Spring Boot OAuth2带有加密的JWT访问令牌

时间:2016-09-28 08:39:21

标签: spring spring-security spring-boot jwt spring-security-oauth2

在我的Spring Bott应用程序中,我已经使用授权/资源服务器配置了自己的OAuth2。

我已经实现了以下JwtAccessTokenConverter:

@Bean
public JwtAccessTokenConverter accessTokenConverter() {
    JwtAccessTokenConverter converter = new JwtAccessTokenConverter() {

        @Override
        public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
            DBUserDetails user = (DBUserDetails) authentication.getUserAuthentication().getPrincipal();
            final Map<String, Object> additionalInfo = new HashMap<>();
            additionalInfo.put("user_id", user.getUser().getId());
            ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);
            OAuth2AccessToken enhancedToken = super.enhance(accessToken, authentication);
            return enhancedToken;
        }

    };

    converter.setSigningKey("123");

    DefaultAccessTokenConverter accessTokenConverter = new DefaultAccessTokenConverter();
    DefaultUserAuthenticationConverter userTokenConverter = new DefaultUserAuthenticationConverter();
    userTokenConverter.setUserDetailsService(userDetailsService);
    accessTokenConverter.setUserTokenConverter(userTokenConverter);

    converter.setAccessTokenConverter(accessTokenConverter);

    return converter;
}

现在我的应用程序生成以下标记,例如:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxNzgzNTEsInVzZXJfbmFtZSI6ImFkbWluIiwic2NvcGUiOlsicmVhZCIsIndyaXRlIl0sImV4cCI6MTQ3NTA5NDA4NSwiYXV0aG9yaXRpZXMiOlsiUEVSTUlTU0lPTl9ERUxFVEVfT1dOX0NSSVRFUklPTiIsIlBFUk1JU1NJT05fREVMRVRFX09XTl9DT01NRU5UIiwiUEVSTUlTU0lPTl9VUERBVEVfT1dOX0NSSVRFUklPTiIsIlBFUk1JU1NJT05fVVBEQVRFX0FOWV9DUklURVJJT04iLCJQRVJNSVNTSU9OX0RFTEVURV9PV05fQ1JJVEVSSU9OX0dST1VQIiwiUEVSTUlTU0lPTl9ERUxFVEVfQU5ZX0RFQ0lTSU9OIiwiUEVSTUlTU0lPTl9DUkVBVEVfVk9URSIsIlBFUk1JU1NJT05fREVMRVRFX0FOWV9DUklURVJJT04iLCJQRVJNSVNTSU9OX0NSRUFURV9DUklURVJJT05fR1JPVVAiLCJQRVJNSVNTSU9OX0RFTEVURV9PV05fREVDSVNJT04iLCJQRVJNSVNTSU9OX0NSRUFURV9ERUNJU0lPTiIsIlBFUk1JU1NJT05fREVMRVRFX0FOWV9DUklURVJJT05fR1JPVVAiLCJQRVJNSVNTSU9OX0RFTEVURV9BTllfVk9URSIsIlBFUk1JU1NJT05fREVMRVRFX09XTl9WT1RFIiwiUEVSTUlTU0lPTl9VUERBVEVfT1dOX0NSSVRFUklPTl9HUk9VUCIsIlBFUk1JU1NJT05fVVBEQVRFX0FOWV9DUklURVJJT05fR1JPVVAiLCJQRVJNSVNTSU9OX1VQREFURV9BTllfQ09NTUVOVCIsIlBFUk1JU1NJT05fVVBEQVRFX09XTl9DT01NRU5UIiwiUEVSTUlTU0lPTl9VUERBVEVfQU5ZX0RFQ0lTSU9OIiwiUEVSTUlTU0lPTl9BUFBFTkRfREVDSVNJT04iLCJQRVJNSVNTSU9OX1VQREFURV9PV05fVk9URSIsIlBFUk1JU1NJT05fVVBEQVRFX0FOWV9WT1RFIiwiUEVSTUlTU0lPTl9ERUxFVEVfQU5ZX0NPTU1FTlQiLCJQRVJNSVNTSU9OX1VQREFURV9PV05fREVDSVNJT04iLCJQRVJNSVNTSU9OX0NSRUFURV9DT01NRU5UIiwiUEVSTUlTU0lPTl9DUkVBVEVfQ1JJVEVSSU9OIiwiUEVSTUlTU0lPTl9SRUFEX0FDVFVBVE9SX0RBVEEiXSwianRpIjoiMWU3OGMzMGYtNTY0ZS00NjliLWE1MmMtODlhOGM4YzFiZmY2IiwiY2xpZW50X2lkIjoiZGVjaXNpb253YW50ZWRfY2xpZW50X2lkIn0.Cnj_7b3FAanmL0Y-_kxcH2f4yjLFHOw-4NOVr67WZ88

此令牌可以使用JWT调试器https://jwt.io/

进行解码

我不想将此令牌的内部暴露给外部世界,并希望以某种方式对此令牌进行编码。

如何使用Spring Boot,OAuth2,JWT实现它?

1 个答案:

答案 0 :(得分:2)

我尝试此操作,它对我有用:https://gist.github.com/salgmachine/352799a6052b02901982dcbf85d30346

创建自定义JwtAccessTokenConverter

public class JwtJweAccessTokenConverter extends JwtAccessTokenConverter {

    RSAKey recipientJWK, recipientPublicJWK;

    public JwtJweAccessTokenConverter() {
        try {
            recipientJWK = new RSAKeyGenerator(2048).keyID("456").keyUse(KeyUse.ENCRYPTION).generate();
            recipientPublicJWK = recipientJWK.toPublicJWK();
        } catch (JOSEException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }

    @Override
    protected String encode(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        String jwt = super.encode(accessToken, authentication);

        try {
            // jwt is already signed at this point (by JwtAccessTokenConverter)
            SignedJWT parsed = SignedJWT.parse(jwt);

            // Create JWE object with signed JWT as payload
            JWEObject jweObject = new JWEObject(
                    new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM).contentType("JWT") // required
                                                                                                                    // to
                                                                                                                    // indicate
                                                                                                                    // nested
                                                                                                                    // JWT
                            .build(),
                    new Payload(parsed));

            // Encrypt with the recipient's public key
            jweObject.encrypt(new RSAEncrypter(recipientPublicJWK));

            // Serialise to JWE compact form
            String jweString = jweObject.serialize();

            return jweString;
        } catch (Exception e) {
            e.printStackTrace();
        }

        return jwt;
    }

    @Override
    protected Map<String, Object> decode(String token) {
        try {
            // basically treat the incoming token as an encrypted JWT
            EncryptedJWT parse = EncryptedJWT.parse(token);
            // decrypt it
            RSADecrypter dec = new RSADecrypter(recipientJWK);
            parse.decrypt(dec);
            // content of the encrypted token is a signed JWT (signed by
            // JwtAccessTokenConverter)
            SignedJWT signedJWT = parse.getPayload().toSignedJWT();
            // pass on the serialized, signed JWT to JwtAccessTokenConverter
            return super.decode(signedJWT.serialize());

        } catch (ParseException e) {
            e.printStackTrace();
        } catch (JOSEException e) {
            e.printStackTrace();
        }

        return super.decode(token);
    }
}

并配置Oauth2 Auth服务器和资源以使用自定义JwtAccessTokenConverter

@Bean
public TokenStore tokenStore() {

    return new JwtTokenStore(accessTokenConverter());
}

@Bean
public JwtAccessTokenConverter accessTokenConverter() {
    final JwtAccessTokenConverter converter = new JwtJweAccessTokenConverter();
    final KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(new ClassPathResource("mytest.jks"),
            "mypass".toCharArray());
    converter.setKeyPair(keyStoreKeyFactory.getKeyPair("mytest"));
    return converter;
}

检查github链接以获取完整的代码示例