Spring Authorization Server Configuration Model
Default configuration

OAuth2AuthorizationServerConfiguration is a @Configuration that provides the minimal default configuration for an OAuth2 authorization server.

OAuth2AuthorizationServerConfiguration uses OAuth2AuthorizationServerConfigurer to apply the default configuration and registers a SecurityFilterChain @Bean composed of all the infrastructure components that support an OAuth2 authorization server.

The OAuth2 authorization server SecurityFilterChain @Bean is configured with the following default protocol endpoints:
- OAuth2 Authorization endpoint
- OAuth2 Token endpoint
- OAuth2 Token Introspection endpoint
- OAuth2 Token Revocation endpoint
- OAuth2 Authorization Server Metadata endpoint
- JWK Set endpoint

Note: the JWK Set endpoint is configured only if a JWKSource<SecurityContext> @Bean is registered.
The following example shows how to use OAuth2AuthorizationServerConfiguration to apply the minimal default configuration:

```java
@Configuration
@Import(OAuth2AuthorizationServerConfiguration.class)
public class AuthorizationServerConfig {

    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        List<RegisteredClient> registrations = ...
        return new InMemoryRegisteredClientRepository(registrations);
    }

    @Bean
    public JWKSource<SecurityContext> jwkSource() {
        RSAKey rsaKey = ...
        JWKSet jwkSet = new JWKSet(rsaKey);
        return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
    }

}
```
Important: the authorization_code grant requires the resource owner to be authenticated. Therefore, a user authentication mechanism must be configured in addition to the default OAuth2 security configuration.
OpenID Connect 1.0 is disabled in the default configuration. The following example shows how to enable OpenID Connect 1.0 by initializing the OidcConfigurer:

```java
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
    http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
        .oidc(Customizer.withDefaults());   // Initialize `OidcConfigurer`
    return http.build();
}
```

In addition to the default protocol endpoints, the OAuth2 authorization server SecurityFilterChain @Bean is configured with the following OpenID Connect 1.0 protocol endpoints:
- OpenID Connect 1.0 Provider Configuration endpoint
- OpenID Connect 1.0 UserInfo endpoint

Note: the OpenID Connect 1.0 Client Registration endpoint is disabled by default because many deployments do not require dynamic client registration.
The following example shows how to register a JwtDecoder @Bean:

```java
@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
    return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}
```

The main purpose of OAuth2AuthorizationServerConfiguration is to provide a convenient way to apply the minimal default configuration for an OAuth2 authorization server. In most cases, however, the configuration needs to be customized.
Customizing the configuration

OAuth2AuthorizationServerConfigurer provides the ability to fully customize the security configuration of an OAuth2 authorization server. It lets you specify the core components to use, for example RegisteredClientRepository, OAuth2AuthorizationService, OAuth2TokenGenerator and others. It also lets you customize the request processing logic of the protocol endpoints, for example the authorization endpoint, the token endpoint, the token introspection endpoint and others.

OAuth2AuthorizationServerConfigurer provides the following configuration options:

```java
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
        new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .registeredClientRepository(registeredClientRepository)
        .authorizationService(authorizationService)
        .authorizationConsentService(authorizationConsentService)
        .authorizationServerSettings(authorizationServerSettings)
        .tokenGenerator(tokenGenerator)
        .clientAuthentication(clientAuthentication -> { })
        .authorizationEndpoint(authorizationEndpoint -> { })
        .tokenEndpoint(tokenEndpoint -> { })
        .tokenIntrospectionEndpoint(tokenIntrospectionEndpoint -> { })
        .tokenRevocationEndpoint(tokenRevocationEndpoint -> { })
        .authorizationServerMetadataEndpoint(authorizationServerMetadataEndpoint -> { })
        .oidc(oidc -> oidc
            .providerConfigurationEndpoint(providerConfigurationEndpoint -> { })
            .userInfoEndpoint(userInfoEndpoint -> { })
            .clientRegistrationEndpoint(clientRegistrationEndpoint -> { })
        );

    return http.build();
}
```
Configuring Authorization Server Settings

AuthorizationServerSettings contains the configuration settings for the OAuth2 authorization server. It specifies the URI of each protocol endpoint as well as the issuer identifier. The default URIs of the protocol endpoints are as follows:

```java
public final class AuthorizationServerSettings extends AbstractSettings {

    ...

    public static Builder builder() {
        return new Builder()
                .authorizationEndpoint("/oauth2/authorize")
                .tokenEndpoint("/oauth2/token")
                .tokenIntrospectionEndpoint("/oauth2/introspect")
                .tokenRevocationEndpoint("/oauth2/revoke")
                .jwkSetEndpoint("/oauth2/jwks")
                .oidcUserInfoEndpoint("/userinfo")
                .oidcClientRegistrationEndpoint("/connect/register");
    }

    ...

}
```
Tip: @Import(OAuth2AuthorizationServerConfiguration.class) automatically registers an AuthorizationServerSettings @Bean if one is not already provided.

The following example shows how to customize the configuration settings and register an AuthorizationServerSettings @Bean:

```java
@Bean
public AuthorizationServerSettings authorizationServerSettings() {
    return AuthorizationServerSettings.builder()
        .issuer("https://example.com")
        .authorizationEndpoint("/oauth2/v1/authorize")
        .tokenEndpoint("/oauth2/v1/token")
        .tokenIntrospectionEndpoint("/oauth2/v1/introspect")
        .tokenRevocationEndpoint("/oauth2/v1/revoke")
        .jwkSetEndpoint("/oauth2/v1/jwks")
        .oidcUserInfoEndpoint("/connect/v1/userinfo")
        .oidcClientRegistrationEndpoint("/connect/v1/register")
        .build();
}
```
AuthorizationServerContext is a context object that holds information about the authorization server's runtime environment. It provides access to the AuthorizationServerSettings and to the "current" issuer identifier.

Note: if the issuer identifier is not configured in AuthorizationServerSettings, it is resolved from the current request.

Note: the AuthorizationServerContext is accessible through the AuthorizationServerContextHolder, which associates it with the current request thread by using a ThreadLocal.
Configuring Client Authentication

OAuth2ClientAuthenticationConfigurer provides the ability to customize OAuth2 client authentication. It defines extension points that let you customize the pre-processing, main processing and post-processing logic of client authentication requests.

OAuth2ClientAuthenticationConfigurer provides the following configuration options:

```java
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
        new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .clientAuthentication(clientAuthentication ->
            clientAuthentication
                .authenticationConverter(authenticationConverter)
                .authenticationConverters(authenticationConvertersConsumer)
                .authenticationProvider(authenticationProvider)
                .authenticationProviders(authenticationProvidersConsumer)
                .authenticationSuccessHandler(authenticationSuccessHandler)
                .errorResponseHandler(errorResponseHandler)
        );

    return http.build();
}
```
OAuth2ClientAuthenticationConfigurer configures the OAuth2ClientAuthenticationFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2ClientAuthenticationFilter is the Filter that processes client authentication requests.

By default, client authentication is required for the OAuth2 Token endpoint, the OAuth2 Token Introspection endpoint and the OAuth2 Token Revocation endpoint. The supported client authentication methods are client_secret_basic, client_secret_post, private_key_jwt, client_secret_jwt and none (public clients).

OAuth2ClientAuthenticationFilter is configured with the following defaults:
- AuthenticationConverter: a DelegatingAuthenticationConverter composed of JwtClientAssertionAuthenticationConverter, ClientSecretBasicAuthenticationConverter, ClientSecretPostAuthenticationConverter and PublicClientAuthenticationConverter.
- AuthenticationManager: an AuthenticationManager composed of JwtClientAssertionAuthenticationProvider, ClientSecretAuthenticationProvider and PublicClientAuthenticationProvider.
- AuthenticationSuccessHandler: an internal implementation that associates the "authenticated" OAuth2ClientAuthenticationToken (the current Authentication) with the SecurityContext.
- AuthenticationFailureHandler: an internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException to return the OAuth2 error response.
Customizing JWT client assertion validation

JwtClientAssertionDecoderFactory.DEFAULT_JWT_VALIDATOR_FACTORY is the default factory that provides an OAuth2TokenValidator<Jwt> for the specified RegisteredClient; it is used to validate the iss, sub, aud, exp and nbf claims of the Jwt client assertion.

JwtClientAssertionDecoderFactory provides the ability to override the default Jwt client assertion validation by supplying a custom factory of type Function<RegisteredClient, OAuth2TokenValidator<Jwt>> to setJwtValidatorFactory().
A common use case for customizing JwtClientAssertionDecoderFactory is to validate additional claims in the Jwt client assertion.

The following example shows how to configure JwtClientAssertionAuthenticationProvider with a customized JwtClientAssertionDecoderFactory that validates an additional claim in the Jwt client assertion:

```java
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
        new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .clientAuthentication(clientAuthentication ->
            clientAuthentication
                .authenticationProviders(configureJwtClientAssertionValidator())
        );

    return http.build();
}

private Consumer<List<AuthenticationProvider>> configureJwtClientAssertionValidator() {
    return (authenticationProviders) ->
        authenticationProviders.forEach((authenticationProvider) -> {
            if (authenticationProvider instanceof JwtClientAssertionAuthenticationProvider) {
                // Customize JwtClientAssertionDecoderFactory
                JwtClientAssertionDecoderFactory jwtDecoderFactory = new JwtClientAssertionDecoderFactory();
                Function<RegisteredClient, OAuth2TokenValidator<Jwt>> jwtValidatorFactory = (registeredClient) ->
                        new DelegatingOAuth2TokenValidator<>(
                                // Use default validators
                                JwtClientAssertionDecoderFactory.DEFAULT_JWT_VALIDATOR_FACTORY.apply(registeredClient),
                                // Add custom validator
                                new JwtClaimValidator<>("claim", "value"::equals));
                jwtDecoderFactory.setJwtValidatorFactory(jwtValidatorFactory);

                ((JwtClientAssertionAuthenticationProvider) authenticationProvider)
                        .setJwtDecoderFactory(jwtDecoderFactory);
            }
        });
}
```
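As a further added example (not code from the reference documentation), the validator factory below replaces the placeholder "claim"/"value" check with two checks worth having on private_key_jwt and client_secret_jwt assertions: the assertion must carry a jti, and its exp must not lie further in the future than a fixed lifetime, which bounds how long any single assertion stays acceptable. The class name ClientAssertionValidation, the five-minute limit and the error descriptions are constructed choices; the wiring into JwtClientAssertionAuthenticationProvider is the same as in the example above.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.function.Consumer;
import java.util.function.Function;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.authorization.authentication.JwtClientAssertionAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.authentication.JwtClientAssertionDecoderFactory;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
public final class ClientAssertionValidation {
    // Constructed policy: an assertion may not remain valid for more than five minutes from now.
    static final Duration MAX_ASSERTION_LIFETIME = Duration.ofMinutes(5);
    // Extra validator: jti must be present and exp must fall within the allowed lifetime.
    static OAuth2TokenValidator<Jwt> assertionLifetimeValidator() {
        return jwt -> {
            if (jwt.getId() == null || jwt.getId().isBlank()) {
                return OAuth2TokenValidatorResult.failure(invalidClient("client assertion is missing the jti claim"));
            }
            Instant exp = jwt.getExpiresAt();
            if (exp == null || exp.isAfter(Instant.now().plus(MAX_ASSERTION_LIFETIME))) {
                return OAuth2TokenValidatorResult.failure(invalidClient("client assertion exp exceeds the allowed lifetime"));
            }
            return OAuth2TokenValidatorResult.success();
        };
    }
    private static OAuth2Error invalidClient(String description) {
        return new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT, description, null);
    }
    // Same wiring as the page's example: keep the default iss/sub/aud/exp/nbf validators,
    // then run the extra validator after them.
    public static Consumer<List<AuthenticationProvider>> configureJwtClientAssertionValidator() {
        return authenticationProviders -> authenticationProviders.forEach(authenticationProvider -> {
            if (authenticationProvider instanceof JwtClientAssertionAuthenticationProvider provider) {
                JwtClientAssertionDecoderFactory jwtDecoderFactory = new JwtClientAssertionDecoderFactory();
                Function<RegisteredClient, OAuth2TokenValidator<Jwt>> jwtValidatorFactory = registeredClient ->
                        new DelegatingOAuth2TokenValidator<>(
                                JwtClientAssertionDecoderFactory.DEFAULT_JWT_VALIDATOR_FACTORY.apply(registeredClient),
                                assertionLifetimeValidator());
                jwtDecoderFactory.setJwtValidatorFactory(jwtValidatorFactory);
                provider.setJwtDecoderFactory(jwtDecoderFactory);
            }
        });
    }
}
```

Pass ClientAssertionValidation.configureJwtClientAssertionValidator() to clientAuthentication.authenticationProviders(...) in the SecurityFilterChain @Bean exactly as the preceding example does; a failing check surfaces as an invalid_client error response from the token endpoint.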