|
此版本仍在开发中,尚未被视为稳定版本。对于最新的稳定版本,请使用 Spring Security 6.4.1! |
核心接口 / 类
客户注册
ClientRegistration是向 OAuth 2.0 或 OpenID Connect 1.0 提供者注册的客户端的表示形式。
客户端注册包含客户端 ID、客户端密钥、授权授权类型、重定向 URI、范围、授权 URI、令牌 URI 和其他详细信息等信息。
ClientRegistration其属性定义如下:
public final class ClientRegistration {
private String registrationId; (1)
private String clientId; (2)
private String clientSecret; (3)
private ClientAuthenticationMethod clientAuthenticationMethod; (4)
private AuthorizationGrantType authorizationGrantType; (5)
private String redirectUri; (6)
private Set<String> scopes; (7)
private ProviderDetails providerDetails;
private String clientName; (8)
public class ProviderDetails {
private String authorizationUri; (9)
private String tokenUri; (10)
private UserInfoEndpoint userInfoEndpoint;
private String jwkSetUri; (11)
private String issuerUri; (12)
private Map<String, Object> configurationMetadata; (13)
public class UserInfoEndpoint {
private String uri; (14)
private AuthenticationMethod authenticationMethod; (15)
private String userNameAttributeName; (16)
}
}
}| 1 | registrationId:唯一标识ClientRegistration. |
| 2 | clientId:客户端标识符。 |
| 3 | clientSecret:客户端密钥。 |
| 4 | clientAuthenticationMethod:用于向 Provider 验证 Client 的方法。
支持的值为 client_secret_basic、client_secret_post、private_key_jwt、client_secret_jwt 和 none(公共客户端)。 |
| 5 | authorizationGrantType:OAuth 2.0 授权框架定义了四种授权授权类型。
支持的值为authorization_code,client_credentials,password以及扩展授权类型urn:ietf:params:oauth:grant-type:jwt-bearer. |
| 6 | redirectUri:客户端注册的重定向 URI,授权服务器重定向最终用户的用户代理
更改为最终用户对客户端进行身份验证和授权访问后。 |
| 7 | scopes:客户端在授权请求流程中请求的范围,例如 openid、email 或 profile。 |
| 8 | clientName:用于客户端的描述性名称。
该名称可能在某些情况下使用,例如在自动生成的登录页面中显示客户端的名称时。 |
| 9 | authorizationUri:授权服务器的授权端点 URI。 |
| 10 | tokenUri:授权服务器的令牌端点 URI。 |
| 11 | jwkSetUri:用于从授权服务器检索 JSON Web 密钥 (JWK) 集的 URI,
其中包含用于验证 ID 令牌的 JSON Web 签名 (JWS) 的加密密钥,以及可选的 UserInfo 响应。 |
| 12 | issuerUri:返回 OpenID Connect 1.0 提供者或 OAuth 2.0 授权服务器的颁发者标识符 URI。 |
| 13 | configurationMetadata:OpenID Provider 配置信息。
仅当 Spring Boot 2.x 属性spring.security.oauth2.client.provider.[providerId].issuerUri已配置。 |
| 14 | (userInfoEndpoint)uri:用于访问经过身份验证的最终用户的声明/属性的 UserInfo 端点 URI。 |
| 15 | (userInfoEndpoint)authenticationMethod:将 Access Token 发送到 UserInfo Endpoint 时使用的身份验证方法。
支持的值为 header、form 和 query。 |
| 16 | userNameAttributeName:UserInfo 响应中返回的属性名称,该属性引用最终用户的 Name 或 Identifier。 |
ClientRegistrations提供了配置ClientRegistration这样,从下面的例子中可以看出:
-
Java
-
Kotlin
ClientRegistration clientRegistration =
ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build();val clientRegistration = ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build()上面的代码将按顺序查询idp.example.com/issuer/.well-known/openid-configuration然后idp.example.com/.well-known/openid-configuration/issuer,最后idp.example.com/.well-known/oauth-authorization-server/issuer,在第一个位置停止以返回 200 响应。
作为替代方法,您可以使用ClientRegistrations.fromOidcIssuerLocation()以仅查询 OpenID Connect Provider 的 Configuration 终端节点。
ReactiveClientRegistrationRepository 存储库
这ReactiveClientRegistrationRepository用作 OAuth 2.0 / OpenID Connect 1.0 的存储库ClientRegistration(s) 的
| 客户端注册信息最终由关联的 Authorization Server 存储和拥有。 此存储库提供了检索主客户端注册信息子集的功能,该子集与 Authorization Server 一起存储。 |
Spring Boot 2.x 自动配置绑定spring.security.oauth2.client.registration.[registrationId]添加到ClientRegistration然后组合每个ClientRegistration实例中的ReactiveClientRegistrationRepository.
的默认实现ReactiveClientRegistrationRepository是InMemoryReactiveClientRegistrationRepository. |
自动配置还会注册ReactiveClientRegistrationRepository作为@Bean在ApplicationContext以便它可用于依赖项注入(如果应用程序需要)。
下面的清单显示了一个示例:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private ReactiveClientRegistrationRepository clientRegistrationRepository;
@GetMapping("/")
public Mono<String> index() {
return this.clientRegistrationRepository.findByRegistrationId("okta")
...
.thenReturn("index");
}
}@Controller
class OAuth2ClientController {
@Autowired
private lateinit var clientRegistrationRepository: ReactiveClientRegistrationRepository
@GetMapping("/")
fun index(): Mono<String> {
return this.clientRegistrationRepository.findByRegistrationId("okta")
...
.thenReturn("index")
}
}OAuth2AuthorizedClient
OAuth2AuthorizedClient是授权客户端的表示形式。
当最终用户(资源所有者)已向客户端授予访问其受保护资源的授权时,客户端被视为已获得授权。
OAuth2AuthorizedClient用于将OAuth2AccessToken(并且可选OAuth2RefreshToken) 转换为ClientRegistration(客户端)和资源所有者,后者是Principal授予授权的最终用户。
服务器OAuth2AuthorizedClientRepository / ReactiveOAuth2AuthorizedClientService
ServerOAuth2AuthorizedClientRepository负责持久化OAuth2AuthorizedClient(s) 在 Web 请求之间。
鉴于ReactiveOAuth2AuthorizedClientService是管理OAuth2AuthorizedClient(s) 在应用程序级别。
从开发人员的角度来看,ServerOAuth2AuthorizedClientRepository或ReactiveOAuth2AuthorizedClientService提供查找OAuth2AccessToken与客户端关联,以便可以使用它来启动受保护的资源请求。
下面的清单显示了一个示例:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private ReactiveOAuth2AuthorizedClientService authorizedClientService;
@GetMapping("/")
public Mono<String> index(Authentication authentication) {
return this.authorizedClientService.loadAuthorizedClient("okta", authentication.getName())
.map(OAuth2AuthorizedClient::getAccessToken)
...
.thenReturn("index");
}
}@Controller
class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientService: ReactiveOAuth2AuthorizedClientService
@GetMapping("/")
fun index(authentication: Authentication): Mono<String> {
return this.authorizedClientService.loadAuthorizedClient<OAuth2AuthorizedClient>("okta", authentication.name)
.map { it.accessToken }
...
.thenReturn("index")
}
}Spring Boot 2.x 自动配置会注册一个ServerOAuth2AuthorizedClientRepository和/或ReactiveOAuth2AuthorizedClientService @Bean在ApplicationContext.
但是,应用程序可以选择替代并注册自定义ServerOAuth2AuthorizedClientRepository或ReactiveOAuth2AuthorizedClientService @Bean. |
的默认实现ReactiveOAuth2AuthorizedClientService是InMemoryReactiveOAuth2AuthorizedClientService,其中存储OAuth2AuthorizedClient(s) 在内存中。
或者,R2DBC 实现R2dbcReactiveOAuth2AuthorizedClientService可以配置为持久化OAuth2AuthorizedClient(s) 在数据库中。
R2dbcReactiveOAuth2AuthorizedClientService取决于 OAuth 2.0 客户端架构中描述的表定义。 |
响应式OAuth2AuthorizedClientManager / 响应式OAuth2AuthorizedClientProvider
这ReactiveOAuth2AuthorizedClientManager负责OAuth2AuthorizedClient(s) 的
主要职责包括:
-
授权(或重新授权)OAuth 2.0 客户端,使用
ReactiveOAuth2AuthorizedClientProvider. -
委托
OAuth2AuthorizedClient,通常使用ReactiveOAuth2AuthorizedClientService或ServerOAuth2AuthorizedClientRepository. -
委托给
ReactiveOAuth2AuthorizationSuccessHandler当 OAuth 2.0 客户端成功获得授权(或重新授权)时。 -
委托给
ReactiveOAuth2AuthorizationFailureHandler当 OAuth 2.0 客户端无法授权(或重新授权)时。
一个ReactiveOAuth2AuthorizedClientProvider实施授权(或重新授权)OAuth 2.0 客户端的策略。
实现通常会实现授权授权类型,例如。authorization_code,client_credentials等。
的默认实现ReactiveOAuth2AuthorizedClientManager是DefaultReactiveOAuth2AuthorizedClientManager,它与ReactiveOAuth2AuthorizedClientProvider这可能支持使用基于委托的组合的多种授权授权类型。
这ReactiveOAuth2AuthorizedClientProviderBuilder可用于配置和构建基于委派的组合。
以下代码显示了如何配置和构建ReactiveOAuth2AuthorizedClientProvider复合组件,它为authorization_code,refresh_token,client_credentials和password授权授权类型:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken()
.clientCredentials()
.password()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken()
.clientCredentials()
.password()
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}授权尝试成功后,DefaultReactiveOAuth2AuthorizedClientManager将委托给ReactiveOAuth2AuthorizationSuccessHandler,它(默认情况下)将保存OAuth2AuthorizedClient通过ServerOAuth2AuthorizedClientRepository.
在重新授权失败的情况下,例如。刷新令牌不再有效,则之前保存的OAuth2AuthorizedClient将从ServerOAuth2AuthorizedClientRepository通过RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler.
默认行为可以通过setAuthorizationSuccessHandler(ReactiveOAuth2AuthorizationSuccessHandler)和setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler).
这DefaultReactiveOAuth2AuthorizedClientManager还与contextAttributesMapper的类型Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>>,它负责从OAuth2AuthorizeRequest更改为Map要关联的OAuth2AuthorizationContext.
当您需要提供ReactiveOAuth2AuthorizedClientProvider具有必需(支持)属性,例如。这PasswordReactiveOAuth2AuthorizedClientProvider需要资源所有者的username和password可用于OAuth2AuthorizationContext.getAttributes().
以下代码显示了contextAttributesMapper:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper());
return authorizedClientManager;
}
private Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>> contextAttributesMapper() {
return authorizeRequest -> {
Map<String, Object> contextAttributes = Collections.emptyMap();
ServerWebExchange exchange = authorizeRequest.getAttribute(ServerWebExchange.class.getName());
ServerHttpRequest request = exchange.getRequest();
String username = request.getQueryParams().getFirst(OAuth2ParameterNames.USERNAME);
String password = request.getQueryParams().getFirst(OAuth2ParameterNames.PASSWORD);
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = new HashMap<>();
// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
}
return Mono.just(contextAttributes);
};
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper())
return authorizedClientManager
}
private fun contextAttributesMapper(): Function<OAuth2AuthorizeRequest, Mono<MutableMap<String, Any>>> {
return Function { authorizeRequest ->
var contextAttributes: MutableMap<String, Any> = mutableMapOf()
val exchange: ServerWebExchange = authorizeRequest.getAttribute(ServerWebExchange::class.java.name)!!
val request: ServerHttpRequest = exchange.request
val username: String? = request.queryParams.getFirst(OAuth2ParameterNames.USERNAME)
val password: String? = request.queryParams.getFirst(OAuth2ParameterNames.PASSWORD)
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = hashMapOf()
// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes[OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME] = username!!
contextAttributes[OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME] = password!!
}
Mono.just(contextAttributes)
}
}这DefaultReactiveOAuth2AuthorizedClientManager旨在在ServerWebExchange.
在ServerWebExchangecontext, 使用AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager相反。
服务应用程序是何时使用AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager.
服务应用程序通常在后台运行,无需任何用户交互,并且通常在系统级账户(而不是用户账户)下运行。
配置了client_credentials授权类型可以被视为一种服务应用程序类型。
以下代码显示了如何配置AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager,它为client_credentials资助类型:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ReactiveOAuth2AuthorizedClientService authorizedClientService) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build();
AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientService);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientService: ReactiveOAuth2AuthorizedClientService): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build()
val authorizedClientManager = AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientService)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}