高级配置

HttpSecurity.oauth2Login() 提供了多个配置选项，用于自定义 OAuth 2.0 登录。主要的配置选项按其对应的协议端点进行分组。spring-doc.cadn.net.cn

例如，oauth2Login().authorizationEndpoint() 允许配置授权端点，而 oauth2Login().tokenEndpoint() 允许配置Tokens端点。spring-doc.cadn.net.cn

以下代码展示了一个示例：spring-doc.cadn.net.cn

高级 OAuth2 登录配置

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			.oauth2Login((oauth2) -> oauth2
			    .authorizationEndpoint((authorization) -> authorization
			            ...
			    )
			    .redirectionEndpoint((redirection) -> redirection
			            ...
			    )
			    .tokenEndpoint((token) -> token
			            ...
			    )
			    .userInfoEndpoint((userInfo) -> userInfo
			            ...
			    )
			);
		return http.build();
	}
}

@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            oauth2Login {
                authorizationEndpoint {
                    ...
                }
                redirectionEndpoint {
                    ...
                }
                tokenEndpoint {
                    ...
                }
                userInfoEndpoint {
                    ...
                }
            }
        }
        return http.build()
    }
}

oauth2Login() DSL 的主要目标是紧密遵循规范中定义的命名。spring-doc.cadn.net.cn

OAuth 2.0 授权框架将协议端点定义如下：spring-doc.cadn.net.cn

授权流程使用两个授权服务器端点（HTTP 资源）：spring-doc.cadn.net.cn

授权端点：客户端通过用户代理重定向，从资源所有者处获取授权。spring-doc.cadn.net.cn
Tokens端点（Token Endpoint）：客户端使用该端点，通常在客户端身份验证的情况下，将授权许可（authorization grant）交换为访问Tokens（access token）。spring-doc.cadn.net.cn

授权流程还使用一个客户端端点：spring-doc.cadn.net.cn

重定向端点：授权服务器通过资源所有者的用户代理，使用此端点向客户端返回包含授权凭据的响应。spring-doc.cadn.net.cn

OpenID Connect Core 1.0 规范对UserInfo 端点的定义如下：spring-doc.cadn.net.cn

用户信息（UserInfo）端点是一个 OAuth 2.0 受保护资源，用于返回已认证最终用户的声明信息。为了获取关于该最终用户的请求声明，客户端需使用通过 OpenID Connect 身份验证所获得的访问Tokens，向用户信息端点发起请求。这些声明通常以一个 JSON 对象表示，其中包含一组声明的名称-值对集合。spring-doc.cadn.net.cn

以下代码展示了 oauth2Login() DSL 可用的完整配置选项：spring-doc.cadn.net.cn

OAuth2 登录配置选项

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			.oauth2Login((oauth2) -> oauth2
			    .clientRegistrationRepository(this.clientRegistrationRepository())
			    .authorizedClientRepository(this.authorizedClientRepository())
			    .authorizedClientService(this.authorizedClientService())
			    .loginPage("/login")
			    .authorizationEndpoint((authorization) -> authorization
			        .baseUri(this.authorizationRequestBaseUri())
			        .authorizationRequestRepository(this.authorizationRequestRepository())
			        .authorizationRequestResolver(this.authorizationRequestResolver())
			    )
			    .redirectionEndpoint((redirection) -> redirection
			        .baseUri(this.authorizationResponseBaseUri())
			    )
			    .tokenEndpoint((token) -> token
			        .accessTokenResponseClient(this.accessTokenResponseClient())
			    )
			    .userInfoEndpoint((userInfo) -> userInfo
			        .userAuthoritiesMapper(this.userAuthoritiesMapper())
			        .userService(this.oauth2UserService())
			        .oidcUserService(this.oidcUserService())
			    )
			);
		return http.build();
	}
}

@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            oauth2Login {
                clientRegistrationRepository = clientRegistrationRepository()
                authorizedClientRepository = authorizedClientRepository()
                authorizedClientService = authorizedClientService()
                loginPage = "/login"
                authorizationEndpoint {
                    baseUri = authorizationRequestBaseUri()
                    authorizationRequestRepository = authorizationRequestRepository()
                    authorizationRequestResolver = authorizationRequestResolver()
                }
                redirectionEndpoint {
                    baseUri = authorizationResponseBaseUri()
                }
                tokenEndpoint {
                    accessTokenResponseClient = accessTokenResponseClient()
                }
                userInfoEndpoint {
                    userAuthoritiesMapper = userAuthoritiesMapper()
                    userService = oauth2UserService()
                    oidcUserService = oidcUserService()
                }
            }
        }
        return http.build()
    }
}

除了 oauth2Login() DSL 之外，也支持 XML 配置。spring-doc.cadn.net.cn

以下代码展示了安全命名空间中可用的完整配置选项：spring-doc.cadn.net.cn

OAuth2 登录 XML 配置选项

<http>
	<oauth2-login client-registration-repository-ref="clientRegistrationRepository"
				  authorized-client-repository-ref="authorizedClientRepository"
				  authorized-client-service-ref="authorizedClientService"
				  authorization-request-repository-ref="authorizationRequestRepository"
				  authorization-request-resolver-ref="authorizationRequestResolver"
				  access-token-response-client-ref="accessTokenResponseClient"
				  user-authorities-mapper-ref="userAuthoritiesMapper"
				  user-service-ref="oauth2UserService"
				  oidc-user-service-ref="oidcUserService"
				  login-processing-url="/login/oauth2/code/*"
				  login-page="/login"
				  authentication-success-handler-ref="authenticationSuccessHandler"
				  authentication-failure-handler-ref="authenticationFailureHandler"
				  jwt-decoder-factory-ref="jwtDecoderFactory"/>
</http>

以下各节将详细介绍每种可用的配置选项：spring-doc.cadn.net.cn

默认情况下，OAuth 2.0 登录页面由 DefaultLoginPageGeneratingFilter 自动生成。默认登录页面会为每个已配置的 OAuth 客户端显示一个链接，该链接使用其 ClientRegistration.clientName 作为展示名称，并可用于发起授权请求（即 OAuth 2.0 登录）。spring-doc.cadn.net.cn

为了让 DefaultLoginPageGeneratingFilter 显示已配置的 OAuth 客户端链接，注册的 ClientRegistrationRepository 还需要实现 Iterable<ClientRegistration> 接口。请参考 InMemoryClientRegistrationRepository。spring-doc.cadn.net.cn

每个 OAuth 客户端的链接目标默认如下：spring-doc.cadn.net.cn

OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI + "/{registrationId}"spring-doc.cadn.net.cn

以下这行展示了一个示例：spring-doc.cadn.net.cn

<a href="/oauth2/authorization/google">Google</a>

要覆盖默认的登录页面，请配置 oauth2Login().loginPage() 和（可选地）oauth2Login().authorizationEndpoint().baseUri()。spring-doc.cadn.net.cn

以下列表展示了一个示例：spring-doc.cadn.net.cn

OAuth2 登录页面配置

@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			.oauth2Login((oauth2) -> oauth2
			    .loginPage("/login/oauth2")
			    ...
			    .authorizationEndpoint((authorization) -> authorization
			        .baseUri("/login/oauth2/authorization")
			        ...
			    )
			);
		return http.build();
	}
}

@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            oauth2Login {
                loginPage = "/login/oauth2"
                authorizationEndpoint {
                    baseUri = "/login/oauth2/authorization"
                }
            }
        }
        return http.build()
    }
}

<http>
	<oauth2-login login-page="/login/oauth2"
				  ...
    />
</http>

你需要提供一个带有 @Controller 的 @RequestMapping("/login/oauth2")，用于渲染自定义登录页面。spring-doc.cadn.net.cn

如前所述，配置 oauth2Login().authorizationEndpoint().baseUri() 是可选的。然而，如果您选择对其进行自定义，请确保每个 OAuth 客户端的链接与 authorizationEndpoint().baseUri() 相匹配。spring-doc.cadn.net.cn

以下这行展示了一个示例：spring-doc.cadn.net.cn

<a href="/login/oauth2/authorization/google">Google</a>

重定向端点

重定向端点由授权服务器用于通过资源所有者用户代理将授权响应（其中包含授权凭据）返回给客户端。spring-doc.cadn.net.cn

OAuth 2.0 登录利用了授权码许可（Authorization Code Grant）。因此，授权凭证就是授权码。spring-doc.cadn.net.cn

默认的授权响应 baseUri（重定向端点）为 /login/oauth2/code/*，该值定义在 OAuth2LoginAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI 中。spring-doc.cadn.net.cn

如果你想自定义授权响应（Authorization Response）的 baseUri，请按如下方式配置：spring-doc.cadn.net.cn

重定向端点配置

@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {

    @Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			.oauth2Login((oauth2) -> oauth2
			    .redirectionEndpoint((redirection) -> redirection
			        .baseUri("/login/oauth2/callback/*")
			        ...
			    )
			);
		return http.build();
	}
}

@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            oauth2Login {
                redirectionEndpoint {
                    baseUri = "/login/oauth2/callback/*"
                }
            }
        }
        return http.build()
    }
}

<http>
	<oauth2-login login-processing-url="/login/oauth2/callback/*"
				  ...
    />
</http>

您还需要确保 ClientRegistration.redirectUri 与自定义授权响应的 baseUri 相匹配。spring-doc.cadn.net.cn

以下列表展示了一个示例：spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

return CommonOAuth2Provider.GOOGLE.getBuilder("google")
	.clientId("google-client-id")
	.clientSecret("google-client-secret")
	.redirectUri("{baseUrl}/login/oauth2/callback/{registrationId}")
	.build();

return CommonOAuth2Provider.GOOGLE.getBuilder("google")
    .clientId("google-client-id")
    .clientSecret("google-client-secret")
    .redirectUri("{baseUrl}/login/oauth2/callback/{registrationId}")
    .build()

用户信息端点

用户信息（UserInfo）端点包含若干配置选项，如下列子章节所述：spring-doc.cadn.net.cn

映射用户权限

用户成功通过 OAuth 2.0 提供商认证后，OAuth2User.getAuthorities()（或 OidcUser.getAuthorities()）将包含一个授权权限列表，该列表由 OAuth2UserRequest.getAccessToken().getScopes() 填充，并以 SCOPE_ 作为前缀。这些授权权限可以映射为一组新的 GrantedAuthority 实例，并在完成认证时提供给 OAuth2AuthenticationToken。spring-doc.cadn.net.cn

OAuth2AuthenticationToken.getAuthorities() 用于授权请求，例如在 hasRole('USER') 或 hasRole('ADMIN') 中。

在映射用户权限时，有几个选项可供选择：spring-doc.cadn.net.cn

使用 GrantedAuthoritiesMapper

GrantedAuthoritiesMapper 会接收到一个已授予权限的列表，该列表包含一个特殊类型的权限 OAuth2UserAuthority 和权限字符串 OAUTH2_USER（或者 OidcUserAuthority 和权限字符串 OIDC_USER）。spring-doc.cadn.net.cn

提供一个 GrantedAuthoritiesMapper 的实现并进行如下配置：spring-doc.cadn.net.cn

授予的权限映射器配置

@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {

    @Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			.oauth2Login((oauth2) -> oauth2
			    .userInfoEndpoint((userInfo) -> userInfo
			        .userAuthoritiesMapper(this.userAuthoritiesMapper())
			        ...
			    )
			);
		return http.build();
	}

	private GrantedAuthoritiesMapper userAuthoritiesMapper() {
		return (authorities) -> {
			Set<GrantedAuthority> mappedAuthorities = new HashSet<>();

			authorities.forEach(authority -> {
				if (OidcUserAuthority.class.isInstance(authority)) {
					OidcUserAuthority oidcUserAuthority = (OidcUserAuthority)authority;

					OidcIdToken idToken = oidcUserAuthority.getIdToken();
					OidcUserInfo userInfo = oidcUserAuthority.getUserInfo();

					// Map the claims found in idToken and/or userInfo
					// to one or more GrantedAuthority's and add it to mappedAuthorities

				} else if (OAuth2UserAuthority.class.isInstance(authority)) {
					OAuth2UserAuthority oauth2UserAuthority = (OAuth2UserAuthority)authority;

					Map<String, Object> userAttributes = oauth2UserAuthority.getAttributes();

					// Map the attributes found in userAttributes
					// to one or more GrantedAuthority's and add it to mappedAuthorities

				}
			});

			return mappedAuthorities;
		};
	}
}

@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            oauth2Login {
                userInfoEndpoint {
                    userAuthoritiesMapper = userAuthoritiesMapper()
                }
            }
        }
        return http.build()
    }

    private fun userAuthoritiesMapper(): GrantedAuthoritiesMapper = GrantedAuthoritiesMapper { authorities: Collection<GrantedAuthority> ->
        val mappedAuthorities = emptySet<GrantedAuthority>()

        authorities.forEach { authority ->
            if (authority is OidcUserAuthority) {
                val idToken = authority.idToken
                val userInfo = authority.userInfo
                // Map the claims found in idToken and/or userInfo
                // to one or more GrantedAuthority's and add it to mappedAuthorities
            } else if (authority is OAuth2UserAuthority) {
                val userAttributes = authority.attributes
                // Map the attributes found in userAttributes
                // to one or more GrantedAuthority's and add it to mappedAuthorities
            }
        }

        mappedAuthorities
    }
}

<http>
	<oauth2-login user-authorities-mapper-ref="userAuthoritiesMapper"
				  ...
    />
</http>

或者，你可以注册一个 GrantedAuthoritiesMapper @Bean，使其自动应用于配置，如下所示：spring-doc.cadn.net.cn

已授予权限映射器 Bean 配置

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
		    .oauth2Login(withDefaults());
		return http.build();
	}

	@Bean
	public GrantedAuthoritiesMapper userAuthoritiesMapper() {
		...
	}
}

@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            oauth2Login { }
        }
        return http.build()
    }

    @Bean
    fun userAuthoritiesMapper(): GrantedAuthoritiesMapper {
        ...
    }
}

身份验证完成后，它还包含授予的权限 FACTOR_AUTHORIZATION_CODE。spring-doc.cadn.net.cn

基于委托的 OAuth2UserService 策略

该策略相比使用 GrantedAuthoritiesMapper 更为高级。然而，它也更加灵活，因为它允许你访问 OAuth2UserRequest 和 OAuth2User（在使用 OAuth 2.0 UserService 时），或 OidcUserRequest 和 OidcUser（在使用 OpenID Connect 1.0 UserService 时）。spring-doc.cadn.net.cn

OAuth2UserRequest（以及OidcUserRequest）为您提供对关联的OAuth2AccessToken的访问权限，这在委托方需要从受保护的资源中获取权限信息、然后才能为用户映射自定义权限的情况下非常有用。spring-doc.cadn.net.cn

以下示例展示了如何使用 OpenID Connect 1.0 UserService 实现并配置基于委托的策略：spring-doc.cadn.net.cn

OAuth2UserService 配置

@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			.oauth2Login((oauth2) -> oauth2
			    .userInfoEndpoint((userInfo) -> userInfo
			        .oidcUserService(this.oidcUserService())
			        ...
			    )
			);
		return http.build();
	}

	private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
		final OidcUserService delegate = new OidcUserService();

		return (userRequest) -> {
			// Delegate to the default implementation for loading a user
			OidcUser oidcUser = delegate.loadUser(userRequest);

			OAuth2AccessToken accessToken = userRequest.getAccessToken();
			Set<GrantedAuthority> mappedAuthorities = new HashSet<>();

			// TODO
			// 1) Fetch the authority information from the protected resource using accessToken
			// 2) Map the authority information to one or more GrantedAuthority's and add it to mappedAuthorities

			// 3) Create a copy of oidcUser but use the mappedAuthorities instead
			ProviderDetails providerDetails = userRequest.getClientRegistration().getProviderDetails();
			String userNameAttributeName = providerDetails.getUserInfoEndpoint().getUserNameAttributeName();
			if (StringUtils.hasText(userNameAttributeName)) {
				oidcUser = new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo(), userNameAttributeName);
			} else {
				oidcUser = new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo());
			}

			return oidcUser;
		};
	}
}

@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig  {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            oauth2Login {
                userInfoEndpoint {
                    oidcUserService = oidcUserService()
                }
            }
        }
        return http.build()
    }

    @Bean
    fun oidcUserService(): OAuth2UserService<OidcUserRequest, OidcUser> {
        val delegate = OidcUserService()

        return OAuth2UserService { userRequest ->
            // Delegate to the default implementation for loading a user
            val oidcUser = delegate.loadUser(userRequest)

            val accessToken = userRequest.accessToken
            val mappedAuthorities = HashSet<GrantedAuthority>()

            // TODO
            // 1) Fetch the authority information from the protected resource using accessToken
            // 2) Map the authority information to one or more GrantedAuthority's and add it to mappedAuthorities
            // 3) Create a copy of oidcUser but use the mappedAuthorities instead
            val providerDetails = userRequest.getClientRegistration().getProviderDetails()
            val userNameAttributeName = providerDetails.getUserInfoEndpoint().getUserNameAttributeName()
            if (StringUtils.hasText(userNameAttributeName)) {
                DefaultOidcUser(mappedAuthorities, oidcUser.idToken, oidcUser.userInfo, userNameAttributeName)
            } else {
                DefaultOidcUser(mappedAuthorities, oidcUser.idToken, oidcUser.userInfo)
            }
        }
    }
}

<http>
	<oauth2-login oidc-user-service-ref="oidcUserService"
				  ...
    />
</http>

OAuth 2.0 用户服务

DefaultOAuth2UserService 是 OAuth2UserService 的一个实现，支持标准的 OAuth 2.0 提供商。spring-doc.cadn.net.cn

OAuth2UserService 从授权流程中授予客户端的访问Tokens（通过在用户信息端点处使用该Tokens）获取最终用户的属性（资源所有者），并以 AuthenticatedPrincipal 的形式返回一个 OAuth2User。spring-doc.cadn.net.cn

DefaultOAuth2UserService 在向 UserInfo 端点请求用户属性时，会使用一个 RestOperations 实例。spring-doc.cadn.net.cn

如果你需要自定义 UserInfo 请求的预处理逻辑，可以向 DefaultOAuth2UserService.setRequestEntityConverter() 提供一个自定义的 Converter<OAuth2UserRequest, RequestEntity<?>>。默认实现 OAuth2UserRequestEntityConverter 会构建一个 UserInfo 请求的 RequestEntity 表示形式，默认情况下会在 OAuth2AccessToken 请求头中设置 Authorization。spring-doc.cadn.net.cn

另一方面，如果你需要自定义 UserInfo 响应的后处理逻辑，则需要向 DefaultOAuth2UserService.setRestOperations() 提供一个经过自定义配置的 RestOperations。默认的 RestOperations 配置如下：spring-doc.cadn.net.cn

RestTemplate restTemplate = new RestTemplate();
restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());

OAuth2ErrorResponseErrorHandler 是一个 ResponseErrorHandler，用于处理 OAuth 2.0 错误（400 Bad Request）。它使用 OAuth2ErrorHttpMessageConverter 将 OAuth 2.0 错误参数转换为 OAuth2Error。spring-doc.cadn.net.cn

无论您是自定义 DefaultOAuth2UserService，还是提供自己的 OAuth2UserService 实现，都需要按如下方式进行配置：spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			.oauth2Login((oauth2) -> oauth2
			    .userInfoEndpoint((userInfo) -> userInfo
			        .userService(this.oauth2UserService())
			        ...
			    )
			);
		return http.build();
	}

	private OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
		...
	}
}

@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            oauth2Login {
                userInfoEndpoint {
                    userService = oauth2UserService()
                    // ...
                }
            }
        }
        return http.build()
    }

    private fun oauth2UserService(): OAuth2UserService<OAuth2UserRequest, OAuth2User> {
        // ...
    }
}

OpenID Connect 1.0 用户服务

OidcUserService 是 OAuth2UserService 的一个实现，支持 OpenID Connect 1.0 提供商。spring-doc.cadn.net.cn

OidcUserService 在请求用户属性（User Attributes）时利用了 DefaultOAuth2UserService，这些属性来自 UserInfo Endpoint。spring-doc.cadn.net.cn

如果你需要自定义 UserInfo 请求的预处理或 UserInfo 响应的后处理，则需要向 OidcUserService.setOauth2UserService() 提供一个经过自定义配置的 DefaultOAuth2UserService。spring-doc.cadn.net.cn

无论您是自定义 OidcUserService，还是为 OpenID Connect 1.0 提供商提供自己的 OAuth2UserService 实现，都需要按如下方式进行配置：spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			.oauth2Login((oauth2) -> oauth2
				.userInfoEndpoint((userInfo) -> userInfo
				    .oidcUserService(this.oidcUserService())
				    ...
			    )
			);
		return http.build();
	}

	private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
		...
	}
}

@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            oauth2Login {
                userInfoEndpoint {
                    oidcUserService = oidcUserService()
                    // ...
                }
            }
        }
        return http.build()
    }

    private fun oidcUserService(): OAuth2UserService<OidcUserRequest, OidcUser> {
        // ...
    }
}

ID Token 签名验证

OpenID Connect 1.0 认证引入了ID Token，它是一种安全Tokens，当客户端使用时，其中包含关于授权服务器对最终用户认证的声明（Claims）。spring-doc.cadn.net.cn

ID Tokens以JSON Web Token（JWT）的形式表示，并且必须使用JSON Web Signature（JWS）进行签名。spring-doc.cadn.net.cn

OidcIdTokenDecoderFactory 提供一个用于 JwtDecoder 签名验证的 OidcIdToken。默认算法为 RS256，但在客户端注册期间分配时可能会有所不同。对于这些情况，您可以配置一个解析器，以返回为特定客户端分配的预期 JWS 算法。spring-doc.cadn.net.cn

JWS 算法解析器是一个 Function，它接受一个 ClientRegistration 并返回该客户端预期的 JwsAlgorithm，例如 SignatureAlgorithm.RS256 或 MacAlgorithm.HS256。spring-doc.cadn.net.cn

以下代码展示了如何配置 OidcIdTokenDecoderFactory @Bean，使其对所有 MacAlgorithm.HS256 实例默认使用 ClientRegistration：spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

@Bean
public JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
	OidcIdTokenDecoderFactory idTokenDecoderFactory = new OidcIdTokenDecoderFactory();
	idTokenDecoderFactory.setJwsAlgorithmResolver((clientRegistration) -> clientRegistration.HS256);
	return idTokenDecoderFactory;
}

@Bean
fun idTokenDecoderFactory(): JwtDecoderFactory<ClientRegistration?> {
    val idTokenDecoderFactory = OidcIdTokenDecoderFactory()
    idTokenDecoderFactory.setJwsAlgorithmResolver { MacAlgorithm.HS256 }
    return idTokenDecoderFactory
}

对于基于 MAC 的算法（例如 HS256、HS384 或 HS512），与 client-secret 对应的 client-id 将用作签名验证的对称密钥。spring-doc.cadn.net.cn

如果为 OpenID Connect 1.0 身份验证配置了多个 ClientRegistration，JWS 算法解析器可能会评估所提供的 ClientRegistration，以确定应返回哪个算法。spring-doc.cadn.net.cn

然后，您可以继续配置注销 spring-doc.cadn.net.cn