security-oauth2定制oauth2令牌请求的授权头?

jtoj6r0c  于 2021-09-29  发布在  Java
关注(0)|答案(1)|浏览(581)

我正在尝试通过网络客户端电话升级到SpringSecurity 5.5.1。我发现oauth2 clientid和secret现在是url编码的 AbstractWebClientReactiveOAuth2AccessTokenResponseClient ,但我的令牌提供程序不支持此操作(例如,如果机密包含 + 字符仅当它作为 + 不如 %2B ). 我知道这被看作是spring安全方面的一个bug修复),但我不能让令牌提供者轻易地改变其行为。
所以我试着找到一种方法来解决这个问题。
[文件](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#customizing-当您使用webclient配置(这是我的情况)时,关于如何自定义访问令牌请求的访问令牌请求似乎不适用。
为了删除clientid/secret编码,我必须从中扩展和复制大部分现有代码 AbstractWebClientReactiveOAuth2AccessTokenResponseClient 自定义 WebClientReactiveClientCredentialsTokenResponseClient 因为它的大部分都具有私有/默认可见性。我在spring安全项目中的一个增强问题中对此进行了跟踪。
是否有更简单的方法自定义令牌请求的授权头,以跳过url编码?

spring-securityspring-webfluxspring-security-oauth2spring-webclient

1条答案

按热度按时间
wdebmtf2

wdebmtf21#

关于定制的一些API肯定有改进的余地,而且可以肯定的是,来自社区的这些类型的问题/请求/问题将继续有助于突出这些领域。
关于 AbstractWebClientReactiveOAuth2AccessTokenResponseClient 特别是,目前无法重写内部方法来填充数据库中的基本身份验证凭据 Authorization 标题。但是,您可以自定义 WebClient 用于进行api调用的。如果它在您的用例中是可接受的(暂时,在处理行为更改和/或添加自定义选项时),您应该能够在 WebClient .
下面是一个将创建 WebClient 能够使用 OAuth2AuthorizedClient :

  1. @Configuration
  2. public class WebClientConfiguration {
  4.     @Bean
  5.     public WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
  6.         // @formatter:off
  7.         ServerOAuth2AuthorizedClientExchangeFilterFunction exchangeFilterFunction =
  8.                 new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
  9.         exchangeFilterFunction.setDefaultOAuth2AuthorizedClient(true);
  11.         return WebClient.builder()
  12.                 .filter(exchangeFilterFunction)
  13.                 .build();
  14.         // @formatter:on
  15.     }
  17.     @Bean
  18.     public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
  19.             ReactiveClientRegistrationRepository clientRegistrationRepository,
  20.             ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
  21.         // @formatter:off
  22.         WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
  23.                 new WebClientReactiveClientCredentialsTokenResponseClient();
  24.         accessTokenResponseClient.setWebClient(createAccessTokenResponseWebClient());
  26.         ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
  27.                 ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
  28.                         .clientCredentials(consumer ->
  29.                                 consumer.accessTokenResponseClient(accessTokenResponseClient)
  30.                                         .build())
  31.                         .build();
  33.         DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
  34.                 new DefaultReactiveOAuth2AuthorizedClientManager(
  35.                         clientRegistrationRepository, authorizedClientRepository);
  36.         authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
  37.         // @formatter:on
  39.         return authorizedClientManager;
  40.     }
  42.     protected WebClient createAccessTokenResponseWebClient() {
  43.         // @formatter:off
  44.         return WebClient.builder()
  45.                 .filter((clientRequest, exchangeFunction) -> {
  46.                     HttpHeaders headers = clientRequest.headers();
  47.                     String authorizationHeader = headers.getFirst("Authorization");
  48.                     Assert.notNull(authorizationHeader, "Authorization header cannot be null");
  49.                     Assert.isTrue(authorizationHeader.startsWith("Basic "),
  50.                             "Authorization header should start with Basic");
  51.                     String encodedCredentials = authorizationHeader.substring("Basic ".length());
  52.                     byte[] decodedBytes = Base64.getDecoder().decode(encodedCredentials);
  53.                     String credentialsString = new String(decodedBytes, StandardCharsets.UTF_8);
  54.                     Assert.isTrue(credentialsString.contains(":"), "Decoded credentials should contain a \":\"");
  55.                     String[] credentials = credentialsString.split(":");
  56.                     String clientId = URLDecoder.decode(credentials[0], StandardCharsets.UTF_8);
  57.                     String clientSecret = URLDecoder.decode(credentials[1], StandardCharsets.UTF_8);
  59.                     ClientRequest newClientRequest = ClientRequest.from(clientRequest)
  60.                             .headers(httpHeaders -> httpHeaders.setBasicAuth(clientId, clientSecret))
  61.                             .build();
  62.                     return exchangeFunction.exchange(newClientRequest);
  63.                 })
  64.                 .build();
  65.         // @formatter:on
  66.     }
  68. }

此测试演示了为内部访问令牌响应解码凭据 WebClient :

  1. @ExtendWith(MockitoExtension.class)
  2. public class WebClientConfigurationTests {
  4.     private WebClientConfiguration webClientConfiguration;
  6.     @Mock
  7.     private ExchangeFunction exchangeFunction;
  9.     @Captor
  10.     private ArgumentCaptor<ClientRequest> clientRequestCaptor;
  12.     @BeforeEach
  13.     public void setUp() {
  14.         webClientConfiguration = new WebClientConfiguration();
  15.     }
  17.     @Test
  18.     public void exchangeWhenBasicAuthThenDecoded() {
  19.         WebClient webClient = webClientConfiguration.createAccessTokenResponseWebClient()
  20.                 .mutate()
  21.                 .exchangeFunction(exchangeFunction)
  22.                 .build();
  23.         when(exchangeFunction.exchange(any(ClientRequest.class)))
  24.                 .thenReturn(Mono.just(ClientResponse.create(HttpStatus.OK).build()));
  26.         webClient.post()
  27.                 .uri("/oauth/token")
  28.                 .headers(httpHeaders -> httpHeaders.setBasicAuth("aladdin", URLEncoder.encode("open sesame", StandardCharsets.UTF_8)))
  29.                 .retrieve()
  30.                 .bodyToMono(Void.class)
  31.                 .block();
  33.         verify(exchangeFunction).exchange(clientRequestCaptor.capture());
  35.         ClientRequest clientRequest = clientRequestCaptor.getValue();
  36.         String authorizationHeader = clientRequest.headers().getFirst("Authorization");
  37.         assertThat(authorizationHeader).isNotNull();
  38.         String encodedCredentials = authorizationHeader.substring("Basic ".length());
  39.         byte[] decodedBytes = Base64.getDecoder().decode(encodedCredentials);
  40.         String credentialsString = new String(decodedBytes, StandardCharsets.UTF_8);
  41.         String[] credentials = credentialsString.split(":");
  43.         assertThat(credentials[0]).isEqualTo("aladdin");
  44.         assertThat(credentials[1]).isEqualTo("open sesame");
  45.     }
  47. }
展开查看全部
赞(0)分享  回复(0)举报  2021-09-29
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com