
Spring Security OAuth 2 使用 grant_type "password" 時,在 TokenEndpoint 上禁用客戶端身份驗證

[英]Spring Security oauth 2 Disable Client authentication on TokenEndPoint with grant_type "password"

我的應用程序使用Spring Security Oauth2配置來管理認證。

當前,我的請求需要這些信息:grant_type、用戶名、密碼、client_id 和 client_secret。

但是,我不需要我的應用程序的客戶端身份驗證(client_id + client_secret)。 因此,我如何刪除此身份驗證?

這是我當前的配置:

AuthorizationServerConfigurerAdapter:

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private UserApprovalHandler userApprovalHandler;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    /**
     * Registers the single in-memory client "khk".
     *
     * <p>No {@code .secret(...)} is applied (that call was commented out in the original),
     * so this client has no credential of its own to present to the token endpoint. Its id,
     * grant types and scope still have to be registered here for the "password" and
     * "refresh_token" grants to be resolved against a known client.
     *
     * @param clients builder for the client registry
     * @throws Exception as declared by the configurer API
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("khk")
            .scopes("openid")
            .authorizedGrantTypes("refresh_token", "password")
            .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
            .autoApprove(true)
            // no .secret(...) call: the client is registered without a secret
            .accessTokenValiditySeconds(30000)
            .refreshTokenValiditySeconds(60000);
    }

    /**
     * Wires the token endpoint: token store, approval handler, the authentication manager the
     * endpoints use to authenticate users (needed by the "password" grant) and the token
     * converter. The token endpoint is moved from the default {@code /oauth/token} to
     * {@code /connect}.
     *
     * @param endpoints endpoint configurer
     * @throws Exception as declared by the configurer API
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore);
        endpoints.userApprovalHandler(userApprovalHandler);
        endpoints.authenticationManager(authenticationManager);
        // The token endpoint answers on /connect instead of the default /oauth/token.
        endpoints.pathMapping("/oauth/token", "/connect");
        endpoints.accessTokenConverter(accessTokenConverter());
    }

    /**
     * Plain default converter. It is not declared as a {@code @Bean}, so it is only
     * reachable through this method.
     *
     * @return a new {@link DefaultAccessTokenConverter}
     */
    public AccessTokenConverter accessTokenConverter() {
        DefaultAccessTokenConverter converter = new DefaultAccessTokenConverter();
        return converter;
    }

    /**
     * Not customised: how clients authenticate themselves at the token endpoint is left at
     * the framework defaults.
     *
     * @param oauthServer security configurer for the authorization server endpoints
     * @throws Exception as declared by the configurer API
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // nothing configured here; defaults apply
    }
}

WebSecurityConfigurerAdapter:

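@Configuration
@EnableWebSecurity
public class OAuth2SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private ClientDetailsService clientDetailsService;

    @Autowired
    private DataSource dataSource;

    /**
     * Configures JDBC-backed user authentication against {@code t_user}.
     *
     * <p>Both queries use {@code ?} placeholders, so the supplied username is bound as a
     * parameter rather than concatenated into the SQL text. No password encoder is set on
     * this builder in the visible code, so the builder's default handling of the stored
     * {@code us_passwd} value applies.
     *
     * @param auth builder for the global authentication manager
     * @throws Exception as declared by the builder API
     */
    @Autowired
    public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource)
            .usersByUsernameQuery("select us_pseudo, us_passwd, us_enabled from t_user where us_pseudo=?")
            .authoritiesByUsernameQuery("select us.us_pseudo, gr.name from t_user us, t_group gr, r_groupuser gu where us.us_id = gu.groupuser_user_id and gr.gp_id = gu.groupuser_group_id and us.us_pseudo = ?");
        // TODO: group-based authorities (groupAuthoritiesByUsername) are not configured yet.
    }

    /**
     * Exposes the authentication manager built above as the bean named
     * {@code authenticationManagerBean}, which the authorization server injects by qualifier.
     *
     * @return the shared {@link AuthenticationManager}
     * @throws Exception as declared by the superclass
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Token store held in this JVM's memory; issued tokens are lost on restart.
     *
     * @return a new {@link InMemoryTokenStore}
     */
    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    /**
     * Approval handler backed by the token store and the registered client details.
     *
     * @param tokenStore the token store bean
     * @return the configured handler
     */
    @Bean
    @Autowired
    public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore) {
        TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
        handler.setTokenStore(tokenStore);
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
        handler.setClientDetailsService(clientDetailsService);
        return handler;
    }

    /**
     * Approval store derived from the token store.
     *
     * <p>Nothing here throws a checked exception, so the former {@code throws Exception}
     * clause was dropped; callers that catch {@code Exception} still compile.
     *
     * @param tokenStore the token store bean
     * @return the configured store
     */
    @Bean
    @Autowired
    public ApprovalStore approvalStore(TokenStore tokenStore) {
        TokenApprovalStore store = new TokenApprovalStore();
        store.setTokenStore(tokenStore);
        return store;
    }

}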

ResourceServerConfigurerAdapter:

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "SPRING_REST_API";

    /**
     * Names this resource server and turns stateless mode off, so an existing session may be
     * used instead of requiring a bearer token on every request.
     *
     * @param resources resource-server security configurer
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID);
        resources.stateless(false);
    }

    /**
     * Request authorization rules for the resource server.
     *
     * <p>Security note: {@code anyRequest().permitAll()} means no request handled by this
     * resource server requires an access token, which also makes the explicit
     * {@code POST /connect} rule redundant. Protected resources would need
     * {@code authenticated()} (or an access expression) instead.
     *
     * @param http HTTP security builder
     * @throws Exception as declared by the builder API
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers(HttpMethod.POST, "/connect").permitAll()
            .anyRequest().permitAll();
        http.exceptionHandling()
            .accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }

}

簡短的答案是:您需要這些信息才能使用 OAuth2。它們不是可以刪除後仍能讓一切正常運行的可選信息。

請記住,client_id 和 client_secret 的目的是對您的客戶端應用程序本身進行授權。根據所使用的授權類型(grant type),您的客戶端應用程序可能只需要 client_id,也可能兩者都需要。

如果只需要 client_id,則可以在「授權碼」(Authorization Code)或「隱式」(Implicit)授權類型之間進行選擇。但首先,我建議先閱讀本文以了解不同的授權類型,並確定哪種最適合您的情況。



 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM