|
对于最新的稳定版本,请使用 Spring Security 7.0.4! |
授权许可支持
本节介绍 Spring Security 对授权许可(authorization grants)的支持。
授权码
|
有关授权码许可的更多详细信息,请参阅 OAuth 2.0 授权框架。 |
获取授权
|
参见授权请求/响应协议流程,了解授权码许可类型。 |
发起授权请求
OAuth2AuthorizationRequestRedirectFilter 使用一个 OAuth2AuthorizationRequestResolver 来解析 OAuth2AuthorizationRequest,并通过将最终用户的用户代理重定向到授权服务器的授权端点来启动授权码许可流程。
OAuth2AuthorizationRequestResolver 的主要作用是从提供的 Web 请求中解析出一个 OAuth2AuthorizationRequest。
默认实现 DefaultOAuth2AuthorizationRequestResolver 会匹配(默认)路径 /oauth2/authorization/{registrationId},从中提取 registrationId,并使用该 ID 为关联的 OAuth2AuthorizationRequest 构建 ClientRegistration。
请考虑以下用于 OAuth 2.0 客户端注册的 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/authorized/okta"
scope: read, write
provider:
okta:
authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token根据上述属性,一个以 /oauth2/authorization/okta 为基本路径的请求将由 OAuth2AuthorizationRequestRedirectFilter 触发授权请求重定向,并最终启动授权码许可流程。
|
|
如果 OAuth 2.0 客户端是公共客户端,请按如下方式配置 OAuth 2.0 客户端注册:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-authentication-method: none
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/authorized/okta"
# ...通过使用代码交换证明密钥(PKCE)来支持公共客户端。 如果客户端运行在不受信任的环境中(例如原生应用程序或基于Web浏览器的应用程序),因此无法保证其凭据的机密性,则在满足以下条件时将自动使用PKCE:
-
client-secret是省略的(或为空)和 -
client-authentication-method被设置为none(ClientAuthenticationMethod.NONE)
or
-
当
ClientRegistration.clientSettings.requireProofKey为true时(在此情况下,ClientRegistration.authorizationGrantType必须为authorization_code)
|
如果 OAuth 2.0 提供商支持对 |
以下配置使用了所有受支持的URI模板变量:
spring:
security:
oauth2:
client:
registration:
okta:
# ...
redirect-uri: "{baseScheme}://{baseHost}{basePort}{basePath}/authorized/{registrationId}"
# ...|
|
使用 redirect-uri 模板变量配置 URI 在 OAuth 2.0 客户端运行在代理服务器之后时特别有用。
这样做可确保在展开 X-Forwarded-* 时使用 redirect-uri 请求头。
自定义授权请求
OAuth2AuthorizationRequestResolver 的一个主要用例是能够使用超出 OAuth 2.0 授权框架中定义的标准参数之外的附加参数来自定义授权请求。
例如,OpenID Connect 为授权码流程定义了额外的 OAuth 2.0 请求参数,这些参数是对OAuth 2.0 授权框架中定义的标准参数的扩展。
其中一个扩展参数是 prompt 参数。
|
|
以下示例展示了如何使用一个 DefaultOAuth2AuthorizationRequestResolver 来配置 Consumer<OAuth2AuthorizationRequest.Builder>,通过添加请求参数 oauth2Login() 来自定义 prompt=consent 的授权请求。
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {
@Autowired
private ClientRegistrationRepository clientRegistrationRepository;
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.oauth2Login(oauth2 -> oauth2
.authorizationEndpoint(authorization -> authorization
.authorizationRequestResolver(
authorizationRequestResolver(this.clientRegistrationRepository)
)
)
);
return http.build();
}
private OAuth2AuthorizationRequestResolver authorizationRequestResolver(
ClientRegistrationRepository clientRegistrationRepository) {
DefaultOAuth2AuthorizationRequestResolver authorizationRequestResolver =
new DefaultOAuth2AuthorizationRequestResolver(
clientRegistrationRepository, "/oauth2/authorization");
authorizationRequestResolver.setAuthorizationRequestCustomizer(
authorizationRequestCustomizer());
return authorizationRequestResolver;
}
private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
return customizer -> customizer
.additionalParameters(params -> params.put("prompt", "consent"));
}
}@Configuration
@EnableWebSecurity
class SecurityConfig {
@Autowired
private lateinit var customClientRegistrationRepository: ClientRegistrationRepository
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorize(anyRequest, authenticated)
}
oauth2Login {
authorizationEndpoint {
authorizationRequestResolver = authorizationRequestResolver(customClientRegistrationRepository)
}
}
}
return http.build()
}
private fun authorizationRequestResolver(
clientRegistrationRepository: ClientRegistrationRepository?): OAuth2AuthorizationRequestResolver {
val authorizationRequestResolver = DefaultOAuth2AuthorizationRequestResolver(
clientRegistrationRepository, "/oauth2/authorization")
authorizationRequestResolver.setAuthorizationRequestCustomizer(
authorizationRequestCustomizer())
return authorizationRequestResolver
}
private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
return Consumer { customizer ->
customizer
.additionalParameters { params -> params["prompt"] = "consent" }
}
}
}对于简单使用场景,如果某个特定提供程序的附加请求参数始终相同,您可以直接在 authorization-uri 属性中添加该参数。
例如,如果对于提供商 prompt,请求参数 consent 的值始终为 okta,则可以按如下方式配置:
spring:
security:
oauth2:
client:
provider:
okta:
authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize?prompt=consent前面的示例展示了在标准参数基础上添加自定义参数的常见用例。
或者,如果你的需求更加高级,可以通过重写 OAuth2AuthorizationRequest.authorizationRequestUri 属性,完全控制授权请求 URI 的构建。
|
|
以下示例展示了前一个示例中 authorizationRequestCustomizer() 的一种变体,改为覆盖 OAuth2AuthorizationRequest.authorizationRequestUri 属性:
-
Java
-
Kotlin
private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
return customizer -> customizer
.authorizationRequestUri(uriBuilder -> uriBuilder
.queryParam("prompt", "consent").build());
}private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
return Consumer { customizer: OAuth2AuthorizationRequest.Builder ->
customizer
.authorizationRequestUri { uriBuilder: UriBuilder ->
uriBuilder
.queryParam("prompt", "consent").build()
}
}
}存储授权请求
AuthorizationRequestRepository 负责在授权请求发起之时到接收到授权响应(即回调)期间,对 OAuth2AuthorizationRequest 进行持久化。
|
|
AuthorizationRequestRepository 的默认实现是 HttpSessionOAuth2AuthorizationRequestRepository,它将 OAuth2AuthorizationRequest 存储在 HttpSession 中。
如果你有自定义的 AuthorizationRequestRepository 实现,可以按如下方式配置:
-
Java
-
Kotlin
-
Xml
@Configuration
@EnableWebSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Client(oauth2 -> oauth2
.authorizationCodeGrant(codeGrant -> codeGrant
.authorizationRequestRepository(this.authorizationRequestRepository())
// ...
)
)
.oauth2Login(oauth2 -> oauth2
.authorizationEndpoint(endpoint -> endpoint
.authorizationRequestRepository(this.authorizationRequestRepository())
// ...
)
);
return http.build();
}
@Bean
public AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository() {
return new CustomOAuth2AuthorizationRequestRepository();
}
}@Configuration
@EnableWebSecurity
class OAuth2ClientSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
oauth2Client {
authorizationCodeGrant {
authorizationRequestRepository = authorizationRequestRepository()
}
}
}
return http.build()
}
}<http>
<oauth2-client>
<authorization-code-grant authorization-request-repository-ref="authorizationRequestRepository"/>
</oauth2-client>
</http>请求访问Tokens
|
参见授权码许可的访问Tokens请求/响应协议流程。 |
存在两种实现 OAuth2AccessTokenResponseClient 的方式,可以用于向 Token 端点发起 HTTP 请求以获取授权码授予方式下的访问Tokens:
-
DefaultAuthorizationCodeTokenResponseClient(默认) -
RestClientAuthorizationCodeTokenResponseClient
The default implementation uses a RestOperations 实例来在授权服务器的Tokens端点处交换授权码以获取访问Tokens。
Spring Security 6.4 引入了一个新的实现,基于RestClient,它提供了类似的功能但更好地与组件的响应式版本(基于WebClient)对齐,以便为两种堆栈上的应用程序提供一致的配置。
|
本节专注于 |
要启用使用RestClientAuthorizationCodeTokenResponseClient,只需提供一个bean,如下例所示,它将被默认的OAuth2AuthorizedClientManager自动识别:
|
新的实现将在Spring Security 7 中默认使用。 |
RestClientAuthorizationCodeTokenResponseClient 非常灵活,提供了多种选项用于自定义授权码许可(Authorization Code grant)的 OAuth 2.0 访问Tokens请求和响应。
请从以下使用场景中选择以了解更多信息:
自定义访问Tokens请求
RestClientAuthorizationCodeTokenResponseClient 提供了用于自定义 OAuth 2.0 访问Tokens请求的 HTTP 请求头和请求参数的钩子。
自定义请求头
有两种自定义 HTTP 头部的选项:
-
通过调用
addHeadersConverter()添加额外的请求头 -
通过调用
setHeadersConverter()完全自定义标头
你可以使用 addHeadersConverter() 方法添加额外的请求头,而不会影响每个请求默认添加的请求头。
以下示例在 User-Agent 为 registrationId 时,向请求中添加一个 spring 请求头:
-
Java
-
Kotlin
RestClientAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new RestClientAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = RestClientAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}你可以通过复用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定义实现来完全自定义请求头。
以下示例复用了 DefaultOAuth2TokenRequestHeadersConverter,并禁用了 encodeClientCredentials,从而使得 HTTP Basic 凭据不再使用 application/x-www-form-urlencoded 进行编码:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
RestClientAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new RestClientAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = RestClientAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三种选项可用于自定义请求参数:
-
通过调用
addParametersConverter()添加额外参数 -
通过调用
setParametersConverter()来覆盖参数 -
通过调用
setParametersCustomizer()完全自定义参数
|
使用 |
你可以使用 addParametersConverter() 添加额外的参数,而不会影响每个请求中默认添加的参数。
以下示例在 audience 为 registrationId 时,向请求中添加一个 keycloak 参数:
-
Java
-
Kotlin
RestClientAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new RestClientAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = RestClientAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}你可以使用 setParametersConverter() 来覆盖默认参数。
以下示例在 client_id 为 registrationId 时,覆盖了 okta 参数:
-
Java
-
Kotlin
RestClientAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new RestClientAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val parametersConverter = DefaultOAuth2TokenRequestParametersConverter<OAuth2AuthorizationCodeGrantRequest>()
parametersConverter.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}
val accessTokenResponseClient = RestClientAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全自定义参数(包括省略默认参数)。
以下示例在请求中包含 client_id 参数时,省略了 client_assertion 参数:
-
Java
-
Kotlin
RestClientAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new RestClientAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = RestClientAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
RestClientAuthorizationCodeTokenResponseClient 提供了用于自定义 OAuth 2.0 访问Tokens响应的响应参数和错误处理的钩子。
自定义RestClient
您可以通过向 RestClient 提供一个预先配置好的 setRestClient() 来自定义Tokens(Token)响应。
默认的 RestClient 配置如下:
RestClient 配置-
Java
-
Kotlin
RestClient restClient = RestClient.builder()
.messageConverters(messageConverters -> {
messageConverters.clear();
messageConverters.add(new FormHttpMessageConverter());
messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
})
.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
.build();
RestClientAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new RestClientAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setRestClient(restClient);val restClient = RestClient.builder()
.messageConverters { messageConverters ->
messageConverters.clear()
messageConverters.add(FormHttpMessageConverter())
messageConverters.add(OAuth2AccessTokenResponseHttpMessageConverter())
}
.defaultStatusHandler(OAuth2ErrorResponseErrorHandler())
.build()
val accessTokenResponseClient = RestClientAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setRestClient(restClient)OAuth2AccessTokenResponseHttpMessageConverter 是用于 OAuth 2.0 访问Tokens响应的 HttpMessageConverter。
您可以通过调用 OAuth2AccessTokenResponse 方法来自定义Tokens响应参数到 setAccessTokenResponseConverter() 的转换。
默认实现为 DefaultMapOAuth2AccessTokenResponseConverter。
OAuth2ErrorResponseErrorHandler 是一个 ResponseErrorHandler,可用于处理 OAuth 2.0 错误,例如 400 Bad Request。
它使用 OAuth2ErrorHttpMessageConverter 将 OAuth 2.0 错误参数转换为 OAuth2Error。
您可以通过调用 OAuth2Error 方法来自定义Tokens响应参数到 setErrorConverter() 的转换过程。
|
需要 Spring MVC 的 |
自定义响应参数
以下示例为自定义Tokens响应参数转换为 OAuth2AccessTokenResponse 提供了一个起点:
-
Java
-
Kotlin
OAuth2AccessTokenResponseHttpMessageConverter accessTokenResponseMessageConverter =
new OAuth2AccessTokenResponseHttpMessageConverter();
accessTokenResponseMessageConverter.setAccessTokenResponseConverter(parameters -> {
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build();
});val accessTokenResponseMessageConverter = OAuth2AccessTokenResponseHttpMessageConverter()
accessTokenResponseMessageConverter.setAccessTokenResponseConverter { parameters ->
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}自定义错误处理
以下示例为自定义将 Error 参数转换为 OAuth2Error 提供了一个起点:
-
Java
-
Kotlin
OAuth2ErrorHttpMessageConverter errorConverter =
new OAuth2ErrorHttpMessageConverter();
errorConverter.setErrorConverter(parameters -> {
// ...
return new OAuth2Error("custom-error", "custom description", "custom-uri");
});
OAuth2ErrorResponseErrorHandler errorHandler =
new OAuth2ErrorResponseErrorHandler();
errorHandler.setErrorConverter(errorConverter);val errorConverter = OAuth2ErrorHttpMessageConverter()
errorConverter.setErrorConverter { parameters ->
// ...
return OAuth2Error("custom-error", "custom description", "custom-uri")
}
val errorHandler = OAuth2ErrorResponseErrorHandler()
errorHandler.setErrorConverter(errorConverter)使用 DSL 进行自定义
无论您是自定义 RestClientAuthorizationCodeTokenResponseClient,还是提供自己的 OAuth2AccessTokenResponseClient 实现,都可以使用 DSL 进行配置(作为发布一个 Bean的替代方案),如下所示:
-
Java
-
Kotlin
-
Xml
@Configuration
@EnableWebSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Client(oauth2 -> oauth2
.authorizationCodeGrant(codeGrant -> codeGrant
.accessTokenResponseClient(this.accessTokenResponseClient())
// ...
)
);
return http.build();
}
}@Configuration
@EnableWebSecurity
class OAuth2ClientSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
oauth2Client {
authorizationCodeGrant {
accessTokenResponseClient = accessTokenResponseClient()
}
}
}
return http.build()
}
}<http>
<oauth2-client>
<authorization-code-grant access-token-response-client-ref="accessTokenResponseClient"/>
</oauth2-client>
</http>刷新Tokens
|
有关刷新Tokens的更多详细信息,请参阅 OAuth 2.0 授权框架。 |
刷新访问Tokens
|
请参阅访问Tokens请求/响应协议流程,了解刷新Tokens授权(Refresh Token grant)的相关内容。 |
可以用于向Tokens端点(Token Endpoint)发送HTTP请求以获取刷新Tokens(Refresh Token)授予方式下的访问Tokens的 OAuth2AccessTokenResponseClient 实现有两个版本:
-
DefaultRefreshTokenTokenResponseClient(默认) -
RestClientRefreshTokenTokenResponseClient
The default implementation uses a RestOperations 实例来在授权服务器的Tokens端点处交换授权码以获取访问Tokens。
Spring Security 6.4 引入了一个新的实现,基于RestClient,它提供了类似的功能但更好地与组件的响应式版本(基于WebClient)对齐,以便为两种堆栈上的应用程序提供一致的配置。
|
本节专注于 |
要启用使用RestClientRefreshTokenTokenResponseClient,只需提供一个bean,如下例所示,它将被默认的OAuth2AuthorizedClientManager自动识别:
-
Java
-
Kotlin
@Bean
public OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient() {
return new RestClientRefreshTokenTokenResponseClient();
}@Bean
fun accessTokenResponseClient(): OAuth2AccessTokenResponseClient<Refresh Token> {
return RestClientRefreshTokenTokenResponseClient()
}|
新的实现将在Spring Security 7 中默认使用。 |
RestClientRefreshTokenTokenResponseClient 非常灵活,并提供了多种选项来自定义 OAuth 2.0 刷新Tokens grant 的访问Tokens请求和响应。
从以下用例中选择以获取更多信息:
自定义访问Tokens请求
RestClientRefreshTokenTokenResponseClient 提供了用于自定义 OAuth 2.0 访问Tokens请求的 HTTP 请求头和请求参数的钩子。
自定义请求头
有两种自定义 HTTP 头部的选项:
-
通过调用
addHeadersConverter()添加额外的请求头 -
通过调用
setHeadersConverter()完全自定义标头
你可以使用 addHeadersConverter() 方法添加额外的请求头,而不会影响每个请求默认添加的请求头。
以下示例在 User-Agent 为 registrationId 时,向请求中添加一个 spring 请求头:
-
Java
-
Kotlin
RestClientRefreshTokenTokenResponseClient accessTokenResponseClient =
new RestClientRefreshTokenTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = RestClientRefreshTokenTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}你可以通过复用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定义实现来完全自定义请求头。
以下示例复用了 DefaultOAuth2TokenRequestHeadersConverter,并禁用了 encodeClientCredentials,从而使得 HTTP Basic 凭据不再使用 application/x-www-form-urlencoded 进行编码:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
RestClientRefreshTokenTokenResponseClient accessTokenResponseClient =
new RestClientRefreshTokenTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = RestClientRefreshTokenTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三种选项可用于自定义请求参数:
-
通过调用
addParametersConverter()添加额外参数 -
通过调用
setParametersConverter()来覆盖参数 -
通过调用
setParametersCustomizer()完全自定义参数
|
使用 |
你可以使用 addParametersConverter() 添加额外的参数,而不会影响每个请求中默认添加的参数。
以下示例在 audience 为 registrationId 时,向请求中添加一个 keycloak 参数:
-
Java
-
Kotlin
RestClientRefreshTokenTokenResponseClient accessTokenResponseClient =
new RestClientRefreshTokenTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = RestClientRefreshTokenTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}你可以使用 setParametersConverter() 来覆盖默认参数。
以下示例在 client_id 为 registrationId 时,覆盖了 okta 参数:
-
Java
-
Kotlin
RestClientRefreshTokenTokenResponseClient accessTokenResponseClient =
new RestClientRefreshTokenTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val parametersConverter = DefaultOAuth2TokenRequestParametersConverter<OAuth2RefreshTokenGrantRequest>()
parametersConverter.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}
val accessTokenResponseClient = RestClientRefreshTokenTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全自定义参数(包括省略默认参数)。
以下示例在请求中包含 client_id 参数时,省略了 client_assertion 参数:
-
Java
-
Kotlin
RestClientRefreshTokenTokenResponseClient accessTokenResponseClient =
new RestClientRefreshTokenTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = RestClientRefreshTokenTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
RestClientRefreshTokenTokenResponseClient 提供了用于自定义 OAuth 2.0 访问Tokens响应的响应参数和错误处理的钩子。
自定义RestClient
您可以通过向 RestClient 提供一个预先配置好的 setRestClient() 来自定义Tokens(Token)响应。
默认的 RestClient 配置如下:
RestClient 配置-
Java
-
Kotlin
RestClient restClient = RestClient.builder()
.messageConverters(messageConverters -> {
messageConverters.clear();
messageConverters.add(new FormHttpMessageConverter());
messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
})
.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
.build();
RestClientRefreshTokenTokenResponseClient accessTokenResponseClient =
new RestClientRefreshTokenTokenResponseClient();
accessTokenResponseClient.setRestClient(restClient);val restClient = RestClient.builder()
.messageConverters { messageConverters ->
messageConverters.clear()
messageConverters.add(FormHttpMessageConverter())
messageConverters.add(OAuth2AccessTokenResponseHttpMessageConverter())
}
.defaultStatusHandler(OAuth2ErrorResponseErrorHandler())
.build()
val accessTokenResponseClient = RestClientRefreshTokenTokenResponseClient()
accessTokenResponseClient.setRestClient(restClient)OAuth2AccessTokenResponseHttpMessageConverter 是用于 OAuth 2.0 访问Tokens响应的 HttpMessageConverter。
您可以通过调用 OAuth2AccessTokenResponse 方法来自定义Tokens响应参数到 setAccessTokenResponseConverter() 的转换。
默认实现为 DefaultMapOAuth2AccessTokenResponseConverter。
OAuth2ErrorResponseErrorHandler 是一个 ResponseErrorHandler,可用于处理 OAuth 2.0 错误,例如 400 Bad Request。
它使用 OAuth2ErrorHttpMessageConverter 将 OAuth 2.0 错误参数转换为 OAuth2Error。
您可以通过调用 OAuth2Error 方法来自定义Tokens响应参数到 setErrorConverter() 的转换过程。
|
需要 Spring MVC 的 |
自定义响应参数
以下示例为自定义Tokens响应参数转换为 OAuth2AccessTokenResponse 提供了一个起点:
-
Java
-
Kotlin
OAuth2AccessTokenResponseHttpMessageConverter accessTokenResponseMessageConverter =
new OAuth2AccessTokenResponseHttpMessageConverter();
accessTokenResponseMessageConverter.setAccessTokenResponseConverter(parameters -> {
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build();
});val accessTokenResponseMessageConverter = OAuth2AccessTokenResponseHttpMessageConverter()
accessTokenResponseMessageConverter.setAccessTokenResponseConverter { parameters ->
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}自定义错误处理
以下示例为自定义将 Error 参数转换为 OAuth2Error 提供了一个起点:
-
Java
-
Kotlin
OAuth2ErrorHttpMessageConverter errorConverter =
new OAuth2ErrorHttpMessageConverter();
errorConverter.setErrorConverter(parameters -> {
// ...
return new OAuth2Error("custom-error", "custom description", "custom-uri");
});
OAuth2ErrorResponseErrorHandler errorHandler =
new OAuth2ErrorResponseErrorHandler();
errorHandler.setErrorConverter(errorConverter);val errorConverter = OAuth2ErrorHttpMessageConverter()
errorConverter.setErrorConverter { parameters ->
// ...
return OAuth2Error("custom-error", "custom description", "custom-uri")
}
val errorHandler = OAuth2ErrorResponseErrorHandler()
errorHandler.setErrorConverter(errorConverter)使用构建器进行自定义
是否自定义RestClientRefreshTokenTokenResponseClient或提供您自己的OAuth2AccessTokenResponseClient的实现,您可以使用OAuth2AuthorizedClientProviderBuilder对其进行配置(作为发布bean的一个替代方案),如下所示:
-
Java
-
Kotlin
// Customize
OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> refreshTokenTokenResponseClient = ...
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken(configurer -> configurer.accessTokenResponseClient(refreshTokenTokenResponseClient))
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val refreshTokenTokenResponseClient: OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> = ...
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken { it.accessTokenResponseClient(refreshTokenTokenResponseClient) }
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
The OAuth2RefreshToken 可以在使用 authorization_code 和 password 授权类型时,可选地返回在 Access Token Response 中。
If the OAuth2AuthorizedClient.getRefreshToken() 是可用的,并且 OAuth2AuthorizedClient.getAccessToken() 已过期,则会自动由 RefreshTokenOAuth2AuthorizedClientProvider 刷新。
客户端凭证
|
有关客户端凭证授权类型的更多详细信息,请参阅 OAuth 2.0 授权框架。 |
请求访问Tokens
|
参见访问Tokens请求/响应协议流程,了解客户端凭证授权(Client Credentials grant)。 |
有两类实现OAuth2AccessTokenResponseClient可以用于向Tokens端点发送HTTP请求,以获取客户端凭据授权的访问Tokens:
-
DefaultClientCredentialsTokenResponseClient(默认) -
RestClientClientCredentialsTokenResponseClient
The default implementation uses a RestOperations 实例来在授权服务器的Tokens端点处交换授权码以获取访问Tokens。
Spring Security 6.4 引入了一个新的实现,基于RestClient,它提供了类似的功能但更好地与组件的响应式版本(基于WebClient)对齐,以便为两种堆栈上的应用程序提供一致的配置。
|
本节专注于 |
要启用使用RestClientClientCredentialsTokenResponseClient,只需提供一个bean,如下例所示,它将被默认的OAuth2AuthorizedClientManager自动识别:
-
Java
-
Kotlin
@Bean
public OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient() {
return new RestClientClientCredentialsTokenResponseClient();
}@Bean
fun accessTokenResponseClient(): OAuth2AccessTokenResponseClient<Client Credentials> {
return RestClientClientCredentialsTokenResponseClient()
}|
新的实现将在Spring Security 7 中默认使用。 |
RestClientClientCredentialsTokenResponseClient 非常灵活,并提供了多种自定义 OAuth 2.0 Access Token 请求和响应选项,适用于 Client Credentials 授予方式。
请选择以下用例以获取更多信息:
自定义访问Tokens请求
RestClientClientCredentialsTokenResponseClient 提供了用于自定义 OAuth 2.0 访问Tokens请求的 HTTP 请求头和请求参数的钩子。
自定义请求头
有两种自定义 HTTP 头部的选项:
-
通过调用
addHeadersConverter()添加额外的请求头 -
通过调用
setHeadersConverter()完全自定义标头
你可以使用 addHeadersConverter() 方法添加额外的请求头,而不会影响每个请求默认添加的请求头。
以下示例在 User-Agent 为 registrationId 时,向请求中添加一个 spring 请求头:
-
Java
-
Kotlin
RestClientClientCredentialsTokenResponseClient accessTokenResponseClient =
new RestClientClientCredentialsTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = RestClientClientCredentialsTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}你可以通过复用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定义实现来完全自定义请求头。
以下示例复用了 DefaultOAuth2TokenRequestHeadersConverter,并禁用了 encodeClientCredentials,从而使得 HTTP Basic 凭据不再使用 application/x-www-form-urlencoded 进行编码:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
RestClientClientCredentialsTokenResponseClient accessTokenResponseClient =
new RestClientClientCredentialsTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = RestClientClientCredentialsTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三种选项可用于自定义请求参数:
-
通过调用
addParametersConverter()添加额外参数 -
通过调用
setParametersConverter()来覆盖参数 -
通过调用
setParametersCustomizer()完全自定义参数
|
使用 |
你可以使用 addParametersConverter() 添加额外的参数,而不会影响每个请求中默认添加的参数。
以下示例在 audience 为 registrationId 时,向请求中添加一个 keycloak 参数:
-
Java
-
Kotlin
RestClientClientCredentialsTokenResponseClient accessTokenResponseClient =
new RestClientClientCredentialsTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = RestClientClientCredentialsTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}你可以使用 setParametersConverter() 来覆盖默认参数。
以下示例在 client_id 为 registrationId 时,覆盖了 okta 参数:
-
Java
-
Kotlin
RestClientClientCredentialsTokenResponseClient accessTokenResponseClient =
new RestClientClientCredentialsTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val parametersConverter = DefaultOAuth2TokenRequestParametersConverter<OAuth2ClientCredentialsGrantRequest>()
parametersConverter.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}
val accessTokenResponseClient = RestClientClientCredentialsTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全自定义参数(包括省略默认参数)。
以下示例在请求中包含 client_id 参数时,省略了 client_assertion 参数:
-
Java
-
Kotlin
RestClientClientCredentialsTokenResponseClient accessTokenResponseClient =
new RestClientClientCredentialsTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = RestClientClientCredentialsTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
RestClientClientCredentialsTokenResponseClient 提供了用于自定义 OAuth 2.0 访问Tokens响应的响应参数和错误处理的钩子。
自定义RestClient
您可以通过向 RestClient 提供一个预先配置好的 setRestClient() 来自定义Tokens(Token)响应。
默认的 RestClient 配置如下:
RestClient 配置-
Java
-
Kotlin
RestClient restClient = RestClient.builder()
.messageConverters(messageConverters -> {
messageConverters.clear();
messageConverters.add(new FormHttpMessageConverter());
messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
})
.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
.build();
RestClientClientCredentialsTokenResponseClient accessTokenResponseClient =
new RestClientClientCredentialsTokenResponseClient();
accessTokenResponseClient.setRestClient(restClient);val restClient = RestClient.builder()
.messageConverters { messageConverters ->
messageConverters.clear()
messageConverters.add(FormHttpMessageConverter())
messageConverters.add(OAuth2AccessTokenResponseHttpMessageConverter())
}
.defaultStatusHandler(OAuth2ErrorResponseErrorHandler())
.build()
val accessTokenResponseClient = RestClientClientCredentialsTokenResponseClient()
accessTokenResponseClient.setRestClient(restClient)OAuth2AccessTokenResponseHttpMessageConverter 是用于 OAuth 2.0 访问Tokens响应的 HttpMessageConverter。
您可以通过调用 OAuth2AccessTokenResponse 方法来自定义Tokens响应参数到 setAccessTokenResponseConverter() 的转换。
默认实现为 DefaultMapOAuth2AccessTokenResponseConverter。
OAuth2ErrorResponseErrorHandler 是一个 ResponseErrorHandler,可用于处理 OAuth 2.0 错误,例如 400 Bad Request。
它使用 OAuth2ErrorHttpMessageConverter 将 OAuth 2.0 错误参数转换为 OAuth2Error。
您可以通过调用 OAuth2Error 方法来自定义Tokens响应参数到 setErrorConverter() 的转换过程。
|
需要 Spring MVC 的 |
自定义响应参数
以下示例为自定义Tokens响应参数转换为 OAuth2AccessTokenResponse 提供了一个起点:
-
Java
-
Kotlin
OAuth2AccessTokenResponseHttpMessageConverter accessTokenResponseMessageConverter =
new OAuth2AccessTokenResponseHttpMessageConverter();
accessTokenResponseMessageConverter.setAccessTokenResponseConverter(parameters -> {
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build();
});val accessTokenResponseMessageConverter = OAuth2AccessTokenResponseHttpMessageConverter()
accessTokenResponseMessageConverter.setAccessTokenResponseConverter { parameters ->
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}自定义错误处理
以下示例为自定义将 Error 参数转换为 OAuth2Error 提供了一个起点:
-
Java
-
Kotlin
OAuth2ErrorHttpMessageConverter errorConverter =
new OAuth2ErrorHttpMessageConverter();
errorConverter.setErrorConverter(parameters -> {
// ...
return new OAuth2Error("custom-error", "custom description", "custom-uri");
});
OAuth2ErrorResponseErrorHandler errorHandler =
new OAuth2ErrorResponseErrorHandler();
errorHandler.setErrorConverter(errorConverter);val errorConverter = OAuth2ErrorHttpMessageConverter()
errorConverter.setErrorConverter { parameters ->
// ...
return OAuth2Error("custom-error", "custom description", "custom-uri")
}
val errorHandler = OAuth2ErrorResponseErrorHandler()
errorHandler.setErrorConverter(errorConverter)使用构建器进行自定义
是否自定义RestClientClientCredentialsTokenResponseClient或提供您自己的OAuth2AccessTokenResponseClient的实现,您可以使用OAuth2AuthorizedClientProviderBuilder对其进行配置(作为发布bean的一个替代方案),如下所示:
-
Java
-
Kotlin
// Customize
OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient = ...
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials(configurer -> configurer.accessTokenResponseClient(clientCredentialsTokenResponseClient))
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val clientCredentialsTokenResponseClient: OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> = ...
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials { it.accessTokenResponseClient(clientCredentialsTokenResponseClient) }
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
使用访问Tokens
请考虑以下用于 OAuth 2.0 客户端注册的 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: client_credentials
scope: read, write
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token进一步考虑以下 OAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
ClientRegistrationRepository clientRegistrationRepository,
OAuth2AuthorizedClientRepository authorizedClientRepository) {
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build();
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ClientRegistrationRepository,
authorizedClientRepository: OAuth2AuthorizedClientRepository): OAuth2AuthorizedClientManager {
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build()
val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}根据上述属性和 Bean,你可以按如下方式获取 OAuth2AccessToken:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private OAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/")
public String index(Authentication authentication,
HttpServletRequest servletRequest,
HttpServletResponse servletResponse) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attributes(attrs -> {
attrs.put(HttpServletRequest.class.getName(), servletRequest);
attrs.put(HttpServletResponse.class.getName(), servletResponse);
})
.build();
OAuth2AuthorizedClient authorizedClient = this.authorizedClientManager.authorize(authorizeRequest);
OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
// ...
return "index";
}
}class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientManager: OAuth2AuthorizedClientManager
@GetMapping("/")
fun index(authentication: Authentication?,
servletRequest: HttpServletRequest,
servletResponse: HttpServletResponse): String {
val authorizeRequest: OAuth2AuthorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attributes(Consumer { attrs: MutableMap<String, Any> ->
attrs[HttpServletRequest::class.java.name] = servletRequest
attrs[HttpServletResponse::class.java.name] = servletResponse
})
.build()
val authorizedClient = authorizedClientManager.authorize(authorizeRequest)
val accessToken: OAuth2AccessToken = authorizedClient.accessToken
// ...
return "index"
}
}|
|
资源所有者密码凭证
|
见OAuth 2.0授权框架以获取更多关于资源所有者密码凭证(Resource Owner Password Credentials)授权方式的细节。 |
请求访问Tokens
The default implementation of OAuth2AccessTokenResponseClient for the Resource Owner Password Credentials grant is DefaultPasswordTokenResponseClient, which uses a RestOperations when requesting an access token at the Authorization Server’s Token Endpoint.
|
The |
The DefaultPasswordTokenResponseClient 是灵活的,因为它允许您自定义Tokens请求的预处理或Tokens响应的后处理。
自定义访问Tokens请求
如果您需要自定义 Token 请求的预处理,可以提供 DefaultPasswordTokenResponseClient.setRequestEntityConverter() 一个自定义的 Converter<OAuth2PasswordGrantRequest, RequestEntity<?>>。
默认实现 (OAuth2PasswordGrantRequestEntityConverter) 构建了一个标准 OAuth 2.0 Access Token Request 的 RequestEntity 表现形式。
然而,提供一个自定义的 Converter 将允许您扩展标准 Token 请求并添加自定义参数(s)。
要仅自定义请求的参数,可以提供 OAuth2PasswordGrantRequestEntityConverter.setParametersConverter() 并使用自定义的 Converter<OAuth2PasswordGrantRequest, MultiValueMap<String, String>> 完全覆盖随请求发送的参数。这通常比直接构造一个 RequestEntity 更简单。
|
如果仅希望添加额外参数,可以提供 |
|
The custom |
自定义访问Tokens响应
在另一端,如果你需要自定义 Token Response 的后处理操作,你需要为 DefaultPasswordTokenResponseClient.setRestOperations() 提供一个自定义配置的 RestOperations。
默认的 RestOperations 配置如下:
-
Java
-
Kotlin
RestTemplate restTemplate = new RestTemplate(Arrays.asList(
new FormHttpMessageConverter(),
new OAuth2AccessTokenResponseHttpMessageConverter()));
restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());val restTemplate = RestTemplate(listOf(
FormHttpMessageConverter(),
OAuth2AccessTokenResponseHttpMessageConverter()))
restTemplate.errorHandler = OAuth2ErrorResponseErrorHandler()|
需要 Spring MVC 的 |
OAuth2AccessTokenResponseHttpMessageConverter 是 OAuth 2.0 访问Tokens响应的 HttpMessageConverter。 您可以为 OAuth2AccessTokenResponseHttpMessageConverter.setTokenResponseConverter() 提供一个自定义的 Converter<Map<String, String>, OAuth2AccessTokenResponse>,用于将 OAuth 2.0 访问Tokens响应参数转换为 OAuth2AccessTokenResponse。
OAuth2ErrorResponseErrorHandler 是一个可以处理 OAuth 2.0 错误(如 400 Bad Request)的 ResponseErrorHandler。
它使用一个 OAuth2ErrorHttpMessageConverter 将 OAuth 2.0 错误参数转换为 OAuth2Error。
使用构建器进行自定义
无论您是自定义 DefaultPasswordTokenResponseClient,还是提供自己的 OAuth2AccessTokenResponseClient 实现,都需要按如下方式进行配置:
-
Java
-
Kotlin
// Customize
OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> passwordTokenResponseClient = ...
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.password(configurer -> configurer.accessTokenResponseClient(passwordTokenResponseClient))
.refreshToken()
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);val passwordTokenResponseClient: OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> = ...
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.password { it.accessTokenResponseClient(passwordTokenResponseClient) }
.refreshToken()
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
使用访问Tokens
请考虑以下用于 OAuth 2.0 客户端注册的 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: password
scope: read, write
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token进一步考虑OAuth2AuthorizedClientManager@Bean:
-
Java
-
Kotlin
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
ClientRegistrationRepository clientRegistrationRepository,
OAuth2AuthorizedClientRepository authorizedClientRepository) {
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build();
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Assuming the `username` and `password` are supplied as `HttpServletRequest` parameters,
// map the `HttpServletRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper());
return authorizedClientManager;
}
private Function<OAuth2AuthorizeRequest, Map<String, Object>> contextAttributesMapper() {
return authorizeRequest -> {
Map<String, Object> contextAttributes = Collections.emptyMap();
HttpServletRequest servletRequest = authorizeRequest.getAttribute(HttpServletRequest.class.getName());
String username = servletRequest.getParameter(OAuth2ParameterNames.USERNAME);
String password = servletRequest.getParameter(OAuth2ParameterNames.PASSWORD);
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = new HashMap<>();
// `PasswordOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
}
return contextAttributes;
};
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ClientRegistrationRepository,
authorizedClientRepository: OAuth2AuthorizedClientRepository): OAuth2AuthorizedClientManager {
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build()
val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
// Assuming the `username` and `password` are supplied as `HttpServletRequest` parameters,
// map the `HttpServletRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper())
return authorizedClientManager
}
private fun contextAttributesMapper(): Function<OAuth2AuthorizeRequest, MutableMap<String, Any>> {
return Function { authorizeRequest ->
var contextAttributes: MutableMap<String, Any> = mutableMapOf()
val servletRequest: HttpServletRequest = authorizeRequest.getAttribute(HttpServletRequest::class.java.name)
val username = servletRequest.getParameter(OAuth2ParameterNames.USERNAME)
val password = servletRequest.getParameter(OAuth2ParameterNames.PASSWORD)
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = hashMapOf()
// `PasswordOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes[OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME] = username
contextAttributes[OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME] = password
}
contextAttributes
}
}根据上述属性和 Bean,你可以按如下方式获取 OAuth2AccessToken:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private OAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/")
public String index(Authentication authentication,
HttpServletRequest servletRequest,
HttpServletResponse servletResponse) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attributes(attrs -> {
attrs.put(HttpServletRequest.class.getName(), servletRequest);
attrs.put(HttpServletResponse.class.getName(), servletResponse);
})
.build();
OAuth2AuthorizedClient authorizedClient = this.authorizedClientManager.authorize(authorizeRequest);
OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
// ...
return "index";
}
}@Controller
class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientManager: OAuth2AuthorizedClientManager
@GetMapping("/")
fun index(authentication: Authentication?,
servletRequest: HttpServletRequest,
servletResponse: HttpServletResponse): String {
val authorizeRequest: OAuth2AuthorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attributes(Consumer {
it[HttpServletRequest::class.java.name] = servletRequest
it[HttpServletResponse::class.java.name] = servletResponse
})
.build()
val authorizedClient = authorizedClientManager.authorize(authorizeRequest)
val accessToken: OAuth2AccessToken = authorizedClient.accessToken
// ...
return "index"
}
}|
|
JWT Bearer
|
有关 JWT Bearer 授权的更多详细信息,请参阅《OAuth 2.0 客户端认证与授权许可的 JSON Web Token (JWT) 规范》。 |
请求访问Tokens
|
请参阅访问Tokens请求/响应协议流程,了解 JWT Bearer 授权类型。 |
可以用于向Tokens端点发送HTTP请求以获取JWT凭据授予的访问Tokens的OAuth2AccessTokenResponseClient实现有两个:
-
DefaultJwtBearerTokenResponseClient(默认) -
RestClientJwtBearerTokenResponseClient
The default implementation uses a RestOperations 实例来在授权服务器的Tokens端点处交换授权码以获取访问Tokens。
Spring Security 6.4 引入了一个新的实现,基于RestClient,它提供了类似的功能但更好地与组件的响应式版本(基于WebClient)对齐,以便为两种堆栈上的应用程序提供一致的配置。
|
本节专注于 |
要启用使用RestClientJwtBearerTokenResponseClient,只需提供一个bean,如下例所示,它将被默认的OAuth2AuthorizedClientManager自动识别:
-
Java
-
Kotlin
@Bean
public OAuth2AccessTokenResponseClient<JwtBearerGrantRequest> accessTokenResponseClient() {
return new RestClientJwtBearerTokenResponseClient();
}@Bean
fun accessTokenResponseClient(): OAuth2AccessTokenResponseClient<JWT Bearer> {
return RestClientJwtBearerTokenResponseClient()
}|
新的实现将在Spring Security 7 中默认使用。 |
RestClientJwtBearerTokenResponseClient 非常灵活,提供了多种选项用于自定义 JWT Bearer 授权的 OAuth 2.0 访问Tokens请求和响应。
请从以下使用场景中选择以了解更多信息:
自定义访问Tokens请求
RestClientJwtBearerTokenResponseClient 提供了用于自定义 OAuth 2.0 访问Tokens请求的 HTTP 请求头和请求参数的钩子。
自定义请求头
有两种自定义 HTTP 头部的选项:
-
通过调用
addHeadersConverter()添加额外的请求头 -
通过调用
setHeadersConverter()完全自定义标头
你可以使用 addHeadersConverter() 方法添加额外的请求头,而不会影响每个请求默认添加的请求头。
以下示例在 User-Agent 为 registrationId 时,向请求中添加一个 spring 请求头:
-
Java
-
Kotlin
RestClientJwtBearerTokenResponseClient accessTokenResponseClient =
new RestClientJwtBearerTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = RestClientJwtBearerTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}你可以通过复用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定义实现来完全自定义请求头。
以下示例复用了 DefaultOAuth2TokenRequestHeadersConverter,并禁用了 encodeClientCredentials,从而使得 HTTP Basic 凭据不再使用 application/x-www-form-urlencoded 进行编码:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
RestClientJwtBearerTokenResponseClient accessTokenResponseClient =
new RestClientJwtBearerTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = RestClientJwtBearerTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三种选项可用于自定义请求参数:
-
通过调用
addParametersConverter()添加额外参数 -
通过调用
setParametersConverter()来覆盖参数 -
通过调用
setParametersCustomizer()完全自定义参数
|
使用 |
你可以使用 addParametersConverter() 添加额外的参数,而不会影响每个请求中默认添加的参数。
以下示例在 audience 为 registrationId 时,向请求中添加一个 keycloak 参数:
-
Java
-
Kotlin
RestClientJwtBearerTokenResponseClient accessTokenResponseClient =
new RestClientJwtBearerTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = RestClientJwtBearerTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}你可以使用 setParametersConverter() 来覆盖默认参数。
以下示例在 client_id 为 registrationId 时,覆盖了 okta 参数:
-
Java
-
Kotlin
RestClientJwtBearerTokenResponseClient accessTokenResponseClient =
new RestClientJwtBearerTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val parametersConverter = DefaultOAuth2TokenRequestParametersConverter<JwtBearerGrantRequest>()
parametersConverter.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}
val accessTokenResponseClient = RestClientJwtBearerTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全自定义参数(包括省略默认参数)。
以下示例在请求中包含 client_id 参数时,省略了 client_assertion 参数:
-
Java
-
Kotlin
RestClientJwtBearerTokenResponseClient accessTokenResponseClient =
new RestClientJwtBearerTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = RestClientJwtBearerTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
RestClientJwtBearerTokenResponseClient 提供了用于自定义 OAuth 2.0 访问Tokens响应的响应参数和错误处理的钩子。
自定义RestClient
您可以通过向 RestClient 提供一个预先配置好的 setRestClient() 来自定义Tokens(Token)响应。
默认的 RestClient 配置如下:
RestClient 配置-
Java
-
Kotlin
RestClient restClient = RestClient.builder()
.messageConverters(messageConverters -> {
messageConverters.clear();
messageConverters.add(new FormHttpMessageConverter());
messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
})
.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
.build();
RestClientJwtBearerTokenResponseClient accessTokenResponseClient =
new RestClientJwtBearerTokenResponseClient();
accessTokenResponseClient.setRestClient(restClient);val restClient = RestClient.builder()
.messageConverters { messageConverters ->
messageConverters.clear()
messageConverters.add(FormHttpMessageConverter())
messageConverters.add(OAuth2AccessTokenResponseHttpMessageConverter())
}
.defaultStatusHandler(OAuth2ErrorResponseErrorHandler())
.build()
val accessTokenResponseClient = RestClientJwtBearerTokenResponseClient()
accessTokenResponseClient.setRestClient(restClient)OAuth2AccessTokenResponseHttpMessageConverter 是用于 OAuth 2.0 访问Tokens响应的 HttpMessageConverter。
您可以通过调用 OAuth2AccessTokenResponse 方法来自定义Tokens响应参数到 setAccessTokenResponseConverter() 的转换。
默认实现为 DefaultMapOAuth2AccessTokenResponseConverter。
OAuth2ErrorResponseErrorHandler 是一个 ResponseErrorHandler,可用于处理 OAuth 2.0 错误,例如 400 Bad Request。
它使用 OAuth2ErrorHttpMessageConverter 将 OAuth 2.0 错误参数转换为 OAuth2Error。
您可以通过调用 OAuth2Error 方法来自定义Tokens响应参数到 setErrorConverter() 的转换过程。
|
需要 Spring MVC 的 |
自定义响应参数
以下示例为自定义Tokens响应参数转换为 OAuth2AccessTokenResponse 提供了一个起点:
-
Java
-
Kotlin
OAuth2AccessTokenResponseHttpMessageConverter accessTokenResponseMessageConverter =
new OAuth2AccessTokenResponseHttpMessageConverter();
accessTokenResponseMessageConverter.setAccessTokenResponseConverter(parameters -> {
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build();
});val accessTokenResponseMessageConverter = OAuth2AccessTokenResponseHttpMessageConverter()
accessTokenResponseMessageConverter.setAccessTokenResponseConverter { parameters ->
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}自定义错误处理
以下示例为自定义将 Error 参数转换为 OAuth2Error 提供了一个起点:
-
Java
-
Kotlin
OAuth2ErrorHttpMessageConverter errorConverter =
new OAuth2ErrorHttpMessageConverter();
errorConverter.setErrorConverter(parameters -> {
// ...
return new OAuth2Error("custom-error", "custom description", "custom-uri");
});
OAuth2ErrorResponseErrorHandler errorHandler =
new OAuth2ErrorResponseErrorHandler();
errorHandler.setErrorConverter(errorConverter);val errorConverter = OAuth2ErrorHttpMessageConverter()
errorConverter.setErrorConverter { parameters ->
// ...
return OAuth2Error("custom-error", "custom description", "custom-uri")
}
val errorHandler = OAuth2ErrorResponseErrorHandler()
errorHandler.setErrorConverter(errorConverter)使用构建器进行自定义
是否自定义RestClientJwtBearerTokenResponseClient或提供您自己的OAuth2AccessTokenResponseClient的实现,您可以使用OAuth2AuthorizedClientProviderBuilder对其进行配置(作为发布bean的一个替代方案),如下所示:
-
Java
-
Kotlin
// Customize
OAuth2AccessTokenResponseClient<JwtBearerGrantRequest> jwtBearerTokenResponseClient = ...
JwtBearerOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider = new JwtBearerOAuth2AuthorizedClientProvider();
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient);
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val jwtBearerTokenResponseClient: OAuth2AccessTokenResponseClient<JwtBearerGrantRequest> = ...
val jwtBearerAuthorizedClientProvider = JwtBearerOAuth2AuthorizedClientProvider()
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient)
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)使用访问Tokens
给定以下用于 OAuth 2.0 客户端注册的 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: urn:ietf:params:oauth:grant-type:jwt-bearer
scope: read
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token... 和 OAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
ClientRegistrationRepository clientRegistrationRepository,
OAuth2AuthorizedClientRepository authorizedClientRepository) {
JwtBearerOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider =
new JwtBearerOAuth2AuthorizedClientProvider();
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build();
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ClientRegistrationRepository,
authorizedClientRepository: OAuth2AuthorizedClientRepository): OAuth2AuthorizedClientManager {
val jwtBearerAuthorizedClientProvider = JwtBearerOAuth2AuthorizedClientProvider()
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build()
val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}您可以按如下方式获取 OAuth2AccessToken:
-
Java
-
Kotlin
@RestController
public class OAuth2ResourceServerController {
@Autowired
private OAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/resource")
public String resource(JwtAuthenticationToken jwtAuthentication) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build();
OAuth2AuthorizedClient authorizedClient = this.authorizedClientManager.authorize(authorizeRequest);
OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
// ...
}
}class OAuth2ResourceServerController {
@Autowired
private lateinit var authorizedClientManager: OAuth2AuthorizedClientManager
@GetMapping("/resource")
fun resource(jwtAuthentication: JwtAuthenticationToken?): String {
val authorizeRequest: OAuth2AuthorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build()
val authorizedClient = authorizedClientManager.authorize(authorizeRequest)
val accessToken: OAuth2AccessToken = authorizedClient.accessToken
// ...
}
}|
|
|
如果你需要从其他来源解析 |
Tokens交换
|
有关Tokens交换授权的更多详细信息,请参阅 OAuth 2.0 Tokens交换。 |
请求访问Tokens
|
请参阅Tokens交换请求与响应协议流程,了解Tokens交换授权的相关内容。 |
使用 Java Spring 框架可以有两种实现方式 OAuth2AccessTokenResponseClient 来向 Token 终端点发送 HTTP 请求,以获取 Token 交换授权下的访问Tokens:
-
DefaultTokenExchangeTokenResponseClient(默认) -
RestClientTokenExchangeTokenResponseClient
The default implementation uses a RestOperations 实例来在授权服务器的Tokens端点处交换授权码以获取访问Tokens。
Spring Security 6.4 引入了一个新的实现,基于RestClient,它提供了类似的功能但更好地与组件的响应式版本(基于WebClient)对齐,以便为两种堆栈上的应用程序提供一致的配置。
|
本节专注于 |
要启用使用RestClientTokenExchangeTokenResponseClient,只需提供一个bean,如下例所示,它将被默认的OAuth2AuthorizedClientManager自动识别:
-
Java
-
Kotlin
@Bean
public OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> accessTokenResponseClient() {
return new RestClientTokenExchangeTokenResponseClient();
}@Bean
fun accessTokenResponseClient(): OAuth2AccessTokenResponseClient<Token Exchange> {
return RestClientTokenExchangeTokenResponseClient()
}|
新的实现将在Spring Security 7 中默认使用。 |
RestClientTokenExchangeTokenResponseClient 非常灵活,并提供了多种选项来自定义 OAuth 2.0 Access Token 的请求和响应(针对 Token Exchange 授予方式)。
选择以下用例以获取更多信息:
自定义访问Tokens请求
RestClientTokenExchangeTokenResponseClient 提供了用于自定义 OAuth 2.0 访问Tokens请求的 HTTP 请求头和请求参数的钩子。
自定义请求头
有两种自定义 HTTP 头部的选项:
-
通过调用
addHeadersConverter()添加额外的请求头 -
通过调用
setHeadersConverter()完全自定义标头
你可以使用 addHeadersConverter() 方法添加额外的请求头,而不会影响每个请求默认添加的请求头。
以下示例在 User-Agent 为 registrationId 时,向请求中添加一个 spring 请求头:
-
Java
-
Kotlin
RestClientTokenExchangeTokenResponseClient accessTokenResponseClient =
new RestClientTokenExchangeTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = RestClientTokenExchangeTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}你可以通过复用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定义实现来完全自定义请求头。
以下示例复用了 DefaultOAuth2TokenRequestHeadersConverter,并禁用了 encodeClientCredentials,从而使得 HTTP Basic 凭据不再使用 application/x-www-form-urlencoded 进行编码:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
RestClientTokenExchangeTokenResponseClient accessTokenResponseClient =
new RestClientTokenExchangeTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = RestClientTokenExchangeTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三种选项可用于自定义请求参数:
-
通过调用
addParametersConverter()添加额外参数 -
通过调用
setParametersConverter()来覆盖参数 -
通过调用
setParametersCustomizer()完全自定义参数
|
使用 |
你可以使用 addParametersConverter() 添加额外的参数,而不会影响每个请求中默认添加的参数。
以下示例在 audience 为 registrationId 时,向请求中添加一个 keycloak 参数:
-
Java
-
Kotlin
RestClientTokenExchangeTokenResponseClient accessTokenResponseClient =
new RestClientTokenExchangeTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = RestClientTokenExchangeTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}你可以使用 setParametersConverter() 来覆盖默认参数。
以下示例在 client_id 为 registrationId 时,覆盖了 okta 参数:
-
Java
-
Kotlin
RestClientTokenExchangeTokenResponseClient accessTokenResponseClient =
new RestClientTokenExchangeTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val parametersConverter = DefaultOAuth2TokenRequestParametersConverter<TokenExchangeGrantRequest>()
parametersConverter.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}
val accessTokenResponseClient = RestClientTokenExchangeTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全自定义参数(包括省略默认参数)。
以下示例在请求中包含 client_id 参数时,省略了 client_assertion 参数:
-
Java
-
Kotlin
RestClientTokenExchangeTokenResponseClient accessTokenResponseClient =
new RestClientTokenExchangeTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = RestClientTokenExchangeTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
RestClientTokenExchangeTokenResponseClient 提供了用于自定义 OAuth 2.0 访问Tokens响应的响应参数和错误处理的钩子。
自定义RestClient
您可以通过向 RestClient 提供一个预先配置好的 setRestClient() 来自定义Tokens(Token)响应。
默认的 RestClient 配置如下:
RestClient 配置-
Java
-
Kotlin
RestClient restClient = RestClient.builder()
.messageConverters(messageConverters -> {
messageConverters.clear();
messageConverters.add(new FormHttpMessageConverter());
messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
})
.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
.build();
RestClientTokenExchangeTokenResponseClient accessTokenResponseClient =
new RestClientTokenExchangeTokenResponseClient();
accessTokenResponseClient.setRestClient(restClient);val restClient = RestClient.builder()
.messageConverters { messageConverters ->
messageConverters.clear()
messageConverters.add(FormHttpMessageConverter())
messageConverters.add(OAuth2AccessTokenResponseHttpMessageConverter())
}
.defaultStatusHandler(OAuth2ErrorResponseErrorHandler())
.build()
val accessTokenResponseClient = RestClientTokenExchangeTokenResponseClient()
accessTokenResponseClient.setRestClient(restClient)OAuth2AccessTokenResponseHttpMessageConverter 是用于 OAuth 2.0 访问Tokens响应的 HttpMessageConverter。
您可以通过调用 OAuth2AccessTokenResponse 方法来自定义Tokens响应参数到 setAccessTokenResponseConverter() 的转换。
默认实现为 DefaultMapOAuth2AccessTokenResponseConverter。
OAuth2ErrorResponseErrorHandler 是一个 ResponseErrorHandler,可用于处理 OAuth 2.0 错误,例如 400 Bad Request。
它使用 OAuth2ErrorHttpMessageConverter 将 OAuth 2.0 错误参数转换为 OAuth2Error。
您可以通过调用 OAuth2Error 方法来自定义Tokens响应参数到 setErrorConverter() 的转换过程。
|
需要 Spring MVC 的 |
自定义响应参数
以下示例为自定义Tokens响应参数转换为 OAuth2AccessTokenResponse 提供了一个起点:
-
Java
-
Kotlin
OAuth2AccessTokenResponseHttpMessageConverter accessTokenResponseMessageConverter =
new OAuth2AccessTokenResponseHttpMessageConverter();
accessTokenResponseMessageConverter.setAccessTokenResponseConverter(parameters -> {
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build();
});val accessTokenResponseMessageConverter = OAuth2AccessTokenResponseHttpMessageConverter()
accessTokenResponseMessageConverter.setAccessTokenResponseConverter { parameters ->
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}自定义错误处理
以下示例为自定义将 Error 参数转换为 OAuth2Error 提供了一个起点:
-
Java
-
Kotlin
OAuth2ErrorHttpMessageConverter errorConverter =
new OAuth2ErrorHttpMessageConverter();
errorConverter.setErrorConverter(parameters -> {
// ...
return new OAuth2Error("custom-error", "custom description", "custom-uri");
});
OAuth2ErrorResponseErrorHandler errorHandler =
new OAuth2ErrorResponseErrorHandler();
errorHandler.setErrorConverter(errorConverter);val errorConverter = OAuth2ErrorHttpMessageConverter()
errorConverter.setErrorConverter { parameters ->
// ...
return OAuth2Error("custom-error", "custom description", "custom-uri")
}
val errorHandler = OAuth2ErrorResponseErrorHandler()
errorHandler.setErrorConverter(errorConverter)使用构建器进行自定义
是否自定义RestClientTokenExchangeTokenResponseClient或提供您自己的OAuth2AccessTokenResponseClient的实现,您可以使用OAuth2AuthorizedClientProviderBuilder对其进行配置(作为发布bean的一个替代方案),如下所示:
-
Java
-
Kotlin
// Customize
OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> tokenExchangeTokenResponseClient = ...
TokenExchangeOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider = new TokenExchangeOAuth2AuthorizedClientProvider();
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeTokenResponseClient);
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val tokenExchangeTokenResponseClient: OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> = ...
val tokenExchangeAuthorizedClientProvider = TokenExchangeOAuth2AuthorizedClientProvider()
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeTokenResponseClient)
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)使用访问Tokens
给定以下用于 OAuth 2.0 客户端注册的 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: urn:ietf:params:oauth:grant-type:token-exchange
scope: read
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token... 和 OAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
ClientRegistrationRepository clientRegistrationRepository,
OAuth2AuthorizedClientRepository authorizedClientRepository) {
TokenExchangeOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider =
new TokenExchangeOAuth2AuthorizedClientProvider();
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build();
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ClientRegistrationRepository,
authorizedClientRepository: OAuth2AuthorizedClientRepository): OAuth2AuthorizedClientManager {
val tokenExchangeAuthorizedClientProvider = TokenExchangeOAuth2AuthorizedClientProvider()
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build()
val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}您可以按如下方式获取 OAuth2AccessToken:
-
Java
-
Kotlin
@RestController
public class OAuth2ResourceServerController {
@Autowired
private OAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/resource")
public String resource(JwtAuthenticationToken jwtAuthentication) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build();
OAuth2AuthorizedClient authorizedClient = this.authorizedClientManager.authorize(authorizeRequest);
OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
// ...
}
}class OAuth2ResourceServerController {
@Autowired
private lateinit var authorizedClientManager: OAuth2AuthorizedClientManager
@GetMapping("/resource")
fun resource(jwtAuthentication: JwtAuthenticationToken?): String {
val authorizeRequest: OAuth2AuthorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build()
val authorizedClient = authorizedClientManager.authorize(authorizeRequest)
val accessToken: OAuth2AccessToken = authorizedClient.accessToken
// ...
}
}|
|
|
如果你需要从不同的来源解析主体Tokens(subject token),可以向 |
|
如果你需要解析一个参与者(actor)Tokens,可以向 |