Integrating Spring SAML with OAuth2 tokens for REST API access
Using the Spring SAML Extension I can configure SAML authentication and get the assertion back to the SP, following the link.
Now it returns to this "/landing", and I get the assertion and the Authentication object in SAMLUserDetailsService and SAMLAuthenticationProvider, populating a UserDetails object in SAMLUserDetailsService.
```java
@Bean
public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
    SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler =
            new SavedRequestAwareAuthenticationSuccessHandler();
    // After a successful SAML login the user lands here
    successRedirectHandler.setDefaultTargetUrl("/landing");
    return successRedirectHandler;
}
```
Now my question is: how do I generate the auth token? From this point on there are not many details available. So far I have tried creating a custom filter that intercepts "/landing" and tries to rewrite the URL to /oauth/token?grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=AssertionToBase64Url (followed), but I was unable to generate a token. My current configuration, Spring Security with the OAuth implementation, and Spring SAML also work independently, so now I want to use the two features together.
My ResourceServerConfiguration.java
```java
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "my_rest_api";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID).stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .anonymous().disable()
            .requestMatchers().antMatchers("/user/**")
            .and().authorizeRequests()
                // Only ADMIN role may call the protected API
                .antMatchers("/user/**").access("hasRole('ADMIN')")
            .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }
}
```
My AuthorizationServerConfiguration.java
```java
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    private static String REALM = "MY_OAUTH_REALM";

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private UserApprovalHandler userApprovalHandler;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("my-trusted-client")
            .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit")
            .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
            .scopes("read", "write", "trust")
            .secret("secret")
            .accessTokenValiditySeconds(120)   // Access token is only valid for 2 minutes.
            .refreshTokenValiditySeconds(600); // Refresh token is only valid for 10 minutes.
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler)
            .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.realm(REALM + "/client");
    }
}
```
Can anyone suggest how to integrate this, so that after a successful assertion from the IdP for authentication (the authorization part is done), when the IdP returns to the SP, an auth access and refresh token is generated with which the user can access the API? Can anyone provide some kind of solution...
Answer 0 (score: 0)
Some time ago I faced the same challenge, and after figuring it out I wrote an article (can't post it here...). Basically, your oAuth authorization server is a "bridge" that adapts your SAML backend to oAuth, and vice versa... Find it here:
How-to-integrate-Spring-oAuth-with-Spring-SAML
There is also a repo in GitHub with all the sources, e.g.:
https://github.com/OhadR/spring-oAuth2-SAML-integration
I know it's only links, but again - the article is too long and detailed.
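One concrete way to build the "bridge" the answer describes, and to replace the redirect to "/landing" that the question starts from, is an AuthenticationSuccessHandler that takes the Authentication produced by SAMLAuthenticationProvider and mints an OAuth2 access/refresh token pair with the authorization server's own token services. The following is an added example, not code from the question, the linked article or the OhadR repository. It assumes the legacy spring-security-oauth2 API used in the question, a registered client id of "my-trusted-client" as in AuthorizationServerConfiguration, an AuthorizationServerTokenServices bean (the one the @EnableAuthorizationServer configuration exposes, or a DefaultTokenServices you declare yourself), and Jackson on the classpath for the JSON response. The class name SamlToOAuth2TokenSuccessHandler is hypothetical.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/**
 * Hypothetical success handler (added example). Spring SAML invokes it only after the
 * assertion has been validated and SAMLAuthenticationProvider has built an Authentication
 * whose authorities come from SAMLUserDetailsService. Instead of redirecting to "/landing",
 * it issues an OAuth2 token pair for that user and returns it as JSON, so the browser or
 * client can call the resource server with "Authorization: Bearer <access_token>".
 */
public class SamlToOAuth2TokenSuccessHandler implements AuthenticationSuccessHandler {

    // Assumption: the client registered in AuthorizationServerConfiguration.
    private static final String CLIENT_ID = "my-trusted-client";

    // Informational grant type recorded on the stored request; no grant handler runs here.
    private static final String GRANT_TYPE = "saml2-bearer";

    private final AuthorizationServerTokenServices tokenServices;
    private final ClientDetailsService clientDetailsService;
    private final OAuth2RequestFactory requestFactory;
    private final ObjectMapper mapper = new ObjectMapper();

    public SamlToOAuth2TokenSuccessHandler(AuthorizationServerTokenServices tokenServices,
                                           ClientDetailsService clientDetailsService) {
        this.tokenServices = tokenServices;
        this.clientDetailsService = clientDetailsService;
        this.requestFactory = new DefaultOAuth2RequestFactory(clientDetailsService);
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication samlAuthentication)
            throws IOException, ServletException {
        if (samlAuthentication == null || !samlAuthentication.isAuthenticated()) {
            // Defensive: never mint a token for an unauthenticated principal.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        OAuth2AccessToken token = createTokenFor(samlAuthentication);
        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType("application/json");
        // Tokens are credentials: make sure intermediaries do not cache the response.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");
        // DefaultOAuth2AccessToken is Jackson-serializable in the standard token-endpoint shape.
        mapper.writeValue(response.getWriter(), token);
    }

    /**
     * Wraps the SAML-derived user Authentication in an OAuth2Authentication bound to the
     * trusted client and asks the token services to issue the access (and refresh) token.
     * Validity periods, scopes and the refresh token come from the client registration and
     * token store already configured in AuthorizationServerConfiguration.
     */
    OAuth2AccessToken createTokenFor(Authentication userAuthentication) {
        ClientDetails client = clientDetailsService.loadClientByClientId(CLIENT_ID);

        Map<String, String> params = new HashMap<>();
        params.put("grant_type", GRANT_TYPE);
        TokenRequest tokenRequest =
                new TokenRequest(params, CLIENT_ID, client.getScope(), GRANT_TYPE);
        OAuth2Request storedRequest = requestFactory.createOAuth2Request(client, tokenRequest);

        // The user half carries the SAML principal and its authorities (e.g. ROLE_ADMIN),
        // which is what the resource server's hasRole('ADMIN') check later evaluates.
        OAuth2Authentication oauth2Authentication =
                new OAuth2Authentication(storedRequest, userAuthentication);
        return tokenServices.createAccessToken(oauth2Authentication);
    }
}
```

To use it, declare it as a bean and pass it to SAMLProcessingFilter.setAuthenticationSuccessHandler(...) in place of the successRedirectHandler bean shown in the question. The assertion itself never leaves the SP: only the resulting Authentication is exchanged for a token, so the access token's lifetime (120 seconds in the question's client registration) bounds how long a leaked token is usable, and the refresh token is stored in the configured TokenStore where it can be revoked.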