协议端点
OAuth2 授权端点
OAuth2AuthorizationEndpointConfigurer提供自定义 OAuth2 授权端点的功能。
它定义了扩展点,允许您自定义 OAuth2 授权请求的预处理、主处理和后处理逻辑。
OAuth2AuthorizationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.authorizationEndpoint(authorizationEndpoint ->
authorizationEndpoint
.authorizationRequestConverter(authorizationRequestConverter) (1)
.authorizationRequestConverters(authorizationRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.authorizationResponseHandler(authorizationResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
.consentPage("/oauth2/v1/authorize") (7)
)
);
return http.build();
}| 1 | authorizationRequestConverter():添加AuthenticationConverter (预处理器)尝试从 中提取 OAuth2 授权请求(或同意)时使用HttpServletRequest添加到OAuth2AuthorizationCodeRequestAuthenticationToken或OAuth2AuthorizationConsentAuthenticationToken. |
| 2 | authorizationRequestConverters():设置Consumer提供对Listof default 和 (可选) addedAuthenticationConverter允许添加、删除或自定义特定AuthenticationConverter. |
| 3 | authenticationProvider():添加AuthenticationProvider (主处理器)用于验证OAuth2AuthorizationCodeRequestAuthenticationToken或OAuth2AuthorizationConsentAuthenticationToken. |
| 4 | authenticationProviders():设置Consumer提供对Listof default 和 (可选) addedAuthenticationProvider允许添加、删除或自定义特定AuthenticationProvider. |
| 5 | authorizationResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理 “authenticated”OAuth2AuthorizationCodeRequestAuthenticationToken并返回 OAuth2AuthorizationResponse。 |
| 6 | errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthorizationCodeRequestAuthenticationException并返回 OAuth2Error 响应。 |
| 7 | consentPage():这URI,以便在授权请求流程中将资源所有者重定向到是否需要同意。 |
OAuth2AuthorizationEndpointConfigurer配置OAuth2AuthorizationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2AuthorizationEndpointFilter是Filter处理 OAuth2 授权请求(和同意)。
OAuth2AuthorizationEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 一个DelegatingAuthenticationConverter组成OAuth2AuthorizationCodeRequestAuthenticationConverter和OAuth2AuthorizationConsentAuthenticationConverter. -
AuthenticationManager— 一个AuthenticationManager组成OAuth2AuthorizationCodeRequestAuthenticationProvider和OAuth2AuthorizationConsentAuthenticationProvider. -
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OAuth2AuthorizationCodeRequestAuthenticationToken并返回OAuth2AuthorizationResponse. -
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthorizationCodeRequestAuthenticationException并返回OAuth2Error响应。
自定义授权请求验证
OAuth2AuthorizationCodeRequestAuthenticationValidator是用于验证授权码授予中使用的特定 OAuth2 授权请求参数的默认验证器。
默认实现会验证redirect_uri和scope参数。
如果验证失败,则OAuth2AuthorizationCodeRequestAuthenticationException被抛出。
OAuth2AuthorizationCodeRequestAuthenticationProvider通过提供Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext>自setAuthenticationValidator().
OAuth2AuthorizationCodeRequestAuthenticationContext持有OAuth2AuthorizationCodeRequestAuthenticationToken,其中包含 OAuth2 授权请求参数。 |
如果验证失败,身份验证验证器必须抛出OAuth2AuthorizationCodeRequestAuthenticationException. |
在开发生命周期阶段,一个常见的用例是允许localhost在redirect_uri参数。
以下示例显示如何配置OAuth2AuthorizationCodeRequestAuthenticationProvider使用自定义身份验证验证器,允许localhost在redirect_uri参数:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.authorizationEndpoint(authorizationEndpoint ->
authorizationEndpoint
.authenticationProviders(configureAuthenticationValidator())
)
);
return http.build();
}
private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
return (authenticationProviders) ->
authenticationProviders.forEach((authenticationProvider) -> {
if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
// Override default redirect_uri validator
new CustomRedirectUriValidator()
// Reuse default scope validator
.andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);
((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
.setAuthenticationValidator(authenticationValidator);
}
});
}
static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {
@Override
public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
authenticationContext.getAuthentication();
RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();
// Use exact string matching when comparing client redirect URIs against pre-registered URIs
if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
}
}
}OAuth2 设备授权端点
OAuth2DeviceAuthorizationEndpointConfigurer提供自定义 OAuth2 设备授权端点的功能。
它定义了扩展点,允许您自定义 OAuth2 设备授权请求的预处理、主处理和后处理逻辑。
OAuth2DeviceAuthorizationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.deviceAuthorizationEndpoint(deviceAuthorizationEndpoint ->
deviceAuthorizationEndpoint
.deviceAuthorizationRequestConverter(deviceAuthorizationRequestConverter) (1)
.deviceAuthorizationRequestConverters(deviceAuthorizationRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.deviceAuthorizationResponseHandler(deviceAuthorizationResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
.verificationUri("/oauth2/v1/device_verification") (7)
)
);
return http.build();
}| 1 | deviceAuthorizationRequestConverter():添加AuthenticationConverter (预处理器)尝试从 中提取 OAuth2 设备授权请求时使用HttpServletRequest添加到OAuth2DeviceAuthorizationRequestAuthenticationToken. |
| 2 | deviceAuthorizationRequestConverters():设置Consumer提供对Listof default 和 (可选) addedAuthenticationConverter允许添加、删除或自定义特定AuthenticationConverter. |
| 3 | authenticationProvider():添加AuthenticationProvider (主处理器)用于验证OAuth2DeviceAuthorizationRequestAuthenticationToken. |
| 4 | authenticationProviders():设置Consumer提供对Listof default 和 (可选) addedAuthenticationProvider允许添加、删除或自定义特定AuthenticationProvider. |
| 5 | deviceAuthorizationResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理 “authenticated”OAuth2DeviceAuthorizationRequestAuthenticationToken并返回 OAuth2DeviceAuthorizationResponse。 |
| 6 | errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回 OAuth2Error 响应。 |
| 7 | verificationUri():这URI将资源所有者定向到辅助设备上。 |
OAuth2DeviceAuthorizationEndpointConfigurer配置OAuth2DeviceAuthorizationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2DeviceAuthorizationEndpointFilter是Filter处理 OAuth2 设备授权请求。
OAuth2DeviceAuthorizationEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 一个OAuth2DeviceAuthorizationRequestAuthenticationConverter. -
AuthenticationManager— 一个AuthenticationManager组成OAuth2DeviceAuthorizationRequestAuthenticationProvider. -
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OAuth2DeviceAuthorizationRequestAuthenticationToken并返回OAuth2DeviceAuthorizationResponse. -
AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.
OAuth2 设备验证端点
OAuth2DeviceVerificationEndpointConfigurer提供自定义 OAuth2 设备验证端点(或“用户交互”)的功能。
它定义了扩展点,允许您自定义 OAuth2 设备验证请求的预处理、主处理和后处理逻辑。
OAuth2DeviceVerificationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.deviceVerificationEndpoint(deviceVerificationEndpoint ->
deviceVerificationEndpoint
.deviceVerificationRequestConverter(deviceVerificationRequestConverter) (1)
.deviceVerificationRequestConverters(deviceVerificationRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.deviceVerificationResponseHandler(deviceVerificationResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
.consentPage("/oauth2/v1/consent") (7)
)
);
return http.build();
}| 1 | deviceVerificationRequestConverter():添加AuthenticationConverter (预处理器)尝试从 中提取 OAuth2 设备验证请求(或同意)时使用HttpServletRequest添加到OAuth2DeviceVerificationAuthenticationToken或OAuth2DeviceAuthorizationConsentAuthenticationToken. |
| 2 | deviceVerificationRequestConverters():设置Consumer提供对Listof default 和 (可选) addedAuthenticationConverter允许添加、删除或自定义特定AuthenticationConverter. |
| 3 | authenticationProvider():添加AuthenticationProvider (主处理器)用于验证OAuth2DeviceVerificationAuthenticationToken或OAuth2DeviceAuthorizationConsentAuthenticationToken. |
| 4 | authenticationProviders():设置Consumer提供对Listof default 和 (可选) addedAuthenticationProvider允许添加、删除或自定义特定AuthenticationProvider. |
| 5 | deviceVerificationResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理 “authenticated”OAuth2DeviceVerificationAuthenticationToken并指示资源所有者返回到其设备。 |
| 6 | errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回错误响应。 |
| 7 | consentPage():这URI,将资源所有者重定向到在设备验证请求流程中是否需要同意。 |
OAuth2DeviceVerificationEndpointConfigurer配置OAuth2DeviceVerificationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2DeviceVerificationEndpointFilter是Filter处理 OAuth2 设备验证请求(和同意)。
OAuth2DeviceVerificationEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 一个DelegatingAuthenticationConverter组成OAuth2DeviceVerificationAuthenticationConverter和OAuth2DeviceAuthorizationConsentAuthenticationConverter. -
AuthenticationManager— 一个AuthenticationManager组成OAuth2DeviceVerificationAuthenticationProvider和OAuth2DeviceAuthorizationConsentAuthenticationProvider. -
AuthenticationSuccessHandler— 一个SimpleUrlAuthenticationSuccessHandler处理 “authenticated”OAuth2DeviceVerificationAuthenticationToken并将用户重定向到成功页面 (/?success). -
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthenticationException并返回OAuth2Error响应。
OAuth2 令牌端点
OAuth2TokenEndpointConfigurer提供自定义 OAuth2 令牌端点的功能。
它定义了扩展点,允许您自定义 OAuth2 访问令牌请求的预处理、主处理和后处理逻辑。
OAuth2TokenEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.tokenEndpoint(tokenEndpoint ->
tokenEndpoint
.accessTokenRequestConverter(accessTokenRequestConverter) (1)
.accessTokenRequestConverters(accessTokenRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.accessTokenResponseHandler(accessTokenResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
)
);
return http.build();
}| 1 | accessTokenRequestConverter():添加AuthenticationConverter (预处理器)尝试从 中提取 OAuth2 访问令牌请求时使用HttpServletRequest添加到OAuth2AuthorizationGrantAuthenticationToken. |
| 2 | accessTokenRequestConverters():设置Consumer提供对Listof default 和 (可选) addedAuthenticationConverter允许添加、删除或自定义特定AuthenticationConverter. |
| 3 | authenticationProvider():添加AuthenticationProvider (主处理器)用于验证OAuth2AuthorizationGrantAuthenticationToken. |
| 4 | authenticationProviders():设置Consumer提供对Listof default 和 (可选) addedAuthenticationProvider允许添加、删除或自定义特定AuthenticationProvider. |
| 5 | accessTokenResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理OAuth2AccessTokenAuthenticationToken并返回OAuth2AccessTokenResponse. |
| 6 | errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回 OAuth2Error 响应。 |
OAuth2TokenEndpointConfigurer配置OAuth2TokenEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2TokenEndpointFilter是Filter处理 OAuth2 访问令牌请求。
支持的授权授权类型包括authorization_code,refresh_token,client_credentials,urn:ietf:params:oauth:grant-type:device_code和urn:ietf:params:oauth:grant-type:token-exchange.
OAuth2TokenEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 一个DelegatingAuthenticationConverter组成OAuth2AuthorizationCodeAuthenticationConverter,OAuth2RefreshTokenAuthenticationConverter,OAuth2ClientCredentialsAuthenticationConverter,OAuth2DeviceCodeAuthenticationConverter和OAuth2TokenExchangeAuthenticationConverter. -
AuthenticationManager— 一个AuthenticationManager组成OAuth2AuthorizationCodeAuthenticationProvider,OAuth2RefreshTokenAuthenticationProvider,OAuth2ClientCredentialsAuthenticationProvider,OAuth2DeviceCodeAuthenticationProvider和OAuth2TokenExchangeAuthenticationProvider. -
AuthenticationSuccessHandler— 一个OAuth2AccessTokenResponseAuthenticationSuccessHandler. -
AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.
自定义客户端身份凭证授权请求验证
OAuth2ClientCredentialsAuthenticationValidator是用于验证特定 OAuth2 客户端凭证授予请求参数的默认验证器。
默认实现会验证scope参数。
如果验证失败,则OAuth2AuthenticationException被抛出。
OAuth2ClientCredentialsAuthenticationProvider通过提供 type 为Consumer<OAuth2ClientCredentialsAuthenticationContext>自setAuthenticationValidator().
OAuth2ClientCredentialsAuthenticationContext持有OAuth2ClientCredentialsAuthenticationToken,其中包含 OAuth2 客户端凭证授予请求参数。 |
如果验证失败,身份验证验证器必须抛出OAuth2AuthenticationException. |
以下示例显示如何配置OAuth2ClientCredentialsAuthenticationProvider替换为覆盖默认scope验证:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.tokenEndpoint(tokenEndpoint ->
tokenEndpoint
.authenticationProviders(configureAuthenticationValidator())
)
);
return http.build();
}
private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
return (authenticationProviders) ->
authenticationProviders.forEach((authenticationProvider) -> {
if (authenticationProvider instanceof OAuth2ClientCredentialsAuthenticationProvider) {
Consumer<OAuth2ClientCredentialsAuthenticationContext> authenticationValidator =
new CustomScopeValidator();
// Override default scope validation
((OAuth2ClientCredentialsAuthenticationProvider) authenticationProvider)
.setAuthenticationValidator(authenticationValidator);
}
});
}
static class CustomScopeValidator implements Consumer<OAuth2ClientCredentialsAuthenticationContext> {
@Override
public void accept(OAuth2ClientCredentialsAuthenticationContext authenticationContext) {
OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
authenticationContext.getAuthentication();
Set<String> requestedScopes = clientCredentialsAuthentication.getScopes();
RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
Set<String> allowedScopes = registeredClient.getScopes();
// TODO Implement scope validation
}
}OAuth2 令牌自省端点
OAuth2TokenIntrospectionEndpointConfigurer提供自定义 OAuth2 令牌自检端点的功能。
它定义了扩展点,允许您自定义 OAuth2 自省请求的预处理、主处理和后处理逻辑。
OAuth2TokenIntrospectionEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.tokenIntrospectionEndpoint(tokenIntrospectionEndpoint ->
tokenIntrospectionEndpoint
.introspectionRequestConverter(introspectionRequestConverter) (1)
.introspectionRequestConverters(introspectionRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.introspectionResponseHandler(introspectionResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
)
);
return http.build();
}| 1 | introspectionRequestConverter():添加AuthenticationConverter (预处理器)尝试从 中提取 OAuth2 内省请求时使用HttpServletRequest添加到OAuth2TokenIntrospectionAuthenticationToken. |
| 2 | introspectionRequestConverters():设置Consumer提供对Listof default 和 (可选) addedAuthenticationConverter允许添加、删除或自定义特定AuthenticationConverter. |
| 3 | authenticationProvider():添加AuthenticationProvider (主处理器)用于验证OAuth2TokenIntrospectionAuthenticationToken. |
| 4 | authenticationProviders():设置Consumer提供对Listof default 和 (可选) addedAuthenticationProvider允许添加、删除或自定义特定AuthenticationProvider. |
| 5 | introspectionResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理 “authenticated”OAuth2TokenIntrospectionAuthenticationToken并返回 OAuth2TokenIntrospection 响应。 |
| 6 | errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回 OAuth2Error 响应。 |
OAuth2TokenIntrospectionEndpointConfigurer配置OAuth2TokenIntrospectionEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2TokenIntrospectionEndpointFilter是Filter处理 OAuth2 自省请求。
OAuth2TokenIntrospectionEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 一个OAuth2TokenIntrospectionAuthenticationConverter. -
AuthenticationManager— 一个AuthenticationManager组成OAuth2TokenIntrospectionAuthenticationProvider. -
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OAuth2TokenIntrospectionAuthenticationToken并返回OAuth2TokenIntrospection响应。 -
AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.
OAuth2 令牌吊销端点
OAuth2TokenRevocationEndpointConfigurer提供自定义 OAuth2 令牌吊销端点的功能。
它定义了扩展点,允许您自定义 OAuth2 吊销请求的预处理、主处理和后处理逻辑。
OAuth2TokenRevocationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.tokenRevocationEndpoint(tokenRevocationEndpoint ->
tokenRevocationEndpoint
.revocationRequestConverter(revocationRequestConverter) (1)
.revocationRequestConverters(revocationRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.revocationResponseHandler(revocationResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
)
);
return http.build();
}| 1 | revocationRequestConverter():添加AuthenticationConverter (预处理器)尝试从 中提取 OAuth2 吊销请求时使用HttpServletRequest添加到OAuth2TokenRevocationAuthenticationToken. |
| 2 | revocationRequestConverters():设置Consumer提供对Listof default 和 (可选) addedAuthenticationConverter允许添加、删除或自定义特定AuthenticationConverter. |
| 3 | authenticationProvider():添加AuthenticationProvider (主处理器)用于验证OAuth2TokenRevocationAuthenticationToken. |
| 4 | authenticationProviders():设置Consumer提供对Listof default 和 (可选) addedAuthenticationProvider允许添加、删除或自定义特定AuthenticationProvider. |
| 5 | revocationResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理 “authenticated”OAuth2TokenRevocationAuthenticationToken并返回 OAuth2 吊销响应。 |
| 6 | errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回 OAuth2Error 响应。 |
OAuth2TokenRevocationEndpointConfigurer配置OAuth2TokenRevocationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2TokenRevocationEndpointFilter是Filter处理 OAuth2 吊销请求。
OAuth2TokenRevocationEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 一个OAuth2TokenRevocationAuthenticationConverter. -
AuthenticationManager— 一个AuthenticationManager组成OAuth2TokenRevocationAuthenticationProvider. -
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OAuth2TokenRevocationAuthenticationToken并返回 OAuth2 吊销响应。 -
AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.
OAuth2 授权服务器元数据端点
OAuth2AuthorizationServerMetadataEndpointConfigurer提供自定义 OAuth2 授权服务器元数据端点的功能。
它定义了一个扩展点,允许您自定义 OAuth2 Authorization Server 元数据响应。
OAuth2AuthorizationServerMetadataEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.authorizationServerMetadataEndpoint(authorizationServerMetadataEndpoint ->
authorizationServerMetadataEndpoint
.authorizationServerMetadataCustomizer(authorizationServerMetadataCustomizer) (1)
)
);
return http.build();
}| 1 | authorizationServerMetadataCustomizer():这Consumer提供对OAuth2AuthorizationServerMetadata.Builder允许自定义 Authorization Server 配置的声明。 |
OAuth2AuthorizationServerMetadataEndpointConfigurer配置OAuth2AuthorizationServerMetadataEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2AuthorizationServerMetadataEndpointFilter是Filter返回 OAuth2AuthorizationServerMetadata 响应。
JWK 设置端点
OAuth2AuthorizationServerConfigurer提供对 JWK Set 端点的支持。
OAuth2AuthorizationServerConfigurer配置NimbusJwkSetEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.NimbusJwkSetEndpointFilter是Filter,这将返回 JWK 集。
仅当 JWK Set 的JWKSource<SecurityContext> @Bean已注册。 |
OpenID Connect 1.0 提供者配置终端节点
OidcProviderConfigurationEndpointConfigurer提供自定义 OpenID Connect 1.0 提供程序配置终端节点的功能。
它定义了一个扩展点,允许您自定义 OpenID Provider Configuration 响应。
OidcProviderConfigurationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.oidc(oidc ->
oidc
.providerConfigurationEndpoint(providerConfigurationEndpoint ->
providerConfigurationEndpoint
.providerConfigurationCustomizer(providerConfigurationCustomizer) (1)
)
)
);
return http.build();
}| 1 | providerConfigurationCustomizer():这Consumer提供对OidcProviderConfiguration.Builder允许自定义 OpenID Provider 配置的声明。 |
OidcProviderConfigurationEndpointConfigurer配置OidcProviderConfigurationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcProviderConfigurationEndpointFilter是Filter,这将返回 OidcProviderConfiguration 响应。
OpenID Connect 1.0 注销端点
OidcLogoutEndpointConfigurer提供自定义 OpenID Connect 1.0 注销终端节点的功能。
它定义了扩展点,允许您自定义 RP 发起的注销请求的预处理、主处理和后处理逻辑。
OidcLogoutEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.oidc(oidc ->
oidc
.logoutEndpoint(logoutEndpoint ->
logoutEndpoint
.logoutRequestConverter(logoutRequestConverter) (1)
.logoutRequestConverters(logoutRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.logoutResponseHandler(logoutResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
)
)
);
return http.build();
}| 1 | logoutRequestConverter():添加AuthenticationConverter (预处理器)尝试从 中提取注销请求时使用HttpServletRequest添加到OidcLogoutAuthenticationToken. |
| 2 | logoutRequestConverters():设置Consumer提供对Listof default 和 (可选) addedAuthenticationConverter允许添加、删除或自定义特定AuthenticationConverter. |
| 3 | authenticationProvider():添加AuthenticationProvider (主处理器)用于验证OidcLogoutAuthenticationToken. |
| 4 | authenticationProviders():设置Consumer提供对Listof default 和 (可选) addedAuthenticationProvider允许添加、删除或自定义特定AuthenticationProvider. |
| 5 | logoutResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理 “authenticated”OidcLogoutAuthenticationToken并执行注销。 |
| 6 | errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回错误响应。 |
OidcLogoutEndpointConfigurer配置OidcLogoutEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcLogoutEndpointFilter是Filter处理 RP 发起的注销请求并执行最终用户的注销。
OidcLogoutEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 一个OidcLogoutAuthenticationConverter. -
AuthenticationManager— 一个AuthenticationManager组成OidcLogoutAuthenticationProvider. -
AuthenticationSuccessHandler— 一个OidcLogoutAuthenticationSuccessHandler. -
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthenticationException并返回OAuth2Error响应。
OidcLogoutAuthenticationProvider使用SessionRegistry要查找SessionInformation实例。 |
OidcClientInitiatedLogoutSuccessHandler是 Spring Security 的 OAuth2 客户端支持中用于配置 OpenID Connect 1.0 RP 发起的注销的相应配置。 |
自定义注销请求验证
OidcLogoutAuthenticationValidator是用于验证特定 OpenID Connect RP 发起的注销请求参数的默认验证程序。
默认实现会验证post_logout_redirect_uri参数。
如果验证失败,则OAuth2AuthenticationException被抛出。
OidcLogoutAuthenticationProvider通过提供Consumer<OidcLogoutAuthenticationContext>自setAuthenticationValidator().
OidcLogoutAuthenticationContext持有OidcLogoutAuthenticationToken,其中包含 logout 请求参数。 |
如果验证失败,身份验证验证器必须抛出OAuth2AuthenticationException. |
以下示例显示如何配置OidcLogoutAuthenticationProvider使用自定义身份验证验证器:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.oidc(oidc ->
oidc
.logoutEndpoint(logoutEndpoint ->
logoutEndpoint
.authenticationProviders(configureAuthenticationValidator())
)
)
);
return http.build();
}
private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
return (authenticationProviders) ->
authenticationProviders.forEach((authenticationProvider) -> {
if (authenticationProvider instanceof OidcLogoutAuthenticationProvider oidcLogoutAuthenticationProvider) {
Consumer<OidcLogoutAuthenticationContext> authenticationValidator = new CustomPostLogoutRedirectUriValidator();
oidcLogoutAuthenticationProvider.setAuthenticationValidator(authenticationValidator);
}
});
}
static class CustomPostLogoutRedirectUriValidator implements Consumer<OidcLogoutAuthenticationContext> {
@Override
public void accept(OidcLogoutAuthenticationContext authenticationContext) {
OidcLogoutAuthenticationToken oidcLogoutAuthentication =
authenticationContext.getAuthentication();
RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
// TODO
}
}OpenID Connect 1.0 UserInfo 端点
OidcUserInfoEndpointConfigurer提供自定义 OpenID Connect 1.0 UserInfo 终端节点的功能。
它定义了扩展点,允许您自定义 UserInfo 请求的预处理、主处理和后处理逻辑。
OidcUserInfoEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.oidc(oidc ->
oidc
.userInfoEndpoint(userInfoEndpoint ->
userInfoEndpoint
.userInfoRequestConverter(userInfoRequestConverter) (1)
.userInfoRequestConverters(userInfoRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.userInfoResponseHandler(userInfoResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
.userInfoMapper(userInfoMapper) (7)
)
)
);
return http.build();
}| 1 | userInfoRequestConverter():添加AuthenticationConverter (预处理器)尝试从 中提取 UserInfo 请求时使用HttpServletRequest添加到OidcUserInfoAuthenticationToken. |
| 2 | userInfoRequestConverters():设置Consumer提供对Listof default 和 (可选) addedAuthenticationConverter允许添加、删除或自定义特定AuthenticationConverter. |
| 3 | authenticationProvider():添加AuthenticationProvider (主处理器)用于验证OidcUserInfoAuthenticationToken. |
| 4 | authenticationProviders():设置Consumer提供对Listof default 和 (可选) addedAuthenticationProvider允许添加、删除或自定义特定AuthenticationProvider. |
| 5 | userInfoResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理 “authenticated”OidcUserInfoAuthenticationToken并返回 UserInfo 响应。 |
| 6 | errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回 UserInfo Error 响应。 |
| 7 | userInfoMapper():这Function用于从OidcUserInfoAuthenticationContext添加到OidcUserInfo. |
OidcUserInfoEndpointConfigurer配置OidcUserInfoEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcUserInfoEndpointFilter是Filter处理 UserInfo 请求并返回 OidcUserInfo 响应。
OidcUserInfoEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 一个内部实现,用于获取Authentication从SecurityContext并创建一个OidcUserInfoAuthenticationToken与校长。 -
AuthenticationManager— 一个AuthenticationManager组成OidcUserInfoAuthenticationProvider,它与userInfoMapper它根据授权期间请求的范围从 ID 令牌中提取标准声明。 -
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OidcUserInfoAuthenticationToken并返回OidcUserInfo响应。 -
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthenticationException并返回OAuth2Error响应。
您可以通过提供OAuth2TokenCustomizer<JwtEncodingContext> @Bean. |
OpenID Connect 1.0 UserInfo 终端节点是受 OAuth2 保护的资源,它要求在 UserInfo 请求中将访问令牌作为持有者令牌发送。
OAuth2 资源服务器支持是自动配置的,但是,一个JwtDecoder @Bean对于 OpenID Connect 1.0 UserInfo 终端节点是必需的。 |
| 指南作方法:自定义 OpenID Connect 1.0 UserInfo 响应包含自定义 UserInfo 端点的示例。 |
OpenID Connect 1.0 客户端注册终端节点
OidcClientRegistrationEndpointConfigurer提供自定义 OpenID Connect 1.0 客户端注册终端节点的功能。
它定义了扩展点,允许您自定义客户端注册请求或客户端读取请求的预处理、主处理和后处理逻辑。
OidcClientRegistrationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.oidc(oidc ->
oidc
.clientRegistrationEndpoint(clientRegistrationEndpoint ->
clientRegistrationEndpoint
.clientRegistrationRequestConverter(clientRegistrationRequestConverter) (1)
.clientRegistrationRequestConverters(clientRegistrationRequestConvertersConsumers) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.clientRegistrationResponseHandler(clientRegistrationResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
)
)
);
return http.build();
}| 1 | clientRegistrationRequestConverter():添加AuthenticationConverter (预处理器)尝试从 中提取客户端注册请求或客户端读取请求时使用HttpServletRequest添加到OidcClientRegistrationAuthenticationToken. |
| 2 | clientRegistrationRequestConverters():设置Consumer提供对Listof default 和 (可选) addedAuthenticationConverter允许添加、删除或自定义特定AuthenticationConverter. |
| 3 | authenticationProvider():添加AuthenticationProvider (主处理器)用于验证OidcClientRegistrationAuthenticationToken. |
| 4 | authenticationProviders():设置Consumer提供对Listof default 和 (可选) addedAuthenticationProvider允许添加、删除或自定义特定AuthenticationProvider. |
| 5 | clientRegistrationResponseHandler():这AuthenticationSuccessHandler (后处理器)用于处理 “authenticated”OidcClientRegistrationAuthenticationToken并返回 Client Registration 响应或 Client Read 响应。 |
| 6 | errorResponseHandler():这AuthenticationFailureHandler (后处理器)用于处理OAuth2AuthenticationException并返回 Client Registration Error 响应或 Client Read Error 响应。 |
| 默认情况下,OpenID Connect 1.0 客户端注册终端节点处于禁用状态,因为许多部署不需要动态客户端注册。 |
OidcClientRegistrationEndpointConfigurer配置OidcClientRegistrationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcClientRegistrationEndpointFilter是Filter处理客户端注册请求并返回 OidcClientRegistration 响应。
OidcClientRegistrationEndpointFilter还会处理 Client Read 请求并返回 OidcClientRegistration 响应。 |
OidcClientRegistrationEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 一个OidcClientRegistrationAuthenticationConverter. -
AuthenticationManager— 一个AuthenticationManager组成OidcClientRegistrationAuthenticationProvider和OidcClientConfigurationAuthenticationProvider. -
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OidcClientRegistrationAuthenticationToken并返回OidcClientRegistration响应。 -
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthenticationException并返回OAuth2Error响应。
OpenID Connect 1.0 客户端注册终端节点是受 OAuth2 保护的资源,它要求在客户端注册(或客户端读取)请求中将访问令牌作为持有者令牌发送。
OAuth2 资源服务器支持是自动配置的,但是,一个JwtDecoder @Bean对于 OpenID Connect 1.0 客户端注册终端节点是必需的。 |
客户端注册请求中的访问令牌需要 OAuth2 范围client.create. |
客户端读取请求中的访问令牌需要 OAuth2 范围client.read. |