Spring Authorization Server Core Protocol Endpoints


OAuth2 Authorization Endpoint

`OAuth2AuthorizationEndpointConfigurer` provides the ability to customize the OAuth2 Authorization endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 authorization requests.

`OAuth2AuthorizationEndpointConfigurer` provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
        new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .authorizationEndpoint(authorizationEndpoint ->
            authorizationEndpoint
                .authorizationRequestConverter(authorizationRequestConverter)
                .authorizationRequestConverters(authorizationRequestConvertersConsumer)
                .authenticationProvider(authenticationProvider)
                .authenticationProviders(authenticationProvidersConsumer)
                .authorizationResponseHandler(authorizationResponseHandler)
                .errorResponseHandler(errorResponseHandler)
                .consentPage("/oauth2/v1/authorize")
        );

    return http.build();
}

`authorizationRequestConverter()`: Adds an `AuthenticationConverter` (pre-processor) used when attempting to extract an OAuth2 authorization request (or consent) from `HttpServletRequest` to an instance of `OAuth2AuthorizationCodeRequestAuthenticationToken` or `OAuth2AuthorizationConsentAuthenticationToken`.

`authorizationRequestConverters()`: Sets the `Consumer` providing access to the `List` of default and (optionally) added `AuthenticationConverter`s, allowing you to add, remove, or customize a specific `AuthenticationConverter`.

`authenticationProvider()`: Adds an `AuthenticationProvider` (main processor) used for authenticating the `OAuth2AuthorizationCodeRequestAuthenticationToken` or `OAuth2AuthorizationConsentAuthenticationToken`.

`authenticationProviders()`: Sets the `Consumer` providing access to the `List` of default and (optionally) added `AuthenticationProvider`s, allowing you to add, remove, or customize a specific `AuthenticationProvider`.

`authorizationResponseHandler()`: The `AuthenticationSuccessHandler` (post-processor) used for handling an "authenticated" `OAuth2AuthorizationCodeRequestAuthenticationToken` and returning the `OAuth2AuthorizationResponse`.

`errorResponseHandler()`: The `AuthenticationFailureHandler` (post-processor) used for handling an `OAuth2AuthorizationCodeRequestAuthenticationException` and returning the `OAuth2Error` response.

`consentPage()`: The `URI` of the custom consent page to which resource owners are redirected if consent is required during the authorization request flow.

`OAuth2AuthorizationEndpointConfigurer` configures the `OAuth2AuthorizationEndpointFilter` and registers it with the OAuth2 authorization server `SecurityFilterChain` `@Bean`. `OAuth2AuthorizationEndpointFilter` is the `Filter` that processes OAuth2 authorization requests (and consents).

`OAuth2AuthorizationEndpointFilter` is configured with the following defaults:

  • AuthenticationConverter: A `DelegatingAuthenticationConverter` composed of `OAuth2AuthorizationCodeRequestAuthenticationConverter` and `OAuth2AuthorizationConsentAuthenticationConverter`.
  • AuthenticationManager: An `AuthenticationManager` composed of `OAuth2AuthorizationCodeRequestAuthenticationProvider` and `OAuth2AuthorizationConsentAuthenticationProvider`.
  • AuthenticationSuccessHandler: An internal implementation that handles an "authenticated" `OAuth2AuthorizationCodeRequestAuthenticationToken` and returns the `OAuth2AuthorizationResponse`.
  • AuthenticationFailureHandler: An internal implementation that uses the `OAuth2Error` associated with the `OAuth2AuthorizationCodeRequestAuthenticationException` and returns the `OAuth2Error` response.

Customizing Authorization Request Validation

`OAuth2AuthorizationCodeRequestAuthenticationValidator` is the default validator used for validating specific OAuth2 authorization request parameters used in the Authorization Code Grant. The default implementation validates the `redirect_uri` and `scope` parameters. If validation fails, an `OAuth2AuthorizationCodeRequestAuthenticationException` is thrown.

`OAuth2AuthorizationCodeRequestAuthenticationProvider` provides the ability to override the default authorization request validation by supplying a custom authentication validator of type `Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext>` to `setAuthenticationValidator()`.

`OAuth2AuthorizationCodeRequestAuthenticationContext` holds the `OAuth2AuthorizationCodeRequestAuthenticationToken`, which contains the OAuth2 authorization request parameters.

If validation fails, the authentication validator must throw an `OAuth2AuthorizationCodeRequestAuthenticationException`.

A common use case during the development lifecycle is to allow `localhost` in the `redirect_uri` parameter.

The following example shows how to configure `OAuth2AuthorizationCodeRequestAuthenticationProvider` with a custom authentication validator that allows `localhost` in the `redirect_uri` parameter:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
        new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .authorizationEndpoint(authorizationEndpoint ->
            authorizationEndpoint
                .authenticationProviders(configureAuthenticationValidator())
        );

    return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
    return (authenticationProviders) ->
        authenticationProviders.forEach((authenticationProvider) -> {
            if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
                Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
                    // Override default redirect_uri validator
                    new CustomRedirectUriValidator()
                        // Reuse default scope validator
                        .andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);

                ((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
                    .setAuthenticationValidator(authenticationValidator);
            }
        });
}

static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

    @Override
    public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
        OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
            authenticationContext.getAuthentication();
        RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
        String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();

        // Use exact string matching when comparing client redirect URIs against pre-registered URIs
        if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
            OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
            throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
        }
    }
}
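As an added example (not from the page or from Spring Authorization Server), the validator below goes one step beyond `CustomRedirectUriValidator` above: it keeps exact string matching for registered URIs, adds the RFC 8252 section 7.3 rule that a loopback redirect URI may use any port, and handles an omitted `redirect_uri`. The class name `LoopbackRedirectUriValidator` is hypothetical; it uses only the context, token and error types shown on this page.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Objects;
import java.util.Set;
import java.util.function.Consumer;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;

// Hypothetical validator (added example, not Spring's code): exact matching as in the page's
// CustomRedirectUriValidator, plus the RFC 8252 section 7.3 rule that loopback URIs may use any port.
public class LoopbackRedirectUriValidator
        implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {
    private static final Set<String> LOOPBACK_HOSTS = Set.of("127.0.0.1", "[::1]", "localhost");

    @Override
    public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext context) {
        OAuth2AuthorizationCodeRequestAuthenticationToken authentication = context.getAuthentication();
        Set<String> registered = context.getRegisteredClient().getRedirectUris();
        String requested = authentication.getRedirectUri();
        // Omitted redirect_uri: allowed only with exactly one registered URI, never for OpenID Connect (REQUIRED there)
        boolean valid = (requested == null)
                ? registered.size() == 1 && !authentication.getScopes().contains("openid")
                : isAllowed(requested, registered);
        if (!valid) {
            // Pass null, not the authentication: show the error to the user, never redirect to a URI that failed validation
            OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST, "redirect_uri", null);
            throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
        }
    }

    static boolean isAllowed(String requested, Set<String> registered) {
        if (registered.contains(requested)) {
            return true; // exact string match: the normal, strict case
        }
        URI uri = parse(requested);
        // Port flexibility only for loopback hosts, and never for a URI carrying a fragment
        if (uri == null || uri.getFragment() != null || uri.getHost() == null || !LOOPBACK_HOSTS.contains(uri.getHost())) {
            return false;
        }
        return registered.stream().map(LoopbackRedirectUriValidator::parse).anyMatch(reg -> reg != null
                && Objects.equals(uri.getScheme(), reg.getScheme()) && uri.getHost().equals(reg.getHost())
                && Objects.equals(uri.getPath(), reg.getPath()) && Objects.equals(uri.getQuery(), reg.getQuery()));
    }

    private static URI parse(String value) {
        try { return new URI(value); } catch (URISyntaxException ex) { return null; }
    }
}
```

To use it, substitute `new LoopbackRedirectUriValidator()` for `new CustomRedirectUriValidator()` in `configureAuthenticationValidator()`; the composed `DEFAULT_SCOPE_VALIDATOR` still runs afterwards.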

OAuth2 Token Endpoint

`OAuth2TokenEndpointConfigurer` provides the ability to customize the OAuth2 Token endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 access token requests.

`OAuth2TokenEndpointConfigurer` provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
        new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .tokenEndpoint(tokenEndpoint ->
            tokenEndpoint
                .accessTokenRequestConverter(accessTokenRequestConverter)
                .accessTokenRequestConverters(accessTokenRequestConvertersConsumer)
                .authenticationProvider(authenticationProvider)
                .authenticationProviders(authenticationProvidersConsumer)
                .accessTokenResponseHandler(accessTokenResponseHandler)
                .errorResponseHandler(errorResponseHandler)
        );

    return http.build();
}

`accessTokenRequestConverter()`: Adds an `AuthenticationConverter` (pre-processor) used when attempting to extract an OAuth2 access token request from `HttpServletRequest` to an instance of `OAuth2AuthorizationGrantAuthenticationToken`.

`accessTokenRequestConverters()`: Sets the `Consumer` providing access to the `List` of default and (optionally) added `AuthenticationConverter`s, allowing you to add, remove, or customize a specific `AuthenticationConverter`.

`authenticationProvider()`: Adds an `AuthenticationProvider` (main processor) used for authenticating the `OAuth2AuthorizationGrantAuthenticationToken`.

`authenticationProviders()`: Sets the `Consumer` providing access to the `List` of default and (optionally) added `AuthenticationProvider`s, allowing you to add, remove, or customize a specific `AuthenticationProvider`.

`accessTokenResponseHandler()`: The `AuthenticationSuccessHandler` (post-processor) used for handling an `OAuth2AccessTokenAuthenticationToken` and returning the `OAuth2AccessTokenResponse`.

`errorResponseHandler()`: The `AuthenticationFailureHandler` (post-processor) used for handling an `OAuth2AuthenticationException` and returning the `OAuth2Error` response.

`OAuth2TokenEndpointConfigurer` configures the `OAuth2TokenEndpointFilter` and registers it with the OAuth2 authorization server `SecurityFilterChain` `@Bean`. `OAuth2TokenEndpointFilter` is the `Filter` that processes OAuth2 access token requests.

The supported authorization grant types are `authorization_code`, `refresh_token`, and `client_credentials`.

`OAuth2TokenEndpointFilter` is configured with the following defaults:

  • AuthenticationConverter: A `DelegatingAuthenticationConverter` composed of `OAuth2AuthorizationCodeAuthenticationConverter`, `OAuth2RefreshTokenAuthenticationConverter`, and `OAuth2ClientCredentialsAuthenticationConverter`.
  • AuthenticationManager: An `AuthenticationManager` composed of `OAuth2AuthorizationCodeAuthenticationProvider`, `OAuth2RefreshTokenAuthenticationProvider`, and `OAuth2ClientCredentialsAuthenticationProvider`.
  • AuthenticationSuccessHandler: An internal implementation that handles an `OAuth2AccessTokenAuthenticationToken` and returns the `OAuth2AccessTokenResponse`.
  • AuthenticationFailureHandler: An internal implementation that uses the `OAuth2Error` associated with the `OAuth2AuthenticationException` and returns the `OAuth2Error` response.

OAuth2 Token Introspection Endpoint

`OAuth2TokenIntrospectionEndpointConfigurer` provides the ability to customize the OAuth2 Token Introspection endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 introspection requests.

`OAuth2TokenIntrospectionEndpointConfigurer` provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
        new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .tokenIntrospectionEndpoint(tokenIntrospectionEndpoint ->
            tokenIntrospectionEndpoint
                .introspectionRequestConverter(introspectionRequestConverter)
                .introspectionRequestConverters(introspectionRequestConvertersConsumer)
                .authenticationProvider(authenticationProvider)
                .authenticationProviders(authenticationProvidersConsumer)
                .introspectionResponseHandler(introspectionResponseHandler)
                .errorResponseHandler(errorResponseHandler)
        );

    return http.build();
}

`introspectionRequestConverter()`: Adds an `AuthenticationConverter` (pre-processor) used when attempting to extract an OAuth2 introspection request from `HttpServletRequest` to an instance of `OAuth2TokenIntrospectionAuthenticationToken`.

`introspectionRequestConverters()`: Sets the `Consumer` providing access to the `List` of default and (optionally) added `AuthenticationConverter`s, allowing you to add, remove, or customize a specific `AuthenticationConverter`.

`authenticationProvider()`: Adds an `AuthenticationProvider` (main processor) used for authenticating the `OAuth2TokenIntrospectionAuthenticationToken`.

`authenticationProviders()`: Sets the `Consumer` providing access to the `List` of default and (optionally) added `AuthenticationProvider`s, allowing you to add, remove, or customize a specific `AuthenticationProvider`.

`introspectionResponseHandler()`: The `AuthenticationSuccessHandler` (post-processor) used for handling an "authenticated" `OAuth2TokenIntrospectionAuthenticationToken` and returning the `OAuth2TokenIntrospection` response.

`errorResponseHandler()`: The `AuthenticationFailureHandler` (post-processor) used for handling an `OAuth2AuthenticationException` and returning the `OAuth2Error` response.

`OAuth2TokenIntrospectionEndpointConfigurer` configures the `OAuth2TokenIntrospectionEndpointFilter` and registers it with the OAuth2 authorization server `SecurityFilterChain` `@Bean`. `OAuth2TokenIntrospectionEndpointFilter` is the `Filter` that processes OAuth2 introspection requests.

`OAuth2TokenIntrospectionEndpointFilter` is configured with the following defaults:

  • AuthenticationConverter: An `OAuth2TokenIntrospectionAuthenticationConverter`.
  • AuthenticationManager: An `AuthenticationManager` composed of `OAuth2TokenIntrospectionAuthenticationProvider`.
  • AuthenticationSuccessHandler: An internal implementation that handles an "authenticated" `OAuth2TokenIntrospectionAuthenticationToken` and returns the `OAuth2TokenIntrospection` response.
  • AuthenticationFailureHandler: An internal implementation that uses the `OAuth2Error` associated with the `OAuth2AuthenticationException` and returns the `OAuth2Error` response.

OAuth2 Token Revocation Endpoint

`OAuth2TokenRevocationEndpointConfigurer` provides the ability to customize the OAuth2 Token Revocation endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 revocation requests.

`OAuth2TokenRevocationEndpointConfigurer` provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
        new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .tokenRevocationEndpoint(tokenRevocationEndpoint ->
            tokenRevocationEndpoint
                .revocationRequestConverter(revocationRequestConverter)
                .revocationRequestConverters(revocationRequestConvertersConsumer)
                .authenticationProvider(authenticationProvider)
                .authenticationProviders(authenticationProvidersConsumer)
                .revocationResponseHandler(revocationResponseHandler)
                .errorResponseHandler(errorResponseHandler)
        );

    return http.build();
}

`revocationRequestConverter()`: Adds an `AuthenticationConverter` (pre-processor) used when attempting to extract an OAuth2 revocation request from `HttpServletRequest` to an instance of `OAuth2TokenRevocationAuthenticationToken`.

`revocationRequestConverters()`: Sets the `Consumer` providing access to the `List` of default and (optionally) added `AuthenticationConverter`s, allowing you to add, remove, or customize a specific `AuthenticationConverter`.

`authenticationProvider()`: Adds an `AuthenticationProvider` (main processor) used for authenticating the `OAuth2TokenRevocationAuthenticationToken`.

`authenticationProviders()`: Sets the `Consumer` providing access to the `List` of default and (optionally) added `AuthenticationProvider`s, allowing you to add, remove, or customize a specific `AuthenticationProvider`.

`revocationResponseHandler()`: The `AuthenticationSuccessHandler` (post-processor) used for handling an "authenticated" `OAuth2TokenRevocationAuthenticationToken` and returning the OAuth2 revocation response.

`errorResponseHandler()`: The `AuthenticationFailureHandler` (post-processor) used for handling an `OAuth2AuthenticationException` and returning the `OAuth2Error` response.

`OAuth2TokenRevocationEndpointConfigurer` configures the `OAuth2TokenRevocationEndpointFilter` and registers it with the OAuth2 authorization server `SecurityFilterChain` `@Bean`. `OAuth2TokenRevocationEndpointFilter` is the `Filter` that processes OAuth2 revocation requests.

`OAuth2TokenRevocationEndpointFilter` is configured with the following defaults:

  • AuthenticationConverter: An `OAuth2TokenRevocationAuthenticationConverter`.
  • AuthenticationManager: An `AuthenticationManager` composed of `OAuth2TokenRevocationAuthenticationProvider`.
  • AuthenticationSuccessHandler: An internal implementation that handles an "authenticated" `OAuth2TokenRevocationAuthenticationToken` and returns the OAuth2 revocation response.
  • AuthenticationFailureHandler: An internal implementation that uses the `OAuth2Error` associated with the `OAuth2AuthenticationException` and returns the `OAuth2Error` response.

OAuth2 Authorization Server Metadata Endpoint

`OAuth2AuthorizationServerMetadataEndpointConfigurer` provides the ability to customize the OAuth2 Authorization Server Metadata endpoint. It defines an extension point that lets you customize the OAuth2 Authorization Server Metadata response.

`OAuth2AuthorizationServerMetadataEndpointConfigurer` provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
        new OAuth2AuthorizationServerConfigurer();
    http.apply(authorizationServerConfigurer);

    authorizationServerConfigurer
        .authorizationServerMetadataEndpoint(authorizationServerMetadataEndpoint ->
            authorizationServerMetadataEndpoint
                .authorizationServerMetadataCustomizer(authorizationServerMetadataCustomizer));

    return http.build();
}

`authorizationServerMetadataCustomizer()`: The `Consumer` providing access to the `OAuth2AuthorizationServerMetadata.Builder`, allowing you to customize the claims of the authorization server's configuration.

`OAuth2AuthorizationServerMetadataEndpointConfigurer` configures the `OAuth2AuthorizationServerMetadataEndpointFilter` and registers it with the OAuth2 authorization server `SecurityFilterChain` `@Bean`. `OAuth2AuthorizationServerMetadataEndpointFilter` is the `Filter` that returns the `OAuth2AuthorizationServerMetadata` response.

JWK Set Endpoint

`OAuth2AuthorizationServerConfigurer` provides support for the JWK Set endpoint.

`OAuth2AuthorizationServerConfigurer` configures the `NimbusJwkSetEndpointFilter` and registers it with the OAuth2 authorization server `SecurityFilterChain` `@Bean`. `NimbusJwkSetEndpointFilter` is the `Filter` that returns the JWK Set.

The JWK Set endpoint is configured only if a `JWKSource<SecurityContext>` `@Bean` is registered.

OpenID Connect 1.0 Provider Configuration Endpoint

`OidcProviderConfigurationEndpointConfigurer` provides the ability to customize the OpenID Connect 1.0 Provider Configuration endpoint. It defines an extension point
