I have a question about OAuth2 and Spring Security. Can you help? Thanks.
When I use spring-security-oauth2 (now deprecated), a messaging-client uses all four OAuth2 grant types, and a user has the authorities a1, a2, a3, ...
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    // @formatter:off
    clients.inMemory()
        .withClient("messaging-client")
        .authorizedGrantTypes("authorization_code", "refresh_token", "client_credentials", "password")
        .scopes("message.read", "message.write")
        .secret("{noop}secret")
        .redirectUris("http://localhost:8080/authorized");
    // @formatter:on
}

@Bean
public UserDetailsService users() throws Exception {
    User.UserBuilder users = User.withDefaultPasswordEncoder();
    InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
    manager.createUser(users.username("user1").password("password").roles("USER").build());
    // Note: authorities(...) replaces the list set by roles(...), so this user ends up
    // with a1..a8 only and no ROLE_USER / ROLE_ADMIN (the decoded token below confirms this).
    manager.createUser(users.username("admin").password("password").roles("USER", "ADMIN")
        .authorities("a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8").build());
    return manager;
}
Then I request a token and get the following:
{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IllQejQwR1NjRzZ5NDNnZjM4TmxUVVJobFVwRHdOUlZydVNkQVFYTUVXMnM9In0.eyJleHAiOjE2MjEzNjg4NjEsInVzZXJfbmFtZSI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiYTEiLCJhMiIsImEzIiwiYTQiLCJhNSIsImE2IiwiYTciLCJhOCJdLCJqdGkiOiI1MTdhOWQyYy1kMDZjLTRiNzAtODAwMC00NjhhNjEyNGY0MzkiLCJjbGllbnRfaWQiOiJtZXNzYWdpbmctY2xpZW50Iiwic2NvcGUiOlsibWVzc2FnZS5yZWFkIiwibWVzc2FnZS53cml0ZSJdfQ.d4c9p3RzgdC983cJqeGHNDOFr-pcTxCWMKEIgyTP9GHjMENHzQG2TQoUAXhXlzRJZn_e-QHVPCTphh4kG9RWBLYEM_8mpO3YY7l4pFs9JxV2H8w9L2exVzzgUAE4m4yT6-2-yrRYbQIBXuVLXPxylUaG__dNbr7txkhg-HeX2lDE7vK0kpT1wQqmWU-6G7RZzwZuUy1aYiwAkRILCdn6yP9h8D2HhHVzwNSDBMqowN7waZFBfpDYHzQsGiasY1NfiCJe6beEANhvNSeFd3FBwqZM32fVEX8I5jtgnRJZgbclBe6LJXwtNSxjtjfIQThuTML-EJ2pPMvqnSXDnPJLdg",
    "token_type": "bearer",
    "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IllQejQwR1NjRzZ5NDNnZjM4TmxUVVJobFVwRHdOUlZydVNkQVFYTUVXMnM9In0.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbIm1lc3NhZ2UucmVhZCIsIm1lc3NhZ2Uud3JpdGUiXSwiYXRpIjoiNTE3YTlkMmMtZDA2Yy00YjcwLTgwMDAtNDY4YTYxMjRmNDM5IiwiZXhwIjoxNjIzOTE3NjYxLCJhdXRob3JpdGllcyI6WyJhMSIsImEyIiwiYTMiLCJhNCIsImE1IiwiYTYiLCJhNyIsImE4Il0sImp0aSI6IjA1ZWRiNGEwLWQ5ZjMtNGVjOS05MzRkLWQ1MjljZmYzMzRlYiIsImNsaWVudF9pZCI6Im1lc3NhZ2luZy1jbGllbnQifQ.TzZARXqaiKPkKc53F3jRX57ObHoleZS9kNrAh_3dkvd4u6UF9vtfjFkaS2zP1uH4alE5U6ayLcu6k3OinLtoTkSuEvE5MbJ0ccffcLmNcRIw7DuoRyoT7n-hzTJ3z78be4iWlIxmKswyIUAl2vE2xB9IQwKjD_HOH5WnA2Fu5_OuiCNsXZZyRGbUVXqFM91wJe7iQsqjzzjhynzVReFmtblZ-hGR7a6Bo9OJj1wSsTlu8rbmLamqijCXrlj-RnLxyS1Hv9LWwKEwey7Mo2fExBQT0o2iNqtQk987DhUprln98IWxn-8H2T09cPJLjDyOg5vv-Q6GjCeKrqcVGkEVmQ",
    "expires_in": 43199,
    "scope": "message.read message.write",
    "jti": "517a9d2c-d06c-4b70-8000-468a6124f439"
}
Good. Then I decode the access_token and get this:
{
    "exp": 1621368861,
    "user_name": "admin",
    "authorities": [
        "a1",
        "a2",
        "a3",
        "a4",
        "a5",
        "a6",
        "a7",
        "a8"
    ],
    "jti": "517a9d2c-d06c-4b70-8000-468a6124f439",
    "client_id": "messaging-client",
    "scope": [
        "message.read",
        "message.write"
    ]
}
Good.
But I want to learn more about spring-security-oauth2, and there is no documentation.
Since spring-security-oauth2 is deprecated, I am now moving to Spring Authorization Server. But the password grant type is not supported, and I don't know whether spring-authorization-server will support it or not. So I want to contribute code.
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    OAuth2PasswordAuthenticationToken passwordAuthenticationToken =
            (OAuth2PasswordAuthenticationToken) authentication;
    // The client must have authenticated itself (client_id/secret) before we look at user credentials.
    OAuth2ClientAuthenticationToken clientPrincipal =
            getAuthenticatedClientElseThrowInvalidClient(passwordAuthenticationToken);
    RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();
    if (!registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.PASSWORD)) {
        throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT));
    }
    String username = passwordAuthenticationToken.getUsername();
    String password = passwordAuthenticationToken.getPassword();
    // Validate the resource owner password credentials. loadUserByUsername normally throws
    // UsernameNotFoundException for an unknown user; the null check is a fallback for
    // implementations that return null instead. (RFC 6749 section 5.2 specifies invalid_grant,
    // not invalid_client, for bad resource owner credentials.)
    UserDetails userDetails = userDetailsService.loadUserByUsername(username);
    if (userDetails == null || !this.passwordEncoder.matches(password, userDetails.getPassword())) {
        throwInvalidClient();
    }
    Collection<? extends GrantedAuthority> authorities = userDetails.getAuthorities();
    ......
The next step is to generate the access_token. Should I put all of the authorities into the access_token? What if the user has many authorities? Which claim should I use?
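As an added example (not code from the question's author or from Spring), the following Python script does the inspection the question describes by hand: it decodes the two tokens from the response above without checking the signature, to show that whatever goes into an "authorities" claim is readable by anyone holding the token, that the same list is duplicated into the much longer-lived refresh token, and how much of the payload the claim already takes up with eight short authorities. Only the standard library is used; the two token strings are copied from the response above.

```python
import base64
import json

# The two tokens from the question's token response, copied verbatim.
ACCESS_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IllQejQwR1NjRzZ5NDNnZjM4TmxUVVJobFVwRHdOUlZydVNkQVFYTUVXMnM9In0.eyJleHAiOjE2MjEzNjg4NjEsInVzZXJfbmFtZSI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiYTEiLCJhMiIsImEzIiwiYTQiLCJhNSIsImE2IiwiYTciLCJhOCJdLCJqdGkiOiI1MTdhOWQyYy1kMDZjLTRiNzAtODAwMC00NjhhNjEyNGY0MzkiLCJjbGllbnRfaWQiOiJtZXNzYWdpbmctY2xpZW50Iiwic2NvcGUiOlsibWVzc2FnZS5yZWFkIiwibWVzc2FnZS53cml0ZSJdfQ.d4c9p3RzgdC983cJqeGHNDOFr-pcTxCWMKEIgyTP9GHjMENHzQG2TQoUAXhXlzRJZn_e-QHVPCTphh4kG9RWBLYEM_8mpO3YY7l4pFs9JxV2H8w9L2exVzzgUAE4m4yT6-2-yrRYbQIBXuVLXPxylUaG__dNbr7txkhg-HeX2lDE7vK0kpT1wQqmWU-6G7RZzwZuUy1aYiwAkRILCdn6yP9h8D2HhHVzwNSDBMqowN7waZFBfpDYHzQsGiasY1NfiCJe6beEANhvNSeFd3FBwqZM32fVEX8I5jtgnRJZgbclBe6LJXwtNSxjtjfIQThuTML-EJ2pPMvqnSXDnPJLdg"
REFRESH_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IllQejQwR1NjRzZ5NDNnZjM4TmxUVVJobFVwRHdOUlZydVNkQVFYTUVXMnM9In0.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbIm1lc3NhZ2UucmVhZCIsIm1lc3NhZ2Uud3JpdGUiXSwiYXRpIjoiNTE3YTlkMmMtZDA2Yy00YjcwLTgwMDAtNDY4YTYxMjRmNDM5IiwiZXhwIjoxNjIzOTE3NjYxLCJhdXRob3JpdGllcyI6WyJhMSIsImEyIiwiYTMiLCJhNCIsImE1IiwiYTYiLCJhNyIsImE4Il0sImp0aSI6IjA1ZWRiNGEwLWQ5ZjMtNGVjOS05MzRkLWQ1MjljZmYzMzRlYiIsImNsaWVudF9pZCI6Im1lc3NhZ2luZy1jbGllbnQifQ.TzZARXqaiKPkKc53F3jRX57ObHoleZS9kNrAh_3dkvd4u6UF9vtfjFkaS2zP1uH4alE5U6ayLcu6k3OinLtoTkSuEvE5MbJ0ccffcLmNcRIw7DuoRyoT7n-hzTJ3z78be4iWlIxmKswyIUAl2vE2xB9IQwKjD_HOH5WnA2Fu5_OuiCNsXZZyRGbUVXqFM91wJe7iQsqjzzjhynzVReFmtblZ-hGR7a6Bo9OJj1wSsTlu8rbmLamqijCXrlj-RnLxyS1Hv9LWwKEwey7Mo2fExBQT0o2iNqtQk987DhUprln98IWxn-8H2T09cPJLjDyOg5vv-Q6GjCeKrqcVGkEVmQ"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_unverified(token):
    """Return (header, payload) as dicts.

    No signature check is performed: this shows only what any holder of the
    token can read, not that the token is trustworthy. A resource server must
    still verify the RS256 signature against the issuer's key before trusting claims.
    """
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def authorities_share(payload):
    """Fraction of the compact-JSON payload occupied by the 'authorities' claim."""
    compact = {"separators": (",", ":")}
    total = len(json.dumps(payload, **compact).encode())
    claim = len(json.dumps({"authorities": payload.get("authorities", [])}, **compact).encode())
    return claim / total


def compare_tokens(access, refresh):
    """Cross-check the access and refresh token payloads from the same response."""
    _, a = decode_jwt_unverified(access)
    _, r = decode_jwt_unverified(refresh)
    return {
        "same_authorities": a.get("authorities") == r.get("authorities"),
        "refresh_points_at_access": r.get("ati") == a.get("jti"),
        "refresh_outlives_access_by_s": r["exp"] - a["exp"],
    }


if __name__ == "__main__":
    header, payload = decode_jwt_unverified(ACCESS_TOKEN)
    print(header["alg"], payload["authorities"])
    print(compare_tokens(ACCESS_TOKEN, REFRESH_TOKEN))
    print("authorities share of payload: %.2f" % authorities_share(payload))
```

With eight two-character authorities the claim is already about a quarter of the payload, and the same list travels inside a refresh token that outlives the access token by roughly thirty days; that is the trade-off behind the question of which claim, if any, should carry the full authority list.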