|
对于最新的稳定版本,请使用 Spring Security 6.5.0! |
高级配置
OAuth 2.0 授权框架对协议端点的定义如下:
授权过程使用两个授权服务器终端节点(HTTP 资源):
-
授权端点:由客户端用于通过用户代理重定向从资源所有者处获取授权。
-
Token Endpoint:由客户端用于交换访问Tokens的授权,通常使用客户端身份验证。
以及一个客户端终端节点:
-
重定向端点:由授权服务器用于通过资源所有者用户代理将包含授权凭证的响应返回给客户端。
OpenID Connect Core 1.0 规范对 UserInfo 端点的定义如下:
UserInfo 端点是一种 OAuth 2.0 受保护的资源,它返回有关经过身份验证的最终用户的声明。 为了获取有关最终用户的请求声明,客户端使用通过 OpenID Connect 身份验证获取的访问Tokens向 UserInfo 终端节点发出请求。 这些声明通常由一个 JSON 对象表示,该对象包含声明的名称/值对集合。
ServerHttpSecurity.oauth2Login()提供了许多用于自定义 OAuth 2.0 登录的配置选项。
以下代码显示了可用于oauth2Login()DSL:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.oauth2Login(oauth2 -> oauth2
.authenticationConverter(this.authenticationConverter())
.authenticationMatcher(this.authenticationMatcher())
.authenticationManager(this.authenticationManager())
.authenticationSuccessHandler(this.authenticationSuccessHandler())
.authenticationFailureHandler(this.authenticationFailureHandler())
.clientRegistrationRepository(this.clientRegistrationRepository())
.authorizedClientRepository(this.authorizedClientRepository())
.authorizedClientService(this.authorizedClientService())
.authorizationRequestResolver(this.authorizationRequestResolver())
.authorizationRequestRepository(this.authorizationRequestRepository())
.securityContextRepository(this.securityContextRepository())
);
return http.build();
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login {
authenticationConverter = authenticationConverter()
authenticationMatcher = authenticationMatcher()
authenticationManager = authenticationManager()
authenticationSuccessHandler = authenticationSuccessHandler()
authenticationFailureHandler = authenticationFailureHandler()
clientRegistrationRepository = clientRegistrationRepository()
authorizedClientRepository = authorizedClientRepository()
authorizedClientService = authorizedClientService()
authorizationRequestResolver = authorizationRequestResolver()
authorizationRequestRepository = authorizationRequestRepository()
securityContextRepository = securityContextRepository()
}
}
return http.build()
}
}以下部分将更详细地介绍每个可用的配置选项:
OAuth 2.0 登录页面
默认情况下,OAuth 2.0 登录页面由LoginPageGeneratingWebFilter.
默认登录页面显示每个已配置的 OAuth 客户端及其ClientRegistration.clientName作为链接,该链接能够启动授权请求(或 OAuth 2.0 登录)。
为了LoginPageGeneratingWebFilter要显示已配置的 OAuth 客户端的链接,请选中已注册的ReactiveClientRegistrationRepository还需要实施Iterable<ClientRegistration>.
看InMemoryReactiveClientRegistrationRepository以供参考。 |
每个 OAuth 客户端的链接目标默认为以下内容:
"/oauth2/authorization/{registrationId}"
以下行显示了一个示例:
<a href="/oauth2/authorization/google">Google</a>要覆盖默认登录页面,请配置exceptionHandling().authenticationEntryPoint()和(可选)oauth2Login().authorizationRequestResolver().
下面的清单显示了一个示例:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.exceptionHandling(exceptionHandling -> exceptionHandling
.authenticationEntryPoint(new RedirectServerAuthenticationEntryPoint("/login/oauth2"))
)
.oauth2Login(oauth2 -> oauth2
.authorizationRequestResolver(this.authorizationRequestResolver())
);
return http.build();
}
private ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver() {
ServerWebExchangeMatcher authorizationRequestMatcher =
new PathPatternParserServerWebExchangeMatcher(
"/login/oauth2/authorization/{registrationId}");
return new DefaultServerOAuth2AuthorizationRequestResolver(
this.clientRegistrationRepository(), authorizationRequestMatcher);
}
...
}@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
exceptionHandling {
authenticationEntryPoint = RedirectServerAuthenticationEntryPoint("/login/oauth2")
}
oauth2Login {
authorizationRequestResolver = authorizationRequestResolver()
}
}
return http.build()
}
private fun authorizationRequestResolver(): ServerOAuth2AuthorizationRequestResolver {
val authorizationRequestMatcher: ServerWebExchangeMatcher = PathPatternParserServerWebExchangeMatcher(
"/login/oauth2/authorization/{registrationId}"
)
return DefaultServerOAuth2AuthorizationRequestResolver(
clientRegistrationRepository(), authorizationRequestMatcher
)
}
...
}您需要提供@Controller替换为@RequestMapping("/login/oauth2"),它能够呈现自定义登录页面。 |
|
如前所述,配置 以下行显示了一个示例: |
重定向端点
授权服务器使用重定向端点通过资源所有者用户代理将授权响应(包含授权凭证)返回给客户端。
| OAuth 2.0 登录利用授权码授予。 因此,授权凭证就是授权码。 |
默认的 Authorization Response 重定向端点是/login/oauth2/code/{registrationId}.
如果要自定义授权响应重定向端点,请对其进行配置,如以下示例所示:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.oauth2Login(oauth2 -> oauth2
.authenticationMatcher(new PathPatternParserServerWebExchangeMatcher("/login/oauth2/callback/{registrationId}"))
);
return http.build();
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login {
authenticationMatcher = PathPatternParserServerWebExchangeMatcher("/login/oauth2/callback/{registrationId}")
}
}
return http.build()
}
}|
您还需要确保 下面的清单显示了一个示例:
|
UserInfo 端点
UserInfo Endpoint 包括许多配置选项,如以下小节所述:
映射用户权限
在用户成功通过 OAuth 2.0 提供程序进行身份验证后,OAuth2User.getAuthorities()(或OidcUser.getAuthorities()) 包含从OAuth2UserRequest.getAccessToken().getScopes(),前缀为SCOPE_.
这些授予的权限可以映射到一组新的GrantedAuthority实例,该实例将提供给OAuth2AuthenticationToken完成身份验证时。
OAuth2AuthenticationToken.getAuthorities()用于授权请求,例如hasRole('USER')或hasRole('ADMIN'). |
在映射用户权限时,有几个选项可供选择:
使用 GrantedAuthoritiesMapper
这GrantedAuthoritiesMapper给定一个已授予权限列表,其中包含OAuth2UserAuthority和权限字符串OAUTH2_USER(或OidcUserAuthority和权限字符串OIDC_USER).
注册一个GrantedAuthoritiesMapper @Bean将其自动应用于配置,如以下示例所示:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
...
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public GrantedAuthoritiesMapper userAuthoritiesMapper() {
return (authorities) -> {
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
authorities.forEach(authority -> {
if (OidcUserAuthority.class.isInstance(authority)) {
OidcUserAuthority oidcUserAuthority = (OidcUserAuthority)authority;
OidcIdToken idToken = oidcUserAuthority.getIdToken();
OidcUserInfo userInfo = oidcUserAuthority.getUserInfo();
// Map the claims found in idToken and/or userInfo
// to one or more GrantedAuthority's and add it to mappedAuthorities
} else if (OAuth2UserAuthority.class.isInstance(authority)) {
OAuth2UserAuthority oauth2UserAuthority = (OAuth2UserAuthority)authority;
Map<String, Object> userAttributes = oauth2UserAuthority.getAttributes();
// Map the attributes found in userAttributes
// to one or more GrantedAuthority's and add it to mappedAuthorities
}
});
return mappedAuthorities;
};
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login { }
}
return http.build()
}
@Bean
fun userAuthoritiesMapper(): GrantedAuthoritiesMapper = GrantedAuthoritiesMapper { authorities: Collection<GrantedAuthority> ->
val mappedAuthorities = emptySet<GrantedAuthority>()
authorities.forEach { authority ->
if (authority is OidcUserAuthority) {
val idToken = authority.idToken
val userInfo = authority.userInfo
// Map the claims found in idToken and/or userInfo
// to one or more GrantedAuthority's and add it to mappedAuthorities
} else if (authority is OAuth2UserAuthority) {
val userAttributes = authority.attributes
// Map the attributes found in userAttributes
// to one or more GrantedAuthority's and add it to mappedAuthorities
}
}
mappedAuthorities
}
}使用 ReactiveOAuth2UserService 的基于委托的策略
与使用GrantedAuthoritiesMapper,但是,它也更灵活,因为它允许您访问OAuth2UserRequest和OAuth2User(使用 OAuth 2.0 UserService 时)或OidcUserRequest和OidcUser(使用 OpenID Connect 1.0 UserService 时)。
这OAuth2UserRequest(以及OidcUserRequest) 允许您访问关联的OAuth2AccessToken,这在委托人需要先从受保护资源获取权限信息然后才能为用户映射自定义权限的情况下非常有用。
以下示例说明如何使用 OpenID Connect 1.0 UserService 实施和配置基于委派的策略:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
...
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public ReactiveOAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
final OidcReactiveOAuth2UserService delegate = new OidcReactiveOAuth2UserService();
return (userRequest) -> {
// Delegate to the default implementation for loading a user
return delegate.loadUser(userRequest)
.flatMap((oidcUser) -> {
OAuth2AccessToken accessToken = userRequest.getAccessToken();
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
// TODO
// 1) Fetch the authority information from the protected resource using accessToken
// 2) Map the authority information to one or more GrantedAuthority's and add it to mappedAuthorities
// 3) Create a copy of oidcUser but use the mappedAuthorities instead
oidcUser = new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo());
return Mono.just(oidcUser);
});
};
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login { }
}
return http.build()
}
@Bean
fun oidcUserService(): ReactiveOAuth2UserService<OidcUserRequest, OidcUser> {
val delegate = OidcReactiveOAuth2UserService()
return ReactiveOAuth2UserService { userRequest ->
// Delegate to the default implementation for loading a user
delegate.loadUser(userRequest)
.flatMap { oidcUser ->
val accessToken = userRequest.accessToken
val mappedAuthorities = mutableSetOf<GrantedAuthority>()
// TODO
// 1) Fetch the authority information from the protected resource using accessToken
// 2) Map the authority information to one or more GrantedAuthority's and add it to mappedAuthorities
// 3) Create a copy of oidcUser but use the mappedAuthorities instead
val mappedOidcUser = DefaultOidcUser(mappedAuthorities, oidcUser.idToken, oidcUser.userInfo)
Mono.just(mappedOidcUser)
}
}
}
}OAuth 2.0 用户服务
DefaultReactiveOAuth2UserService是ReactiveOAuth2UserService支持标准 OAuth 2.0 提供程序的。
ReactiveOAuth2UserService从 UserInfo 端点获取最终用户(资源所有者)的用户属性(通过使用在授权流程中授予客户端的访问Tokens),并返回一个AuthenticatedPrincipal以OAuth2User. |
DefaultReactiveOAuth2UserService使用WebClient在 UserInfo Endpoint 请求 user 属性时。
如果您需要自定义 UserInfo 请求的预处理和/或 UserInfo 响应的后处理,则需要提供DefaultReactiveOAuth2UserService.setWebClient()使用自定义配置WebClient.
无论您是否自定义DefaultReactiveOAuth2UserService或提供您自己的ReactiveOAuth2UserService,您需要对其进行配置,如以下示例所示:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
...
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
...
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login { }
}
return http.build()
}
@Bean
fun oauth2UserService(): ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> {
// ...
}
}OpenID Connect 1.0 用户服务
OidcReactiveOAuth2UserService是ReactiveOAuth2UserService支持 OpenID Connect 1.0 提供程序的。
这OidcReactiveOAuth2UserService利用DefaultReactiveOAuth2UserService在 UserInfo Endpoint 请求 user 属性时。
如果您需要自定义 UserInfo 请求的预处理和/或 UserInfo 响应的后处理,则需要提供OidcReactiveOAuth2UserService.setOauth2UserService()使用自定义配置ReactiveOAuth2UserService.
无论您是否自定义OidcReactiveOAuth2UserService或提供您自己的ReactiveOAuth2UserService对于 OpenID Connect 1.0 提供程序,您需要对其进行配置,如以下示例所示:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
...
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public ReactiveOAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
...
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login { }
}
return http.build()
}
@Bean
fun oidcUserService(): ReactiveOAuth2UserService<OidcUserRequest, OidcUser> {
// ...
}
}ID Token 签名验证
OpenID Connect 1.0 身份验证引入了 ID Tokens,这是一个安全Tokens,其中包含有关客户端使用时授权服务器对最终用户进行身份验证的声明。
ID Tokens表示为 JSON Web Tokens (JWT),并且必须使用 JSON Web 签名 (JWS) 进行签名。
这ReactiveOidcIdTokenDecoderFactory提供ReactiveJwtDecoder用于OidcIdToken签名验证。默认算法为RS256但在客户端注册期间分配时可能会有所不同。
对于这些情况,可以将解析程序配置为返回为特定客户端分配的预期 JWS 算法。
JWS 算法解析程序是一个Function接受ClientRegistration并返回预期的JwsAlgorithm对于客户,例如。SignatureAlgorithm.RS256或MacAlgorithm.HS256
以下代码显示了如何配置OidcIdTokenDecoderFactory @Bean默认为MacAlgorithm.HS256为了所有人ClientRegistration:
-
Java
-
Kotlin
@Bean
public ReactiveJwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
ReactiveOidcIdTokenDecoderFactory idTokenDecoderFactory = new ReactiveOidcIdTokenDecoderFactory();
idTokenDecoderFactory.setJwsAlgorithmResolver(clientRegistration -> MacAlgorithm.HS256);
return idTokenDecoderFactory;
}@Bean
fun idTokenDecoderFactory(): ReactiveJwtDecoderFactory<ClientRegistration> {
val idTokenDecoderFactory = ReactiveOidcIdTokenDecoderFactory()
idTokenDecoderFactory.setJwsAlgorithmResolver { MacAlgorithm.HS256 }
return idTokenDecoderFactory
}对于基于 MAC 的算法,例如HS256,HS384或HS512这client-secret对应于client-id用作签名验证的对称密钥。 |
如果有多个ClientRegistration配置为 OpenID Connect 1.0 身份验证,则 JWS 算法解析程序可能会评估提供的ClientRegistration以确定要返回的算法。 |
OpenID Connect 1.0 注销
OpenID Connect 会话管理 1.0 允许使用客户端在提供商处注销最终用户。 可用的策略之一是 RP 发起的注销。
如果 OpenID Provider 同时支持会话管理和发现,则客户端可以获取end_session_endpoint URL从 OpenID 提供程序的发现元数据。
这可以通过配置ClientRegistration使用issuer-uri,如以下示例所示:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
...
provider:
okta:
issuer-uri: https://dev-1234.oktapreview.com…和OidcClientInitiatedServerLogoutSuccessHandler(实施 RP 启动的注销)可以按如下方式进行配置:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Autowired
private ReactiveClientRegistrationRepository clientRegistrationRepository;
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange(authorize -> authorize
.anyExchange().authenticated()
)
.oauth2Login(withDefaults())
.logout(logout -> logout
.logoutSuccessHandler(oidcLogoutSuccessHandler())
);
return http.build();
}
private ServerLogoutSuccessHandler oidcLogoutSuccessHandler() {
OidcClientInitiatedServerLogoutSuccessHandler oidcLogoutSuccessHandler =
new OidcClientInitiatedServerLogoutSuccessHandler(this.clientRegistrationRepository);
// Sets the location that the End-User's User Agent will be redirected to
// after the logout has been performed at the Provider
oidcLogoutSuccessHandler.setPostLogoutRedirectUri("{baseUrl}");
return oidcLogoutSuccessHandler;
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Autowired
private lateinit var clientRegistrationRepository: ReactiveClientRegistrationRepository
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
authorizeExchange {
authorize(anyExchange, authenticated)
}
oauth2Login { }
logout {
logoutSuccessHandler = oidcLogoutSuccessHandler()
}
}
return http.build()
}
private fun oidcLogoutSuccessHandler(): ServerLogoutSuccessHandler {
val oidcLogoutSuccessHandler = OidcClientInitiatedServerLogoutSuccessHandler(clientRegistrationRepository)
// Sets the location that the End-User's User Agent will be redirected to
// after the logout has been performed at the Provider
oidcLogoutSuccessHandler.setPostLogoutRedirectUri("{baseUrl}")
return oidcLogoutSuccessHandler
}
}
OidcClientInitiatedServerLogoutSuccessHandler支持{baseUrl}占 位 符。
如果使用,则应用程序的基 URL(如app.example.org将在请求时替换它。 |