Spring 授权服务器核心协议端点

高子歌

 关注

阅读 90

2022-12-06

Spring 授权服务器核心协议端点_客户端

OAuth2 授权端点

​OAuth2AuthorizationEndpointConfigurer​​提供自定义OAuth2 授权端点的功能。 它定义了扩展点,允许您自定义OAuth2 授权请求的预处理、主处理和后处理逻辑。

​OAuth2AuthorizationEndpointConfigurer​​提供以下配置选项:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
  OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
    new OAuth2AuthorizationServerConfigurer();
  http.apply(authorizationServerConfigurer);

  authorizationServerConfigurer
    .authorizationEndpoint(authorizationEndpoint ->
      authorizationEndpoint
        .authorizationRequestConverter(authorizationRequestConverter)   
        .authorizationRequestConverters(authorizationRequestConvertersConsumer) 
        .authenticationProvider(authenticationProvider) 
        .authenticationProviders(authenticationProvidersConsumer)   
        .authorizationResponseHandler(authorizationResponseHandler) 
        .errorResponseHandler(errorResponseHandler) 
        .consentPage("/oauth2/v1/authorize")    
    );

  return http.build();
}

​authorizationRequestConverter()​​​:将尝试从实例 ofor 中提取OAuth2 授权请求(或同意)时使用的(预处理器)添加。​​AuthenticationConverter​​​​HttpServletRequest​​​​OAuth2AuthorizationCodeRequestAuthenticationToken​​​​OAuth2AuthorizationConsentAuthenticationToken​

​authorizationRequestConverters()​​​:设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。​​Consumer​​​​List​​​​AuthenticationConverter​​​​AuthenticationConverter​

​authenticationProvider()​​:添加用于验证理论的(主处理器)。​​AuthenticationProvider​​​​OAuth2AuthorizationCodeRequestAuthenticationToken​​​​OAuth2AuthorizationConsentAuthenticationToken​

​authenticationProviders()​​​:设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。​​Consumer​​​​List​​​​AuthenticationProvider​​​​AuthenticationProvider​

​authorizationResponseHandler()​​:(后处理器)用于处理“经过身份验证”并返回OAuth2AuthorizationResponse​。​​AuthenticationSuccessHandler​​​​OAuth2AuthorizationCodeRequestAuthenticationToken​

​errorResponseHandler()​​​:用于处理返回OAuth2Error 响应的 anand 的(后处理器)。​​AuthenticationFailureHandler​​​​OAuth2AuthorizationCodeRequestAuthenticationException​

​consentPage()​​​:自定义同意页面,用于将资源所有者重定向到授权请求流期间是否需要同意。​​URI​

​OAuth2AuthorizationEndpointConfigurer​​配置并使用 OAuth2 授权 server.is 处理 OAuth2 授权请求(和同意)进行注册。​​OAuth2AuthorizationEndpointFilter​​​​SecurityFilterChain​​​​@Bean​​​​OAuth2AuthorizationEndpointFilter​​​​Filter​

​OAuth2AuthorizationEndpointFilter​​配置了以下默认值:

  • AuthenticationConverter​——由和组成。DelegatingAuthenticationConverterOAuth2AuthorizationCodeRequestAuthenticationConverterOAuth2AuthorizationConsentAuthenticationConverter
  • AuthenticationManager​——安安。AuthenticationManagerOAuth2AuthorizationCodeRequestAuthenticationProviderOAuth2AuthorizationConsentAuthenticationProvider
  • AuthenticationSuccessHandler​— 处理“经过身份验证”并返回的内部实现。OAuth2AuthorizationCodeRequestAuthenticationTokenOAuth2AuthorizationResponse
  • AuthenticationFailureHandler​— 使用与 the和 关联的内部实现 返回响应。OAuth2ErrorOAuth2AuthorizationCodeRequestAuthenticationExceptionOAuth2Error

自定义授权请求验证

​OAuth2AuthorizationCodeRequestAuthenticationValidator​​是用于验证授权代码授予中使用的特定 OAuth2 授权请求参数的默认验证器。 默认实现验证 and参数。 如果验证失败,则引发 anis。​​redirect_uri​​​​scope​​​​OAuth2AuthorizationCodeRequestAuthenticationException​

​OAuth2AuthorizationCodeRequestAuthenticationProvider​​提供通过提供 typeto 的自定义身份验证验证程序来覆盖默认授权请求验证的功能。​​Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext>​​​​setAuthenticationValidator()​

​OAuth2AuthorizationCodeRequestAuthenticationContext​​​保存,其中包含 OAuth2 授权请求参数。​​OAuth2AuthorizationCodeRequestAuthenticationToken​

如果验证失败,身份验证验证程序必须抛出。​​OAuth2AuthorizationCodeRequestAuthenticationException​

在开发生命周期阶段的一个常见用例是允许参数。​​localhost​​​​redirect_uri​

以下示例演示如何使用允许参数的自定义身份验证验证程序进行配置:​​OAuth2AuthorizationCodeRequestAuthenticationProvider​​​​localhost​​​​redirect_uri​

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
  OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
    new OAuth2AuthorizationServerConfigurer();
  http.apply(authorizationServerConfigurer);

  authorizationServerConfigurer
    .authorizationEndpoint(authorizationEndpoint ->
      authorizationEndpoint
        .authenticationProviders(configureAuthenticationValidator())
    );

  return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
  return (authenticationProviders) ->
    authenticationProviders.forEach((authenticationProvider) -> {
      if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
        Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
          // Override default redirect_uri validator
          new CustomRedirectUriValidator()
            // Reuse default scope validator
            .andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);

        ((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
          .setAuthenticationValidator(authenticationValidator);
      }
    });
}

static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

  @Override
  public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
    OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
      authenticationContext.getAuthentication();
    RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
    String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();

    // Use exact string matching when comparing client redirect URIs against pre-registered URIs
    if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
      OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
      throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
    }
  }
}

OAuth2 令牌端点

​OAuth2TokenEndpointConfigurer​​提供自定义OAuth2 令牌终结点的功能。 它定义了扩展点,允许您自定义OAuth2 访问令牌请求的预处理、主处理和后处理逻辑。

​OAuth2TokenEndpointConfigurer​​提供以下配置选项:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
  OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
    new OAuth2AuthorizationServerConfigurer();
  http.apply(authorizationServerConfigurer);

  authorizationServerConfigurer
    .tokenEndpoint(tokenEndpoint ->
      tokenEndpoint
        .accessTokenRequestConverter(accessTokenRequestConverter)   
        .accessTokenRequestConverters(accessTokenRequestConvertersConsumer) 
        .authenticationProvider(authenticationProvider) 
        .authenticationProviders(authenticationProvidersConsumer)   
        .accessTokenResponseHandler(accessTokenResponseHandler) 
        .errorResponseHandler(errorResponseHandler) 
    );

  return http.build();
}

​accessTokenRequestConverter()​​​:添加尝试从中提取OAuth2 访问令牌请求时使用的(预处理器)到实例。​​AuthenticationConverter​​​​HttpServletRequest​​​​OAuth2AuthorizationGrantAuthenticationToken​

​accessTokenRequestConverters()​​​:设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。​​Consumer​​​​List​​​​AuthenticationConverter​​​​AuthenticationConverter​

​authenticationProvider()​​:添加用于身份验证的(主处理器)。​​AuthenticationProvider​​​​OAuth2AuthorizationGrantAuthenticationToken​

​authenticationProviders()​​​:设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。​​Consumer​​​​List​​​​AuthenticationProvider​​​​AuthenticationProvider​

​accessTokenResponseHandler()​​​:用于处理返回OAuth2AccessTokenResponse 的 anand 的(后处理器)。​​AuthenticationSuccessHandler​​​​OAuth2AccessTokenAuthenticationToken​

​errorResponseHandler()​​​:用于处理返回OAuth2Error 响应的 anand 的(后处理器)。​​AuthenticationFailureHandler​​​​OAuth2AuthenticationException​

​OAuth2TokenEndpointConfigurer​​配置并使用 OAuth2 授权 server.is 处理 OAuth2 访问令牌请求进行注册。​​OAuth2TokenEndpointFilter​​​​SecurityFilterChain​​​​@Bean​​​​OAuth2TokenEndpointFilter​​​​Filter​

支持的授权授权类型包括、和。​​authorization_code​​​​refresh_token​​​​client_credentials​

​OAuth2TokenEndpointFilter​​配置了以下默认值:

  • AuthenticationConverter​— 由、和组成。DelegatingAuthenticationConverterOAuth2AuthorizationCodeAuthenticationConverterOAuth2RefreshTokenAuthenticationConverterOAuth2ClientCredentialsAuthenticationConverter
  • AuthenticationManager​— 由、、和组成。AuthenticationManagerOAuth2AuthorizationCodeAuthenticationProviderOAuth2RefreshTokenAuthenticationProviderOAuth2ClientCredentialsAuthenticationProvider
  • AuthenticationSuccessHandler​— 处理 anand 返回的内部实现。OAuth2AccessTokenAuthenticationTokenOAuth2AccessTokenResponse
  • AuthenticationFailureHandler​— 使用与 the和 关联的内部实现 返回响应。OAuth2ErrorOAuth2AuthenticationExceptionOAuth2Error

OAuth2 令牌侦测端点

​OAuth2TokenIntrospectionEndpointConfigurer​​提供自定义OAuth2 令牌侦测端点的功能。 它定义了扩展点,允许您自定义OAuth2 侦测请求的预处理、主处理和后处理逻辑。

​OAuth2TokenIntrospectionEndpointConfigurer​​提供以下配置选项:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
  OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
    new OAuth2AuthorizationServerConfigurer();
  http.apply(authorizationServerConfigurer);

  authorizationServerConfigurer
    .tokenIntrospectionEndpoint(tokenIntrospectionEndpoint ->
      tokenIntrospectionEndpoint
        .introspectionRequestConverter(introspectionRequestConverter)   
        .introspectionRequestConverters(introspectionRequestConvertersConsumer) 
        .authenticationProvider(authenticationProvider) 
        .authenticationProviders(authenticationProvidersConsumer)   
        .introspectionResponseHandler(introspectionResponseHandler) 
        .errorResponseHandler(errorResponseHandler) 
    );

  return http.build();
}

​introspectionRequestConverter()​​​:添加尝试从中提取OAuth2 侦测请求时使用的(预处理器)到实例。​​AuthenticationConverter​​​​HttpServletRequest​​​​OAuth2TokenIntrospectionAuthenticationToken​

​introspectionRequestConverters()​​​:设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。​​Consumer​​​​List​​​​AuthenticationConverter​​​​AuthenticationConverter​

​authenticationProvider()​​:添加用于身份验证的(主处理器)。​​AuthenticationProvider​​​​OAuth2TokenIntrospectionAuthenticationToken​

​authenticationProviders()​​​:设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。​​Consumer​​​​List​​​​AuthenticationProvider​​​​AuthenticationProvider​

​introspectionResponseHandler()​​​:用于处理“经过身份验证”并返回OAuth2TokenIntrospection 响应的(后处理器)。​​AuthenticationSuccessHandler​​​​OAuth2TokenIntrospectionAuthenticationToken​

​errorResponseHandler()​​​:用于处理返回OAuth2Error 响应的 anand 的(后处理器)。​​AuthenticationFailureHandler​​​​OAuth2AuthenticationException​

​OAuth2TokenIntrospectionEndpointConfigurer​​配置并使用 OAuth2 授权 server.is 处理 OAuth2 自检请求。​​OAuth2TokenIntrospectionEndpointFilter​​​​SecurityFilterChain​​​​@Bean​​​​OAuth2TokenIntrospectionEndpointFilter​​​​Filter​

​OAuth2TokenIntrospectionEndpointFilter​​配置了以下默认值:

  • AuthenticationConverter​— 安.OAuth2TokenIntrospectionAuthenticationConverter
  • AuthenticationManager​——由。AuthenticationManagerOAuth2TokenIntrospectionAuthenticationProvider
  • AuthenticationSuccessHandler​— 处理“经过身份验证”并返回响应的内部实现。OAuth2TokenIntrospectionAuthenticationTokenOAuth2TokenIntrospection
  • AuthenticationFailureHandler​— 使用与 the和 关联的内部实现 返回响应。OAuth2ErrorOAuth2AuthenticationException​OAuth2Error​

OAuth2 令牌吊销端点

​OAuth2TokenRevocationEndpointConfigurer​​提供自定义OAuth2 令牌吊销终结点的功能。 它定义了扩展点,允许您自定义OAuth2 吊销请求的预处理、主处理和后处理逻辑。

​OAuth2TokenRevocationEndpointConfigurer​​提供以下配置选项:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
  OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
    new OAuth2AuthorizationServerConfigurer();
  http.apply(authorizationServerConfigurer);

  authorizationServerConfigurer
    .tokenRevocationEndpoint(tokenRevocationEndpoint ->
      tokenRevocationEndpoint
        .revocationRequestConverter(revocationRequestConverter) 
        .revocationRequestConverters(revocationRequestConvertersConsumer)   
        .authenticationProvider(authenticationProvider) 
        .authenticationProviders(authenticationProvidersConsumer)   
        .revocationResponseHandler(revocationResponseHandler)   
        .errorResponseHandler(errorResponseHandler) 
    );

  return http.build();
}


​revocationRequestConverter()​​​:将尝试从中提取​​OAuth2 吊销请求​​时使用的(预处理器)添加到 的实例。​​AuthenticationConverter​​​​HttpServletRequest​​​​OAuth2TokenRevocationAuthenticationToken​


​revocationRequestConverters()​​​:设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。​​Consumer​​​​List​​​​AuthenticationConverter​​​​AuthenticationConverter​


​authenticationProvider()​​:添加用于身份验证的(主处理器)。​​AuthenticationProvider​​​​OAuth2TokenRevocationAuthenticationToken​


​authenticationProviders()​​​:设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。​​Consumer​​​​List​​​​AuthenticationProvider​​​​AuthenticationProvider​


​revocationResponseHandler()​​​:用于处理“经过身份验证”并返回​​OAuth2 吊销响应​​的(后处理器)。​​AuthenticationSuccessHandler​​​​OAuth2TokenRevocationAuthenticationToken​


​errorResponseHandler()​​​:用于处理返回​​OAuth2Error 响应​​的 anand 的(后处理器)。​​AuthenticationFailureHandler​​​​OAuth2AuthenticationException​

​OAuth2TokenRevocationEndpointConfigurer​​配置并使用 OAuth2 授权 server.is 处理 OAuth2 吊销请求进行注册。​​OAuth2TokenRevocationEndpointFilter​​​​SecurityFilterChain​​​​@Bean​​​​OAuth2TokenRevocationEndpointFilter​​​​Filter​

​OAuth2TokenRevocationEndpointFilter​​配置了以下默认值:

  • AuthenticationConverter​— 安.OAuth2TokenRevocationAuthenticationConverter
  • AuthenticationManager​——由。AuthenticationManagerOAuth2TokenRevocationAuthenticationProvider
  • AuthenticationSuccessHandler​— 处理“经过身份验证”并返回 OAuth2 吊销响应的内部实现。OAuth2TokenRevocationAuthenticationToken
  • AuthenticationFailureHandler​— 使用与 the和 关联的内部实现 返回响应。OAuth2ErrorOAuth2AuthenticationExceptionOAuth2Error

OAuth2 授权服务器元数据端点

​OAuth2AuthorizationServerMetadataEndpointConfigurer​​提供自定义OAuth2 授权服务器元数据终结点的功能。 它定义了一个扩展点,允许您自定义OAuth2 授权服务器元数据响应。

​OAuth2AuthorizationServerMetadataEndpointConfigurer​​提供以下配置选项:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
  OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
    new OAuth2AuthorizationServerConfigurer();
  http.apply(authorizationServerConfigurer);

  authorizationServerConfigurer
    .authorizationServerMetadataEndpoint(authorizationServerMetadataEndpoint ->
      authorizationServerMetadataEndpoint
        .authorizationServerMetadataCustomizer(authorizationServerMetadataCustomizer));   

  return http.build();
}

​authorizationServerMetadataCustomizer()​​​:提供对允许自定义授权服务器配置声明的访问。​​Consumer​​​​OAuth2AuthorizationServerMetadata.Builder​

​OAuth2AuthorizationServerMetadataEndpointConfigurer​​配置并使用返回OAuth2AuthorizationServerMetadata 响应的 OAuth2 授权 server.is 注册它。​​OAuth2AuthorizationServerMetadataEndpointFilter​​​​SecurityFilterChain​​​​@Bean​​​​OAuth2AuthorizationServerMetadataEndpointFilter​​​​Filter​

JWK 设置终结点

​OAuth2AuthorizationServerConfigurer​​提供对JWK 集终结点的支持。

OAuth2AuthorizationServerConfigurer配置并使用返回JWK 集的 OAuth2 授权 server.is 注册它。​​NimbusJwkSetEndpointFilter​​​​SecurityFilterChain​​​​@Bean​​​​NimbusJwkSetEndpointFilter​​​​Filter​

仅当 ais 已注册时,才会配置 JWK Set 终结点。​​JWKSource<SecurityContext>​​​​@Bean​

OpenID Connect 1.0 提供程序配置终结点

​OidcProviderConfigurationEndpointConfigurer​​提供自定义OpenID Connect 1.0 提供程序配置终结点的功能。 它定义了一个扩展点,可用于自定义OpenID 提供程序配置响应。

​OidcProviderConfigurationEndpointConfigurer​​提供以下配置选项:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
  OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
    new OAuth2AuthorizationServerConfigurer();
  http.apply(authorizationServerConfigurer);

  authorizationServerConfigurer
    .oidc(oidc ->
      oidc
        .providerConfigurationEndpoint(providerConfigurationEndpoint ->
          providerConfigurationEndpoint
            .providerConfigurationCustomizer(providerConfigurationCustomizer)   
        )
    );

  return http.build();
}

​providerConfigurationCustomizer()​​​:提供对允许自定义 OpenID 提供程序配置的声明的访问。​​Consumer​​​​OidcProviderConfiguration.Builder​

​OidcProviderConfigurationEndpointConfigurer​​配置并使用返回OidcProviderConfiguration 响应的 OAuth2 授权 server.is 注册它。​​OidcProviderConfigurationEndpointFilter​​​​SecurityFilterChain​​​​@Bean​​​​OidcProviderConfigurationEndpointFilter​​​​Filter​

OpenID Connect 1.0 UserInfo Endpoint

​OidcUserInfoEndpointConfigurer​​提供自定义OpenID Connect 1.0 UserInfo 端点的功能。 它定义了扩展点,使您可以自定义UserInfo 请求的预处理、主处理和后处理逻辑。

​OidcUserInfoEndpointConfigurer​​提供以下配置选项:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
  OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
    new OAuth2AuthorizationServerConfigurer();
  http.apply(authorizationServerConfigurer);

  authorizationServerConfigurer
    .oidc(oidc ->
      oidc
        .userInfoEndpoint(userInfoEndpoint ->
          userInfoEndpoint
            .userInfoRequestConverter(userInfoRequestConverter) 
            .userInfoRequestConverters(userInfoRequestConvertersConsumer) 
            .authenticationProvider(authenticationProvider) 
            .authenticationProviders(authenticationProvidersConsumer) 
            .userInfoResponseHandler(userInfoResponseHandler) 
            .errorResponseHandler(errorResponseHandler) 
            .userInfoMapper(userInfoMapper) 
        )
    );

  return http.build();
}

​userInfoRequestConverter()​​​:添加尝试从中提取用户信息请求时使用的(预处理器)到实例。​​AuthenticationConverter​​​​HttpServletRequest​​​​OidcUserInfoAuthenticationToken​

​userInfoRequestConverters()​​​:设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。​​Consumer​​​​List​​​​AuthenticationConverter​​​​AuthenticationConverter​

​authenticationProvider()​​:添加用于身份验证的(主处理器)。​​AuthenticationProvider​​​​OidcUserInfoAuthenticationToken​

​authenticationProviders()​​​:设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。​​Consumer​​​​List​​​​AuthenticationProvider​​​​AuthenticationProvider​

​userInfoResponseHandler()​​​:用于处理“经过身份验证”并返回用户信息响应的(后处理器)。​​AuthenticationSuccessHandler​​​​OidcUserInfoAuthenticationToken​

​errorResponseHandler()​​​:用于处理返回用户信息错误响应的(后处理器)。​​AuthenticationFailureHandler​​​​OAuth2AuthenticationException​

​userInfoMapper()​​​:用于从实例中提取声明。​​Function​​​​OidcUserInfoAuthenticationContext​​​​OidcUserInfo​

​OidcUserInfoEndpointConfigurer​​配置并使用 OAuth2 授权 server.is 处理用户信息请求并返回OidcUserInfo 响应。​​OidcUserInfoEndpointFilter​​​​SecurityFilterChain​​​​@Bean​​​​OidcUserInfoEndpointFilter​​​​Filter​

​OidcUserInfoEndpointFilter​​配置了以下默认值:

  • AuthenticationConverter​— 从 the获取 和 创建 anwith 主体的内部实现。AuthenticationSecurityContextOidcUserInfoAuthenticationToken
  • AuthenticationManager​— 由 组成,它与内部实现相关联,根据授权期间请求的范围从ID 令牌中提取标准声明。AuthenticationManagerOidcUserInfoAuthenticationProvideruserInfoMapper
  • AuthenticationSuccessHandler​— 处理“经过身份验证”并返回响应的内部实现。OidcUserInfoAuthenticationTokenOidcUserInfo
  • AuthenticationFailureHandler​— 使用与 the和 关联的内部实现 返回响应。OAuth2ErrorOAuth2AuthenticationExceptionOAuth2Error


您可以通过提供OAuth2TokenCustomizer<JwtEncodingContext>​ 来自定义 ID 令牌。​​@Bean​

The OpenID Connect 1.0 UserInfo endpoint is an OAuth2 protected resource, which REQUIRES an access token to be sent as a bearer token in the UserInfo request. The following example shows how to enable the OAuth2 resource server configuration:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
  OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
    new OAuth2AuthorizationServerConfigurer();
  http.apply(authorizationServerConfigurer);

  ...

  http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);

  return http.build();
}

@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
  return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}

AisforOpenID Connect 1.0 UserInfo 端点。​​JwtDecoder​​​​@Bean​



指南操作方法:自定义 OpenID Connect 1.0UserInfo 响应包含自定义 UserInfo 终结点的示例。

OpenID Connect 1.0 客户端注册终结点

​OidcClientRegistrationEndpointConfigurer​​提供自定义OpenID Connect 1.0 客户端注册终结点的功能。 它定义了扩展点,允许您自定义客户端注册请求或客户端读取请求的预处理、主处理和后处理逻辑。

​OidcClientRegistrationEndpointConfigurer​​提供以下配置选项:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
  OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
    new OAuth2AuthorizationServerConfigurer();
  http.apply(authorizationServerConfigurer);

  authorizationServerConfigurer
    .oidc(oidc ->
      oidc
        .clientRegistrationEndpoint(clientRegistrationEndpoint ->
          clientRegistrationEndpoint
            .clientRegistrationRequestConverter(clientRegistrationRequestConverter) 
            .clientRegistrationRequestConverters(clientRegistrationRequestConvertersConsumers) 
            .authenticationProvider(authenticationProvider) 
            .authenticationProviders(authenticationProvidersConsumer) 
            .clientRegistrationResponseHandler(clientRegistrationResponseHandler) 
            .errorResponseHandler(errorResponseHandler) 
        )
    );

  return http.build();
}

​clientRegistrationRequestConverter()​​​:添加尝试从中提取客户端注册​请求或客户端读取请求时使用的(预处理器)。​​AuthenticationConverter​​​​HttpServletRequest​​​​OidcClientRegistrationAuthenticationToken​

​clientRegistrationRequestConverters()​​​:设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。​​Consumer​​​​List​​​​AuthenticationConverter​​​​AuthenticationConverter​

​authenticationProvider()​​:添加用于身份验证的(主处理器)。​​AuthenticationProvider​​​​OidcClientRegistrationAuthenticationToken​

​authenticationProviders()​​​:设置提供对默认值和(可选)添加的访问权限,允许添加、删除或自定义特定内容。​​Consumer​​​​List​​​​AuthenticationProvider​​​​AuthenticationProvider​

​clientRegistrationResponseHandler()​​:(后处理器)用于处理“已验证”并返回客户端注册响应或客户端读取响应​。​​AuthenticationSuccessHandler​​​​OidcClientRegistrationAuthenticationToken​

​errorResponseHandler()​​​:用于处理返回客户端注册错误响应或客户端读取错误响应的 anand 的(后处理器)。​​AuthenticationFailureHandler​​​​OAuth2AuthenticationException​

默认情况下,OpenID Connect 1.0 客户端注册终结点处于禁用状态,因为许多部署不需要动态客户端注册。

​OidcClientRegistrationEndpointConfigurer​​配置并使用 OAuth2 授权 server.is 处理客户端注册请求并返回OidcClientRegistration 响应。​​OidcClientRegistrationEndpointFilter​​​​SecurityFilterChain​​​​@Bean​​​​OidcClientRegistrationEndpointFilter​​​​Filter​

​OidcClientRegistrationEndpointFilter​​​还处理客户端读取请求​并返回OidcClientRegistration 响应。

​OidcClientRegistrationEndpointFilter​​配置了以下默认值:

  • AuthenticationConverter​— 安.OidcClientRegistrationAuthenticationConverter
  • AuthenticationManager​——安安。AuthenticationManagerOidcClientRegistrationAuthenticationProviderOidcClientConfigurationAuthenticationProvider
  • AuthenticationSuccessHandler​— 处理“经过身份验证”并返回响应的内部实现。OidcClientRegistrationAuthenticationTokenOidcClientRegistration
  • AuthenticationFailureHandler​— 使用与 the和 关联的内部实现 返回响应。OAuth2ErrorOAuth2AuthenticationExceptionOAuth2Error

OpenID Connect 1.0 客户端注册终结点是受 OAuth2 保护的资源,它要求在客户端注册(或客户端读取)请求中将访问令牌作为持有者令牌发送。

客户端注册请求中的访问令牌需要OAuth2 范围。​​client.create​

客户端读取请求中的访问令牌需要OAuth2 作用域。​​client.read​

以下示例演示如何启用 OAuth2 资源服务器配置:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
  OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
    new OAuth2AuthorizationServerConfigurer();
  http.apply(authorizationServerConfigurer);

  ...

  http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);

  return http.build();
}

@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
  return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}

AI是OpenIDConnect 1.0客户端注册端点所必需的。​​JwtDecoder​​​​@Bean​

相关推荐

Spring 授权服务器核心模型/组件

梅梅的时光 75 0 0

如何自定义Spring 授权服务器的 UserInfo 端点

代码小姐 149 0 0

如何使用JPA实现Spring 授权服务器的核心服务

Java架构领域 120 0 0

Spring 授权服务器配置模型

Ichjns 150 0 0

Spring Security 自定义授权服务器实践

zhaoxj0217 245 0 0

Spring Authorization Server 全新授权服务器整合使用

静鸡鸡的JC 66 0 0

spring seccurity OAuth 2.0授权服务器工作流程

艾晓雪 14 0 0

认证与授权(三):搭建授权、资源服务器

静鸡鸡的JC 66 0 0

spring cloud oauth2 搭建认证中心(授权服务器)

小时候是个乖乖 88 0 0

Spring Boot 核心理解-嵌入式服务器

蚁族的乐土 23 0 0

精彩评论(0)

0 0 举报