Add additional information only to the JWT token, not to the OAuth2 token

Date: 2017-06-19 10:25:52

Tags: java spring-boot spring-security jwt spring-security-oauth2

In my Spring Boot application I am trying to configure OAuth2 and JWT. It works fine, but I want to hide the extra information from the OAuth2 token response, because there it is plain text, and the same information is repeated inside the JWT token.

This is my OAuth2ServerConfig:

    import java.util.Arrays;

    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.provider.approval.ApprovalStore;
    import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
    import org.springframework.security.oauth2.provider.token.TokenEnhancer;
    import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
    import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

    @Configuration
    public class OAuth2ServerConfiguration {

        @Configuration
        @EnableAuthorizationServer
        protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

            private final AuthenticationManager authenticationManager;

            private final OAuth2ApprovalRepository oAuth2ApprovalRepository;

            private final OAuth2CodeRepository oAuth2CodeRepository;

            private final OAuth2ClientDetailsRepository oAuth2ClientDetailsRepository;

            // The repositories are final, so they have to be assigned here; Spring injects them
            // through the constructor together with the authentication manager.
            public AuthorizationServerConfiguration(@Qualifier("authenticationManagerBean") AuthenticationManager authenticationManager,
                                                    OAuth2ApprovalRepository oAuth2ApprovalRepository,
                                                    OAuth2CodeRepository oAuth2CodeRepository,
                                                    OAuth2ClientDetailsRepository oAuth2ClientDetailsRepository) {
                this.authenticationManager = authenticationManager;
                this.oAuth2ApprovalRepository = oAuth2ApprovalRepository;
                this.oAuth2CodeRepository = oAuth2CodeRepository;
                this.oAuth2ClientDetailsRepository = oAuth2ClientDetailsRepository;
            }

            @Bean
            public ApprovalStore approvalStore() {
                return new MyDBApprovalStore(oAuth2ApprovalRepository);
            }

            @Bean
            protected AuthorizationCodeServices authorizationCodeServices() {
                return new MyDBAuthorizationCodeServices(oAuth2CodeRepository);
            }

            @Override
            public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
                // Order matters: the custom enhancer adds organizationId to the token's additional
                // information first, then the JWT converter signs a payload that includes it.
                // The additional information also stays on the token object, which is why it is
                // serialized as a top-level field of the /oauth/token JSON response as well.
                TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
                tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), accessTokenConverter()));

                endpoints.authorizationCodeServices(authorizationCodeServices())
                    .approvalStore(approvalStore())
                    .tokenStore(tokenStore())
                    .tokenEnhancer(tokenEnhancerChain)
                    .authenticationManager(authenticationManager);
            }

            @Bean
            public TokenEnhancer tokenEnhancer() {
                return new CustomTokenEnhancer();
            }

            @Bean
            public TokenStore tokenStore() {
                // JwtTokenStore persists nothing; it decodes tokens with the converter on read.
                return new JwtTokenStore(accessTokenConverter());
            }

            @Bean
            public JwtAccessTokenConverter accessTokenConverter() {
                JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
                // HS256 shared secret. "123" is a placeholder: a real deployment needs a long random
                // secret (or an RSA key pair), since anyone who knows it can mint valid tokens.
                converter.setSigningKey("123");
                return converter;
            }

            @Override
            public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                clients.withClientDetails(new MyClientDetailsService(oAuth2ClientDetailsRepository));
            }
        }

    }

My custom token enhancer that adds the information:

    import java.util.HashMap;
    import java.util.Map;

    import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
    import org.springframework.security.oauth2.common.OAuth2AccessToken;
    import org.springframework.security.oauth2.provider.OAuth2Authentication;
    import org.springframework.security.oauth2.provider.token.TokenEnhancer;

    public class CustomTokenEnhancer implements TokenEnhancer {

        @Override
        public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
            Map<String, Object> additionalInfo = new HashMap<>();
            additionalInfo.put("organizationId", "123");
            // Everything in additionalInformation is encoded into the JWT claims by the
            // JwtAccessTokenConverter that follows in the chain, and is also written as
            // top-level fields of the token response.
            ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);
            return accessToken;
        }
    }

Here is a sample response from my authentication web-service call:

    {
        "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmdhbml6YXRpb25JZCI6IjEyMyIsImF1ZCI6WyJyZXNfYmh1YiJdLCJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSJdLCJleHAiOjE0OTc4NjkyNDMsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU4iLCJST0xFX1VTRVIiXSwianRpIjoiOGNhYTZjN2YtNTU0Yy00OTZmLTkwYTUtZTA4MjAyM2I3ZTFlIiwiY2xpZW50X2lkIjoiYmh1YmFwcCJ9.B58c2_tmfuV_L1py8ZzOPuTK3OZAhVFviL9W1gxRoec",
        "token_type": "bearer",
        "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmdhbml6YXRpb25JZCI6IjEyMyIsImF1ZCI6WyJyZXNfYmh1YiJdLCJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSJdLCJhdGkiOiI4Y2FhNmM3Zi01NTRjLTQ5NmYtOTBhNS1lMDgyMDIzYjdlMWUiLCJleHAiOjE0OTc4Njk0NDMsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU4iLCJST0xFX1VTRVIiXSwianRpIjoiMGJjNWJhYzctMWI3Ny00OGFiLWI1N2MtNDM4ZjMyN2JmNGM2IiwiY2xpZW50X2lkIjoiYmh1YmFwcCJ9.DkQoCEX47PmmxOEj0n9kb2L5Yu6DqFgmUh7HBSTO_z4",
        "expires_in": 1799,
        "scope": "read write",
        "organizationId": "123",
        "jti": "8caa6c7f-554c-496f-90a5-e082023b7e1e"
    }

I don't want to expose this token's organizationId to the outside world; I want this information encoded only in the JWT token (access_token).

How can I achieve this with Spring Boot, OAuth2 and JWT?

2 answers:

Answer 0 (score: 1)

If the connection is over HTTPS (and it should be), the information is not exposed to the outside world (only to the client that requested it).

In any case, the access token you have is just a JWS (it is not encrypted), so putting the information there does not hide it (it is only Base64 encoded).
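To see concretely what this answer means, the access_token from the question's response can be split and decoded with nothing but the JDK. This is an added example, not part of the answer; the token literal is the one the question posted, and no key is involved at any point.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example: a JWS is three Base64url segments, header.payload.signature.
 * Only the signature depends on the signing key; the other two are readable by
 * anyone who holds the token.
 */
public class JwsPeek {

    // The access_token from the question's response (copied from the page, not a secret).
    static final String ACCESS_TOKEN =
        "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
        + "eyJvcmdhbml6YXRpb25JZCI6IjEyMyIsImF1ZCI6WyJyZXNfYmh1YiJdLCJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSJdLCJleHAiOjE0OTc4NjkyNDMsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU4iLCJST0xFX1VTRVIiXSwianRpIjoiOGNhYTZjN2YtNTU0Yy00OTZmLTkwYTUtZTA4MjAyM2I3ZTFlIiwiY2xpZW50X2lkIjoiYmh1YmFwcCJ9."
        + "B58c2_tmfuV_L1py8ZzOPuTK3OZAhVFviL9W1gxRoec";

    /** Decodes one Base64url segment (JWT segments carry no '=' padding; the URL decoder accepts that). */
    static String decodeSegment(String segment) {
        return new String(Base64.getUrlDecoder().decode(segment), StandardCharsets.UTF_8);
    }

    /** Returns the JSON claims of a compact JWS without verifying it. */
    static String payloadOf(String jws) {
        String[] parts = jws.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS: expected 3 segments, got " + parts.length);
        }
        return decodeSegment(parts[1]);
    }

    /** Returns the JSON header, which names the algorithm the signature was made with. */
    static String headerOf(String jws) {
        return decodeSegment(jws.split("\\.")[0]);
    }

    public static void main(String[] args) {
        System.out.println("header:  " + headerOf(ACCESS_TOKEN));
        System.out.println("payload: " + payloadOf(ACCESS_TOKEN));
    }
}
```

The header decodes to `{"alg":"HS256","typ":"JWT"}` and the payload opens with `"organizationId":"123"`, followed by the aud, user_name, scope, exp, authorities, jti and client_id claims that Spring put there. Nothing about this read required the signing key. The key only matters for the signature, and with HS256 every resource server that verifies tokens holds the same secret that mints them, so a three-character key like the one in the question's configuration also offers no real protection against forged tokens.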

Answer 1 (score: 1)

I found the solution here:

Spring OAuth 2 + JWT Inlcuding additional info JUST in access token

I also changed the configure method...

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
      // Only the custom enhancer is in the chain now; accessTokenConverter() was removed from it.
      TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
      tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer()));
      // userDetailsService and authenticationManager are fields of the surrounding
      // configuration class (not shown in this excerpt).
      endpoints
        .tokenStore(tokenStore())
        .tokenEnhancer(tokenEnhancerChain)
        .reuseRefreshTokens(false)
        .userDetailsService(userDetailsService)
        .authenticationManager(authenticationManager);
    }
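The answer shows only the changed configure method; the part that does the actual work is the enhancer from the linked thread, which extends JwtAccessTokenConverter so that one object is both the enhancer and the converter. The example below is an added illustration of that technique, not code from the question, the answer or the linked thread: the claim is set on a copy of the token that gets signed, and removed from the token object that Spring serializes as the /oauth/token response body. Class names (ClaimOnlyInJwtConverter, ClaimOnlyInJwtAuthorizationServer), the property name oauth.jwt.signing-key and the organizationIdFor lookup are assumptions; the configuration keeps only the beans the technique touches.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

/**
 * Added example (not the page's code): the JWT converter is itself the enhancer.
 * The claim is signed into the JWT payload but stripped from the OAuth2AccessToken
 * object that Spring serializes as the /oauth/token response body.
 */
public class ClaimOnlyInJwtConverter extends JwtAccessTokenConverter {

    static final String ORGANIZATION_ID_CLAIM = "organizationId";

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        // Work on a copy: the claim must never be set on the instance the caller holds.
        DefaultOAuth2AccessToken toEncode = new DefaultOAuth2AccessToken(accessToken);
        Map<String, Object> claims = new LinkedHashMap<>(accessToken.getAdditionalInformation());
        claims.put(ORGANIZATION_ID_CLAIM, organizationIdFor(authentication));
        toEncode.setAdditionalInformation(claims);

        // JwtAccessTokenConverter.enhance() signs a payload built from the token's fields plus
        // everything in additionalInformation, and does the same for the refresh token.
        DefaultOAuth2AccessToken encoded = (DefaultOAuth2AccessToken) super.enhance(toEncode, authentication);

        // The signed value is fixed now; remove the claim from what the JSON serializer will see.
        // "jti", which super.enhance() adds, stays, as in the question's response.
        Map<String, Object> visible = new LinkedHashMap<>(encoded.getAdditionalInformation());
        visible.remove(ORGANIZATION_ID_CLAIM);
        encoded.setAdditionalInformation(visible);
        return encoded;
    }

    // Assumption: the question hard-codes "123"; a real lookup would derive it from the principal.
    protected String organizationIdFor(OAuth2Authentication authentication) {
        return "123";
    }
}

@Configuration
@EnableAuthorizationServer
class ClaimOnlyInJwtAuthorizationServer extends AuthorizationServerConfigurerAdapter {

    private final AuthenticationManager authenticationManager;
    private final String signingKey;

    // Assumption: the HS256 secret is read from configuration under this property name,
    // instead of the literal "123" used in the question.
    ClaimOnlyInJwtAuthorizationServer(AuthenticationManager authenticationManager,
                                      @Value("${oauth.jwt.signing-key}") String signingKey) {
        this.authenticationManager = authenticationManager;
        this.signingKey = signingKey;
    }

    @Bean
    public ClaimOnlyInJwtConverter accessTokenConverter() {
        ClaimOnlyInJwtConverter converter = new ClaimOnlyInJwtConverter();
        converter.setSigningKey(signingKey);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore())
                 .tokenEnhancer(accessTokenConverter()) // the converter is the only enhancer; no chain needed
                 .authenticationManager(authenticationManager);
    }
}
```

With this in place a call to /oauth/token returns a body containing access_token, token_type, refresh_token, expires_in, scope and jti but no organizationId field, while the payload of access_token still carries "organizationId":"123". Two caveats a practitioner should keep in mind: super.enhance() builds the refresh token JWT from the same additional information, so that token carries the claim too (as it does in the question's response); and the claim is out of the JSON body only, not secret, since the JWS payload is Base64url that anyone holding the token can read, exactly as the other answer says. A resource server configured with the same converter gets the value back through JwtTokenStore.readAccessToken(value).getAdditionalInformation(), because the converter's decode path places unknown claims into the token's additional information.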