|
此版本仍在开发中,尚未被视为稳定版本。如需最新稳定版本,请使用 Spring Security 7.0.4! |
核心接口/类
客户端注册
ClientRegistration 表示在 OAuth 2.0 或 OpenID Connect 1.0 提供商处注册的客户端。
客户端注册包含诸如客户端ID、客户端密钥、授权grant类型、重定向URI、范围、授权URI、TokensURI以及其他详情等信息。
ClientRegistration 及其属性定义如下:
public final class ClientRegistration {
private String registrationId; (1)
private String clientId; (2)
private String clientSecret; (3)
private ClientAuthenticationMethod clientAuthenticationMethod; (4)
private AuthorizationGrantType authorizationGrantType; (5)
private String redirectUri; (6)
private Set<String> scopes; (7)
private ProviderDetails providerDetails;
private String clientName; (8)
public class ProviderDetails {
private String authorizationUri; (9)
private String tokenUri; (10)
private UserInfoEndpoint userInfoEndpoint;
private String jwkSetUri; (11)
private String issuerUri; (12)
private Map<String, Object> configurationMetadata; (13)
public class UserInfoEndpoint {
private String uri; (14)
private AuthenticationMethod authenticationMethod; (15)
private String userNameAttributeName; (16)
}
}
public static final class ClientSettings {
private boolean requireProofKey; (17)
}
}| 1 | registrationId:唯一标识 ClientRegistration 的 ID。 |
| 2 | clientId:客户端标识符。 |
| 3 | clientSecret:客户端密钥。 |
| 4 | clientAuthenticationMethod:用于客户端向提供方进行身份验证的方法。
支持的值包括 client_secret_basic、client_secret_post、private_key_jwt、client_secret_jwt 和 none (公共客户端)。 |
| 5 | authorizationGrantType: OAuth 2.0 授权框架定义了四种 授权类型(Authorization Grant)。支持的值包括 authorization_code、client_credentials、password,以及扩展授权类型 urn:ietf:params:oauth:grant-type:jwt-bearer。 |
| 6 | redirectUri:客户端注册的重定向 URI,授权服务器在最终用户完成身份验证并授权客户端访问后,将最终用户的用户代理重定向到该 URI。 |
| 7 | scopes:客户端在授权请求流程中所请求的范围(scope),例如 openid、email 或 profile。 |
| 8 | clientName:用于客户端的描述性名称。
该名称可能在某些场景中使用,例如在自动生成的登录页面中显示客户端的名称。 |
| 9 | authorizationUri:授权服务器的授权端点 URI。 |
| 10 | tokenUri:授权服务器的Tokens端点 URI。 |
| 11 | jwkSetUri: 用于从授权服务器检索包含用于验证IDTokens和可选的用户信息响应的JSON网络签名(JWS)中的加密密钥(JWK)集的URI。 |
| 12 | issuerUri:返回 OpenID Connect 1.0 提供商或 OAuth 2.0 授权服务器的颁发者标识符 URI。 |
| 13 | configurationMetadata: The OpenID Provider Configuration Information.
此信息仅在配置了 Spring Boot 属性 spring.security.oauth2.client.provider.[providerId].issuerUri 之后才可用。 |
| 14 | (userInfoEndpoint)uri: 用于访问已认证终端用户声明/属性的UserInfo端点URI。 |
| 15 | (userInfoEndpoint)authenticationMethod: 当向用户信息端点发送访问Tokens时使用的认证方法。支持的值包括 header, form 和 query。 |
| 16 | userNameAttributeName:在 UserInfo 响应中返回的属性名称,该属性引用最终用户的名称或标识符。 |
| 17 | requireProofKey: If true或者authorizationGrantType is none,则 PKCE 将默认启用。 |
ClientRegistrations 提供了配置一个 ClientRegistration 的便利方法,如以下示例所示:
-
Java
-
Kotlin
ClientRegistration clientRegistration =
ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build();val clientRegistration = ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build()上述代码将按序查询 idp.example.com/issuer/.well-known/openid-configuration,然后查询 idp.example.com/.well-known/openid-configuration/issuer,最后查询 idp.example.com/.well-known/oauth-authorization-server/issuer,并在第一个返回200响应时停止。
可以作为替代方案,你可以使用ClientRegistrations.fromOidcIssuerLocation()来仅查询OpenID Connect提供者的配置端点。
响应式客户端注册存储库
ReactiveClientRegistrationRepository 用作 OAuth 2.0 / OpenID Connect 1.0 ClientRegistration(客户端注册信息)的存储库。
|
客户端注册信息最终由关联的授权服务器存储和拥有。 此仓库提供了检索存储在授权服务器中的主要客户端注册信息子集的能力。 |
Spring Boot 自动配置将 spring.security.oauth2.client.registration.[registrationId] 下的每个属性绑定到一个 ClientRegistration 实例,然后将每个 ClientRegistration 实例组合到一个 ReactiveClientRegistrationRepository 中。
|
|
自动配置还会将ReactiveClientRegistrationRepository注册为@Bean在ApplicationContext中,以便在应用程序需要进行依赖注入时可用。
以下列表展示了一个示例:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private ReactiveClientRegistrationRepository clientRegistrationRepository;
@GetMapping("/")
public Mono<String> index() {
return this.clientRegistrationRepository.findByRegistrationId("okta")
...
.thenReturn("index");
}
}@Controller
class OAuth2ClientController {
@Autowired
private lateinit var clientRegistrationRepository: ReactiveClientRegistrationRepository
@GetMapping("/")
fun index(): Mono<String> {
return this.clientRegistrationRepository.findByRegistrationId("okta")
...
.thenReturn("index")
}
}OAuth2 授权客户端
OAuth2AuthorizedClient 是授权客户端的表示形式。
一个客户端被认为是经过授权的,当终端用户(资源所有者)已经授予该客户端访问其受保护资源的权限时。
OAuth2AuthorizedClient 用于将一个 OAuth2AccessToken(以及可选的 OAuth2RefreshToken)与一个 ClientRegistration(客户端)和资源所有者关联起来,该资源所有者是授予授权的 Principal 最终用户。
ServerOAuth2AuthorizedClientRepository / ReactiveOAuth2AuthorizedClientService
ServerOAuth2AuthorizedClientRepository 负责在 web 请求之间保存 OAuth2AuthorizedClient(s)。
而 ReactiveOAuth2AuthorizedClientService 的主要作用是在应用层面管理 OAuth2AuthorizedClient(s)。
从开发者的角度来看,ServerOAuth2AuthorizedClientRepository 或 ReactiveOAuth2AuthorizedClientService 提供了查找与客户端关联的OAuth2AccessToken的能力,以便使用该Tokens发起受保护资源请求。
以下列表展示了一个示例:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private ReactiveOAuth2AuthorizedClientService authorizedClientService;
@GetMapping("/")
public Mono<String> index(Authentication authentication) {
return this.authorizedClientService.loadAuthorizedClient("okta", authentication.getName())
.map(OAuth2AuthorizedClient::getAccessToken)
...
.thenReturn("index");
}
}@Controller
class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientService: ReactiveOAuth2AuthorizedClientService
@GetMapping("/")
fun index(authentication: Authentication): Mono<String> {
return this.authorizedClientService.loadAuthorizedClient<OAuth2AuthorizedClient>("okta", authentication.name)
.map { it.accessToken }
...
.thenReturn("index")
}
}|
Spring Boot 自动配置会注册一个 |
默认实现的ReactiveOAuth2AuthorizedClientService是InMemoryReactiveOAuth2AuthorizedClientService,它将在内存中存储OAuth2AuthorizedClient(s)。
alternatively, the R2DBC implementation R2dbcReactiveOAuth2AuthorizedClientService 可能会被配置为将OAuth2AuthorizedClient(s) 存储在数据库中。
|
|
响应式 OAuth2 授权客户端管理器 / 响应式 OAuth2 授权客户端提供者
ReactiveOAuth2AuthorizedClientManager 负责对 OAuth2AuthorizedClient(们)进行整体管理。
主要职责包括:
-
使用
ReactiveOAuth2AuthorizedClientProvider进行授权(或重新授权)一个 OAuth 2.0 客户端。 -
将
OAuth2AuthorizedClient的持久化委派出去,通常使用ReactiveOAuth2AuthorizedClientService或ServerOAuth2AuthorizedClientRepository。 -
当OAuth 2.0客户端已成功授权(或重新授权)时,委托给
ReactiveOAuth2AuthorizationSuccessHandler。 -
当OAuth 2.0 客户端授权失败(或重新授权失败)时,委托给一个
ReactiveOAuth2AuthorizationFailureHandler。
一个ReactiveOAuth2AuthorizedClientProvider 实现了一种授权(或重新授权)OAuth 2.0 客户端的策略。
实现将通常会实现一种授权许可类型,例如 authorization_code、client_credentials 等。
默认实现的ReactiveOAuth2AuthorizedClientManager是DefaultReactiveOAuth2AuthorizedClientManager,它与一个ReactiveOAuth2AuthorizedClientProvider相关联,该提供者可能支持多种授权授予类型,并使用基于委托的组合。
ReactiveOAuth2AuthorizedClientProviderBuilder可以用来配置并构建基于委托的组合。
以下代码展示了如何配置和构建一个支持authorization_code、refresh_token、client_credentials 和 password 授权授予类型的ReactiveOAuth2AuthorizedClientProvider组合体的示例:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken()
.clientCredentials()
.password()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken()
.clientCredentials()
.password()
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}当授权尝试成功时,DefaultReactiveOAuth2AuthorizedClientManager 将委托给 ReactiveOAuth2AuthorizationSuccessHandler,该组件(默认情况下)将通过 ServerOAuth2AuthorizedClientRepository 保存 OAuth2AuthorizedClient。
在重新授权失败的情况下,例如刷新Tokens不再有效,之前保存的 OAuth2AuthorizedClient 将通过 RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler 从 ServerOAuth2AuthorizedClientRepository 中移除。
默认行为可通过 setAuthorizationSuccessHandler(ReactiveOAuth2AuthorizationSuccessHandler) 和 setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler) 进行自定义。
DefaultReactiveOAuth2AuthorizedClientManager 还与类型为 Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>> 的 contextAttributesMapper 相关联,该组件负责将来自 OAuth2AuthorizeRequest 的属性映射到与 OAuth2AuthorizationContext 关联的 Map 属性。
这在您需要为 ReactiveOAuth2AuthorizedClientProvider 提供必需(支持)的属性时非常有用,例如 PasswordReactiveOAuth2AuthorizedClientProvider 要求资源所有者的 username 和 password 在 OAuth2AuthorizationContext.getAttributes() 中可用。
以下代码展示了 contextAttributesMapper 的一个示例:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper());
return authorizedClientManager;
}
private Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>> contextAttributesMapper() {
return authorizeRequest -> {
Map<String, Object> contextAttributes = Collections.emptyMap();
ServerWebExchange exchange = authorizeRequest.getAttribute(ServerWebExchange.class.getName());
ServerHttpRequest request = exchange.getRequest();
String username = request.getQueryParams().getFirst(OAuth2ParameterNames.USERNAME);
String password = request.getQueryParams().getFirst(OAuth2ParameterNames.PASSWORD);
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = new HashMap<>();
// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
}
return Mono.just(contextAttributes);
};
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper())
return authorizedClientManager
}
private fun contextAttributesMapper(): Function<OAuth2AuthorizeRequest, Mono<MutableMap<String, Any>>> {
return Function { authorizeRequest ->
var contextAttributes: MutableMap<String, Any> = mutableMapOf()
val exchange: ServerWebExchange = authorizeRequest.getAttribute(ServerWebExchange::class.java.name)!!
val request: ServerHttpRequest = exchange.request
val username: String? = request.queryParams.getFirst(OAuth2ParameterNames.USERNAME)
val password: String? = request.queryParams.getFirst(OAuth2ParameterNames.PASSWORD)
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = hashMapOf()
// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes[OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME] = username!!
contextAttributes[OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME] = password!!
}
Mono.just(contextAttributes)
}
}DefaultReactiveOAuth2AuthorizedClientManager 是为了在 ServerWebExchange 的上下文中使用而设计的。
当不在 ServerWebExchange 上下文中运行时,可以使用 ServerWebExchange 代替。
一个服务应用是使用AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager的常见场景。
服务应用通常在后台运行,无需用户交互,并且通常以系统级账户而非用户账户运行。
配置了client_credentials授权类型的OAuth 2.0客户端可以被视为一种类型的服务应用。
以下代码展示了如何配置一个支持 AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager 授权类型的 client_credentials 的示例:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ReactiveOAuth2AuthorizedClientService authorizedClientService) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build();
AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientService);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientService: ReactiveOAuth2AuthorizedClientService): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build()
val authorizedClientManager = AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientService)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}