Reading this article you will learn about the default configuration of Spring Authorization Server: registering a new client, testing the endpoints, JWT customization, and reference vs. self-contained tokens.
Spring has released its own OAuth2 solution; in this article we walk through the default configuration that ships with the Spring authorization server. How OAuth 2.0 itself works is out of scope here, and readers are expected to have a basic understanding of it.
In this and the following articles I will focus on the technical side of the Spring OAuth 2.0 solution.
Default configuration
Spring Authorization Server ships with a set of defaults; they can be customized by configuring the server and its clients in the application.yml configuration file. The OAuth 2.0 flows (grant types) are:
- Client credentials flow (/oauth2/token endpoint)
- Authorization code flow (including PKCE)
- Resource owner password credentials flow (deprecated)
- Implicit flow (the code flow without the code exchange; deprecated)
- Device authorization flow
Note that the password and implicit grants were removed in the OAuth 2.1 draft and are not implemented by Spring Authorization Server: a token request with grant_type=password is rejected with unsupported_grant_type, and an authorization request with response_type=token with unsupported_response_type. Only the grants listed in the client registration below actually work against it.
The configuration details can be found in the sample repository on GitHub.
For the defaults, refer to the server configuration in that repository to see how the default server configuration is used.
The AuthorizationServerTest in the same repository shows how the different endpoints can be verified with a functional test. For that test to succeed the OAuth server must be running; start it from your IDE or run the AuthorizationServerApplication class from the command line with:
mvn spring-boot:run
Let's look at the configuration of the sample client "spring" (you can name it anything you like) and discuss the meaning of each property below. Note that the YAML indentation matters: registration holds the client's identity and protocol data, while require-authorization-consent (and token, shown later) are client-level settings beside it.
spring:
  security:
    oauth2:
      authorizationserver:
        client:
          spring:
            registration:
              client-id: "spring-test"            # the name used in other configurations to refer to this client
              client-secret: "sMJ1ltm5wxdcOeEJGaE6WdFj9ArR75wkBqUgVE7vwwo="   # encoded value (the sample uses D3PasswordEncoder)
              client-authentication-methods:      # methods the client may use to authenticate itself
                - "client_secret_basic"
                - "client_secret_post"
              authorization-grant-types:          # the flows this client supports
                - "authorization_code"
                - "refresh_token"
                - "client_credentials"
              redirect-uris:                      # URIs the authorization code may be delivered to after a successful authorization
                - "https://127.0.0.1:9443/"
                - "https://127.0.0.1:9443/login/oauth2/code/spring"
              post-logout-redirect-uris:
                - "http://127.0.0.1:8080/"
              scopes:
                - "openid"
                - "profile"
                - "email"
            require-authorization-consent: true   # client-level setting, not part of registration
- client-id: the unique id assigned to the client. Every call the client makes to the authorization server carries it, and the server uses it to look up the client and its configuration.
- client-secret: the secret the client presents to authenticate itself when calling the authorization server. It is stored in encoded form: with the default DelegatingPasswordEncoder the stored value must carry an {id} prefix such as {bcrypt}..., otherwise client authentication fails with "There is no PasswordEncoder mapped for the id null". The sample repository uses its own encoder for this value.
- client-authentication-methods: the methods the client may use to authenticate itself:
  - client_secret_basic: HTTP Basic authentication, credentials sent in the Authorization header (httpHeaders -> httpHeaders.setBasicAuth(TEST_CLIENT_ID, TEST_SECRET))
  - client_secret_post: credentials sent as client_id and client_secret parameters in the request body (application/x-www-form-urlencoded)
- authorization-grant-types: the grant types this client is allowed to use. A request with a grant type not listed here is rejected with unauthorized_client.
- redirect-uris: the redirect URIs the client may use when starting the authorization_code flow. The redirect_uri in the authorization request must match one of them exactly (no wildcards; only a loopback address such as 127.0.0.1 may vary its port, per RFC 8252), and Spring Authorization Server rejects "localhost" in redirect URIs, which is why the sample uses 127.0.0.1. The /login/oauth2/code/spring path is the default redirect template of a Spring Security OAuth2 client with registration id "spring".
- post-logout-redirect-uris: the URI(s) the browser may be sent to after a successful OpenID Connect RP-initiated logout via /connect/logout
- scopes: the scopes the client may request
- require-authorization-consent: whether the resource owner must approve the requested scopes on a consent page during the authorization code flow
Some defaults that are worth knowing but do not appear in the various samples are:
- The access token format defaults to self-contained (JWT); it can be switched to an opaque (reference) token by configuration.
- Refresh token TTL is 60 minutes.
- Access token TTL is 5 minutes.
- Authorization code TTL is 5 minutes.
- Refresh tokens are reused by default (reuse-refresh-tokens: true), i.e. a refresh does not rotate the refresh token.
- The consent page is disabled by default.
These defaults can be overridden per client in application.yml. The key under client: must be the same registration key used for the client above, and token: sits beside registration:, not inside it:
spring:
  security:
    oauth2:
      authorizationserver:
        client:
          spring:
            require-authorization-consent: true
            token:
              access-token-format: reference
              authorization-code-time-to-live: PT10M
              access-token-time-to-live: PT10M
              refresh-token-time-to-live: PT2H
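The same client and the overridden token settings can also be declared programmatically. The following is an added example, not code from the original article or its sample repository: it builds the "spring" client from the YAML above as a RegisteredClient bean with the TokenSettings from the override, and goes slightly beyond the YAML by also requiring PKCE and disabling refresh-token reuse. The property name app.spring-client.raw-secret is an assumption used to keep the raw secret out of source.

```java
import java.time.Duration;
import java.util.UUID;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;

/**
 * Added example: the "spring" client from the YAML, declared as a bean.
 * app.spring-client.raw-secret is an assumed property holding the raw secret.
 */
@Configuration
public class RegisteredClientConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Produces {id}-prefixed values such as "{bcrypt}$2a$10$...", the format the
        // server's client-secret check expects by default.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public RegisteredClientRepository registeredClientRepository(
            PasswordEncoder encoder,
            @Value("${app.spring-client.raw-secret}") String rawSecret) {

        ClientSettings clientSettings = ClientSettings.builder()
                .requireAuthorizationConsent(true)   // consent page in the code flow (default: false)
                .requireProofKey(true)               // PKCE mandatory for this client (default: false)
                .build();

        TokenSettings tokenSettings = TokenSettings.builder()
                .accessTokenFormat(OAuth2TokenFormat.REFERENCE)       // opaque token; default is SELF_CONTAINED (JWT)
                .authorizationCodeTimeToLive(Duration.ofMinutes(10))  // default PT5M
                .accessTokenTimeToLive(Duration.ofMinutes(10))        // default PT5M
                .refreshTokenTimeToLive(Duration.ofHours(2))          // default PT60M
                .reuseRefreshTokens(false)                            // rotate on refresh; default is true
                .build();

        // The id keys persisted authorizations; use a stable value instead of a random
        // UUID if you move from the in-memory repository to the JDBC one.
        RegisteredClient spring = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("spring-test")
                .clientSecret(encoder.encode(rawSecret))
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .redirectUri("https://127.0.0.1:9443/")
                .redirectUri("https://127.0.0.1:9443/login/oauth2/code/spring")
                .postLogoutRedirectUri("http://127.0.0.1:8080/")
                .scope(OidcScopes.OPENID)
                .scope(OidcScopes.PROFILE)
                .scope(OidcScopes.EMAIL)
                .clientSettings(clientSettings)
                .tokenSettings(tokenSettings)
                .build();

        return new InMemoryRegisteredClientRepository(spring);
    }
}
```

Declaring a RegisteredClientRepository bean makes Spring Boot's property-based client registration back off, so clients listed under spring.security.oauth2.authorizationserver.client are no longer loaded; pick one of the two mechanisms.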
Default security filter chain
I sometimes wonder how a security framework has to be wired for it to work, so I have tried to put together below how the application is assembled from the different configurations, filters and properties.
Starting from the application's (Tomcat) FilterChain, there are five filters:
- ApplicationFilterConfig (characterEncodingFilter)
- ApplicationFilterConfig (formContentFilter)
- ApplicationFilterConfig (requestContextFilter)
- ApplicationFilterConfig (springSecurityFilterChain)
- ApplicationFilterConfig (Tomcat WebsocketFilter-JSR356)
ApplicationFilterConfig (springSecurityFilterChain)
The ApplicationFilterConfig named "springSecurityFilterChain" holds the Spring Security filter instance, which is created when the web application starts. The filter registered under that name comes from a DelegatingFilterProxyRegistrationBean. DelegatingFilterProxyRegistrationBean is a ServletContextInitializer; it registers a DelegatingFilterProxy and stores the bean name of the actual delegate:
Filter (DelegatingFilterProxyRegistrationBean) [springSecurityFilterChain urls=[/*] order=-100]
public class DelegatingFilterProxyRegistrationBean extends AbstractFilterRegistrationBean implements ApplicationContextAware
DelegatingFilterProxy
Spring's filter implementation that bridges the servlet container and Spring's ApplicationContext: the container only knows this one filter, which delegates every request to the bean named springSecurityFilterChain, a FilterChainProxy.
FilterChainProxy
Holds the Spring Security filter chains. For the OAuth authorization server there are two security filter chains (DefaultSecurityFilterChain): one for the OAuth2 endpoints and one for everything else. The first chain whose RequestMatcher matches the request handles it, so the OAuth2 chain has to be ordered before the catch-all chain.
Filter chains overview

DefaultSecurityFilterChain (OAuth2 endpoints)
- RequestMatcher (OAuth2AuthorizationServerConfigurer), an Or over the matchers contributed by the individual endpoint configurers:
  - OAuth2ClientAuthenticationConfigurer: POST /oauth2/token, POST /oauth2/introspect, POST /oauth2/revoke, POST /oauth2/device_authorization
  - OAuth2AuthorizationServerMetadataEndpointConfigurer: GET /.well-known/oauth-authorization-server
  - OAuth2AuthorizationEndpointConfigurer: GET and POST /oauth2/authorize
  - OAuth2TokenEndpointConfigurer: POST /oauth2/token
  - OAuth2TokenIntrospectionEndpointConfigurer: POST /oauth2/introspect
  - OAuth2TokenRevocationEndpointConfigurer: POST /oauth2/revoke
  - OAuth2DeviceAuthorizationEndpointConfigurer: POST /oauth2/device_authorization
  - OAuth2DeviceVerificationEndpointConfigurer: GET and POST /oauth2/device_verification
  - OidcConfigurer: OidcProviderConfigurationEndpointConfigurer GET /.well-known/openid-configuration; OidcLogoutEndpointConfigurer GET and POST /connect/logout; OidcUserInfoEndpointConfigurer GET and POST /userinfo
  - NimbusJwkSetEndpointFilter: GET /oauth2/jwks
- Filters (25):
  0 DisableEncodeUrlFilter
  1 WebAsyncManagerIntegrationFilter
  2 SecurityContextHolderFilter
  3 AuthorizationServerContextFilter
  4 HeaderWriterFilter
  5 CsrfFilter
  6 OidcLogoutEndpointFilter
  7 LogoutFilter
  8 OAuth2AuthorizationServerMetadataEndpointFilter
  9 OAuth2AuthorizationEndpointFilter
  10 OAuth2DeviceVerificationEndpointFilter
  11 OidcProviderConfigurationEndpointFilter
  12 NimbusJwkSetEndpointFilter
  13 OAuth2ClientAuthenticationFilter
  14 BearerTokenAuthenticationFilter
  15 RequestCacheAwareFilter
  16 SecurityContextHolderAwareRequestFilter
  17 AnonymousAuthenticationFilter
  18 ExceptionTranslationFilter
  19 AuthorizationFilter
  20 OAuth2TokenEndpointFilter
  21 OAuth2TokenIntrospectionEndpointFilter
  22 OAuth2TokenRevocationEndpointFilter
  23 OAuth2DeviceAuthorizationEndpointFilter
  24 OidcUserInfoEndpointFilter

DefaultSecurityFilterChain (other endpoints)
- RequestMatcher: AnyRequestMatcher
- Filters (14):
  0 DisableEncodeUrlFilter
  1 WebAsyncManagerIntegrationFilter
  2 SecurityContextHolderFilter
  3 HeaderWriterFilter
  4 CsrfFilter
  5 LogoutFilter
  6 UsernamePasswordAuthenticationFilter
  7 DefaultLoginPageGeneratingFilter
  8 DefaultLogoutPageGeneratingFilter
  9 RequestCacheAwareFilter
  10 SecurityContextHolderAwareRequestFilter
  11 AnonymousAuthenticationFilter
  12 ExceptionTranslationFilter
  13 AuthorizationFilter

Note the division of labour: the OAuth2 chain has no UsernamePasswordAuthenticationFilter. Its endpoints authenticate either the client (OAuth2ClientAuthenticationFilter, for /oauth2/token, /oauth2/introspect, /oauth2/revoke and /oauth2/device_authorization) or a bearer token (BearerTokenAuthenticationFilter, for /userinfo), while an unauthenticated browser arriving at /oauth2/authorize is redirected to the login page served by the second chain's form login.
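The two chains in the dump come from two SecurityFilterChain beans. As an added example (not from the original article; Spring Boot's auto-configuration produces the equivalent when the application declares no SecurityFilterChain bean), this is how they are declared explicitly in the Spring Authorization Server 1.x style, with comments tying each call to the filters seen above:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

/** Added example: the two filter chains from the dump, declared explicitly. */
@Configuration
public class SecurityFilterChainConfig {

    // Chain 1: matches only the protocol endpoints (the Or-matcher in the dump).
    // @Order(1) makes FilterChainProxy consult it before the catch-all chain.
    @Bean
    @Order(1)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        // Registers the OAuth2 endpoint filters and AuthorizationServerContextFilter.
        // (Deprecated in newer releases in favour of
        // http.with(OAuth2AuthorizationServerConfigurer.authorizationServer(), ...).)
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                // adds /.well-known/openid-configuration, /userinfo and /connect/logout
                .oidc(Customizer.withDefaults());
        http
                // an unauthenticated browser on /oauth2/authorize is sent to the login page
                // served by chain 2 instead of getting a bare 401
                .exceptionHandling(ex -> ex.defaultAuthenticationEntryPointFor(
                        new LoginUrlAuthenticationEntryPoint("/login"),
                        new MediaTypeRequestMatcher(MediaType.TEXT_HTML)))
                // /userinfo is protected by the access token: this is the
                // BearerTokenAuthenticationFilter at position 14 of the dump
                .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Chain 2: AnyRequestMatcher catch-all. formLogin() contributes the
    // UsernamePasswordAuthenticationFilter and the Default*PageGeneratingFilters.
    @Bean
    @Order(2)
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
                .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

If the @Order annotations are swapped or omitted, the catch-all chain may be consulted first and the OAuth2 endpoints end up behind the form login, which is the most common cause of a login page appearing on /oauth2/token.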
Default responses
Token endpoint
By default the token response of the /oauth2/token endpoint (here for the client_credentials grant, which is why the subject of the token below is the client id) is:
{
"access_token":"eyJraWQiOiJiOTM0NjIyMy00ZWJiLTQyZjItYTAyYy1hNDlkNDQwOWRlMjEiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjYwNjAiLCJzdWIiOiJzcHJpbmctdGVzdCIsImF1ZCI6InNwcmluZy10ZXN0IiwibmJmIjoxNjk3MTgzODU2LCJleHAiOjE2OTcxODQxNTYsImlhdCI6MTY5NzE4Mzg1Nn0.KzYvm4YAuLRvpF9eco-z1ESbYU-MCChvxbdEPuGgQN-8seco8MgLWWoGM4dbbMRBJLe3Rv3YAEGhJ9qqenNtpFmVnysAUFqw_S8GEUpPlXzzRTnV_qoeqY9YVazCn9TonJJkjzj_RATTHgDx4TD6ZXSP963L5fwNjLtQ2Cp_yoi5R8WDgMkpvOubmuhjAxYpRH7rBH3qzNWo3vqRPuWreeoyaRyK-9HNOTKxT3vj7aLkTK1wyxzfPxliXXXMJ4IsxjxUOTfzzfHF9qmOYZCoCCgVtNlopsSKmjJKRID8UVugzmYQx1pZkUSPMOxiz1AloEX1-6DhgoC3lMi0-Ez6pQ",
"token_type":"Bearer",
"expires_in":299
}
Decoding the access_token, for example with jwt.io, shows the claims issued in the token. Keep in mind that such a decoder only base64-decodes the segments and does not verify the signature, and that tokens pasted into a third-party site should be development tokens only. The default claim set is:
{
"iss": "http://localhost:6060",
"sub": "spring-test",
"aud": "spring-test",
"nbf": 1697183856,
"exp": 1697184156,
"iat": 1697183856
}
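A resource server that receives this token must do more than decode it. As an added example (not from the original article), here is how a Spring Security resource server validates the default claims above with NimbusJwtDecoder: it fetches the signing key by kid from the /oauth2/jwks endpoint listed in the filter chain, and checks exp/nbf and iss. The important detail is that JwtValidators.createDefaultWithIssuer does not check aud, so the audience validator is added explicitly. It assumes spring-security-oauth2-jose on the classpath; the issuer http://localhost:6060 and the audience spring-test are the values from the claims above.

```java
import java.util.List;

import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

/** Added example: a decoder that validates iss, exp/nbf and aud of the default JWT. */
public final class AudienceAwareJwtDecoder {

    private AudienceAwareJwtDecoder() {
    }

    /**
     * @param issuer           exactly the "iss" value the server mints, e.g. http://localhost:6060
     *                         (scheme, host and port must match; a trailing slash breaks it)
     * @param expectedAudience the value that must appear in "aud", e.g. spring-test
     */
    public static JwtDecoder create(String issuer, String expectedAudience) {
        // Signing keys are fetched from the JWK Set endpoint and selected by the "kid"
        // header of the token; the JWK Set URI is /oauth2/jwks by default.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(issuer + "/oauth2/jwks").build();

        // Checks exp and nbf (with clock skew) and that "iss" equals the issuer. It does
        // NOT check "aud": without the extra validator a token minted for another client
        // of the same server would be accepted here.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> withAudience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(expectedAudience));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, withAudience));
        return decoder;
    }

    /** Decodes and validates the token; throws JwtException (invalid_token) on any failure. */
    public static String subjectOf(JwtDecoder decoder, String bearerToken) {
        Jwt jwt = decoder.decode(bearerToken);
        return jwt.getSubject();
    }

    /** The "scope" claim as a list; empty for the client_credentials token above, which carries none. */
    public static List<String> scopesOf(JwtDecoder decoder, String bearerToken) {
        List<String> scopes = decoder.decode(bearerToken).getClaimAsStringList("scope");
        return scopes == null ? List.of() : scopes;
    }
}
```

Expose the result of create(...) as a JwtDecoder bean and the oauth2ResourceServer().jwt() configurer picks it up instead of building its own from spring.security.oauth2.resourceserver.jwt.issuer-uri.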
Metadata endpoints
1. http://localhost:6060/.well-known/oauth-authorization-server
2. http://localhost:6060/.well-known/openid-configuration
The metadata endpoints describe the authorization server's and the OpenID provider's current configuration and the endpoints they expose: issuer, authorization/token/introspection/revocation endpoints, the JWK Set URI, and the supported grant types, scopes and signing algorithms. Clients and resource servers should discover the endpoints from here rather than hard-coding them.
Code flow token response (/oauth2/token)
{
"access_token":"eyJraWQiOiI4M2ZiMmRhYy1hZGNlLTRkNzgtODlhYy0wOGQzM2U3OGRmNGMiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMSIsImF1ZCI6InNwcmluZy10ZXN0IiwibmJmIjoxNjk4MTUxODMzLCJzY29wZSI6WyJvcGVuaWQiLCJwcm9maWxlIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NjA2MCIsImV4cCI6MTY5ODE1MjEzMywiaWF0IjoxNjk4MTUxODMzfQ.jbNg1MyrL-9kHpfhhkarNfSq1VuS3fPJUZyXjSaliuaziKZzSrma2OyUtVrrPJYzv7FMk-pGrTZVJLZ8f6Jayq2IbHkuWl2XYexRRQmUUDSeC3WMxDhWqezqRc-AEyrTQXm2d0HNs0zdJX9H28bSpGg_SADuKuN-vLuFp3_5w2utveuYxq1e2Ts-IXE-9ulf9O19Mj0Wf9hgENTOZiKbqUWvvoZwXhsx4LzPXqGKM0MbZTS6kFpdSZIgzcbaPzcMX_Vq_B2AU9_UAlJua2Vzxh-9rdJ7SPDVxT-ezoUGp61c1s5eDop2zNszjDqd7kE4qepCiJy6bUuwvP7yewdreg",
"refresh_token":"ARM4_nA8LFzFajbTOzJjN1OTGByZAFu9HGoDeZ9mfciY9vEv5XbWc7MuzcQnAArZMMnB_ydsCxsLRC4HY4u0oh9DscHySysYPXb1BE-7JBwcdH_hVKM3pXWmO4NEiDY",
"scope":"openid profile",
"id_token":"eyJraWQiOiI4M2ZiMmRhYy1hZGNlLTRkNzgtODlhYy0wOGQzM2U3OGRmNGMiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMSIsImF1ZCI6InNwcmluZy10ZXN0IiwiYXpwIjoic3ByaW5nLXRlc3QiLCJhdXRoX3RpbWUiOjE2OTgxNTE4MzMsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NjA2MCIsImV4cCI6MTY5ODE1MzYzMywiaWF0IjoxNjk4MTUxODMzLCJzaWQiOiJfVmYzY1ZTREd1UDQtMEN6czNzR1BxQTZkaUk1ZjB1TE1pT1BkUzd3Z0c4In0.QDHOUa2p8RZKHVuhnHUsvMX-HmEvsGXXQ6QgfidXEMO0vDxJilmYIWW90z9Etc2cJ1SjfFk4OrUZWQF2foa2secatuAeffTbUx_9lTPD4KT_xzg9SsP69tHt55J2U35FcFef2WHuGF06MOj2hr6dVqlk8B5ORV0z_XiBM9FBEmnraLvXWtXtlwp_-jGA95O7y2U8SZt9H8wns-IpatXshB8lnUk-P5NjV8-CUwqtb9FHKOr9ie4KSXHQ8IpY2FaBMI0nA4E_hCUV2xpP_nBAb7Prh5EDYoCFkjHtO5ZXe-VYhyff9AydPzFsdSmEeF6BEK6SeJPBXRUvtL_bZykjdA",
"token_type":"Bearer",
"expires_in":299
}
At the end of the authorization code flow the code is delivered to the client's redirect_uri; the client's backend collects it and exchanges it at the token endpoint /oauth2/token. Because the request included the openid scope, the response also carries an id_token, and because the client has the refresh_token grant it receives a refresh_token alongside the access_token.
Introspection response while the token is active
{
"active": true,
"client_id": "spring-test",
"iat": 1698151833,
"exp": 1698155433
}
Introspection response after revocation
{
"active": false,
"iat": 0,
"exp": 0
}
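The sequence behind the two introspection responses above (token issued, introspected, revoked, introspected again) is the kind of check the AuthorizationServerTest mentioned earlier performs. The following JUnit 5 test is an added example, not the repository's test: it targets a running server at http://localhost:6060 with the spring-test client from the configuration above and exercises both client authentication methods. The raw client secret is an assumption, read from the environment variable SPRING_TEST_CLIENT_SECRET; the JDK HttpClient sends the requests and Jackson (present on every Spring Boot classpath) parses the responses.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.NullNode;
import org.junit.jupiter.api.Test;

import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;

/** Added example: functional test of /oauth2/token, /oauth2/introspect and /oauth2/revoke. */
class TokenEndpointIT {

    private static final String ISSUER = "http://localhost:6060";              // assumed server address
    private static final String CLIENT_ID = "spring-test";
    private static final String CLIENT_SECRET = Objects.requireNonNull(       // assumed: raw secret from the environment
            System.getenv("SPRING_TEST_CLIENT_SECRET"), "set SPRING_TEST_CLIENT_SECRET");

    private final HttpClient http = HttpClient.newHttpClient();
    private final ObjectMapper json = new ObjectMapper();

    private static String form(Map<String, String> params) {
        return params.entrySet().stream()
                .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                        + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
                .collect(Collectors.joining("&"));
    }

    private static String basicAuth() {
        return "Basic " + Base64.getEncoder().encodeToString(
                (CLIENT_ID + ":" + CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));
    }

    /** POSTs a form body and returns the parsed JSON (NullNode for the empty revoke response). */
    private JsonNode post(String path, String authHeader, Map<String, String> params) throws Exception {
        HttpRequest.Builder builder = HttpRequest.newBuilder(URI.create(ISSUER + path))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form(params)));
        if (authHeader != null) {
            builder.header("Authorization", authHeader);
        }
        HttpResponse<String> response = http.send(builder.build(), HttpResponse.BodyHandlers.ofString());
        assertEquals(200, response.statusCode(), response.body());
        return response.body().isBlank() ? NullNode.getInstance() : json.readTree(response.body());
    }

    @Test
    void clientSecretBasic_thenIntrospect_thenRevoke() throws Exception {
        // client_secret_basic: credentials travel in the Authorization header
        JsonNode token = post("/oauth2/token", basicAuth(), Map.of("grant_type", "client_credentials"));
        assertEquals("Bearer", token.get("token_type").asText());
        assertTrue(token.get("expires_in").asInt() <= 300);       // 5 minute default TTL (299 above)
        String accessToken = token.get("access_token").asText();

        JsonNode active = post("/oauth2/introspect", basicAuth(), Map.of("token", accessToken));
        assertTrue(active.get("active").asBoolean());
        assertEquals(CLIENT_ID, active.get("client_id").asText());

        // RFC 7009: revocation answers 200 with an empty body, even for unknown tokens,
        // so the only observable effect is the introspection result afterwards.
        post("/oauth2/revoke", basicAuth(), Map.of("token", accessToken));

        JsonNode revoked = post("/oauth2/introspect", basicAuth(), Map.of("token", accessToken));
        assertFalse(revoked.get("active").asBoolean());
    }

    @Test
    void clientSecretPost() throws Exception {
        // client_secret_post: credentials travel in the form body instead of a header
        JsonNode token = post("/oauth2/token", null, Map.of(
                "grant_type", "client_credentials",
                "client_id", CLIENT_ID,
                "client_secret", CLIENT_SECRET));
        assertEquals("Bearer", token.get("token_type").asText());
    }
}
```

Introspection and revocation are client-authenticated endpoints, so the same Basic credentials are sent on every call; a client can only introspect or revoke tokens that were issued to it.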
I hope you found this article informative. In another article I will go into more detail on customizing the token response by adding new claims to the JWT.
Source: https://www.toymoban.com/diary/system/522.html