_tokenrefresh_token

2 個解決方案

解決方案1
 0  2018-04-13 13:27:52

最后找出答案和發布,以防它對有相同問題的人有用。 會話通過Spring Security OAuth2進行Authentication ,會有一個Authentication對象設置。 它需要轉換為OAuth2Authentication的實例。 該對象具有令牌。 

    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth instanceof OAuth2Authentication) {
        Object details = auth.getDetails();
        OAuth2AccessToken token = oauth2Ctx.getAccessToken();

        if (token != null && !token.isExpired()) {
            // Do Stuff
        }

解決方案2
 0  2019-07-06 21:21:56

一個替代方法的完整示例(使用Spring Boot並禁用其自動配置的一部分)。

application.properties: 

security.oauth2.client.client-id=client-id
security.oauth2.client.client-secret=client-secret
security.oauth2.client.access-token-uri=http://my-oidc-provider/auth/oauth2/token
security.oauth2.client.user-authorization-uri=http://my-oidc-provider/auth/oauth2/authorize
security.oauth2.resource.token-info-uri=http://my-oidc-provider/auth/oauth2/check_token
security.oauth2.client.scope=openid,email,profile
security.oauth2.resource.jwk.key-set-uri=http://my-oidc-provider/auth/oidc/jwks

/**
 * Extending the AuthorizationServerEndpointsConfiguration disables the Spring
 * Boot ResourceServerTokenServicesConfiguration.
 */
@Configuration
@EnableOAuth2Sso
public class OAuth2Config extends AuthorizationServerEndpointsConfiguration {

    @Value("${security.oauth2.resource.jwk.key-set-uri}")
    private String keySetUri;

    @Value("${security.oauth2.resource.token-info-uri}")
    private String checkTokenEndpointUrl;

    @Value("${security.oauth2.client.client-id}")
    private String clientId;

    @Value("${security.oauth2.client.client-secret}")
    private String clientSecret;

    @Bean
    public RemoteTokenServices resourceServerTokenServices() {
        RemoteTokenServices tokenService = new RemoteTokenServices();

        DefaultAccessTokenConverter accessTokenConverter = new DefaultAccessTokenConverter();
        accessTokenConverter.setUserTokenConverter(new CustomIdTokenConverter(keySetUri));
        tokenService.setAccessTokenConverter(accessTokenConverter);

        tokenService.setCheckTokenEndpointUrl(checkTokenEndpointUrl);
        tokenService.setClientId(clientId);
        tokenService.setClientSecret(clientSecret);

        return tokenService;
    }

    @Bean
    public ClientDetailsService clientDetailsService() {
        return new InMemoryClientDetailsService();
    }

    @Bean
    public UserInfoRestTemplateFactory userInfoRestTemplateFactory(
            ObjectProvider<List<UserInfoRestTemplateCustomizer>> customizers,
            ObjectProvider<OAuth2ProtectedResourceDetails> details,
            ObjectProvider<OAuth2ClientContext> oauth2ClientContext) {
        return new DefaultUserInfoRestTemplateFactory(customizers, details,
                oauth2ClientContext);
    }
}

public class CustomIdTokenConverter extends DefaultUserAuthenticationConverter {

    private final JwkTokenStore jwkTokenStore;

    public CustomIdTokenConverter(String keySetUri) {
        this.jwkTokenStore = new JwkTokenStore(keySetUri);
    }

    @Override
    public Authentication extractAuthentication(Map<String, ?> map) {

        String idToken = (String) map.get("id_token");

        OAuth2AccessToken token = jwkTokenStore.readAccessToken(idToken);

        Map<String, Object> claims = token.getAdditionalInformation();
        OAuth2RefreshToken refreshToken = token.getRefreshToken();

        String principal = (String) claims.get("sub");

        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");

        return new CustomAuthenticationData(principal, claims, authorities);
    }
}

public class CustomAuthenticationData extends UsernamePasswordAuthenticationToken {

    private final Map<String, Object> attributes;

    public CustomAuthenticationData(String username, Map<String, Object> attributes, Collection<? extends GrantedAuthority> authorities) {
        super(username, "N/A", authorities);
        this.attributes = attributes;
    }

    public Map<String, Object> getAttributes() {
        return attributes;
    }
}

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 spring-security-oauth2中的OAuth2 refresh_token邏輯實現 如何使用 redis 使用 spring-security-oauth2 來持久化令牌 Spring Security Oauth 2。 在服務器端存儲refresh_token 使用Spring Security 3在我的Grails OAuth提供程序上存儲訪問令牌 在 Spring-Security-Oauth2 中無需 access_token 即可訪問受保護資源 如何在 Oauth2.0 中使用 refresh_token 重新生成 access_token 使用java config創建spring-security-oauth2客戶端的文檔 如何在spring security oauth2中分離訪問令牌和刷新令牌端點 如何使用 Spring Security 5 OAuth2 客戶端和 RestTemplate 刷新 OAuth2 令牌 Google Oauth2 refresh_token為空
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM