Java Spring Security OAuth2:通过POST接受客户端凭证

时间:2018-09-19 20:35:44

标签: java spring spring-boot spring-security oauth-2.0

我有一个相当基本的Spring Boot设置,并且已经安装了Spring Security,并且成功地设置了OAuth2以保护我的API。

几天前,我遇到了一些麻烦,asked (and answered) a question遇到了我的/oauth/token终点的问题。我很快发现问题是我试图在POST请求的正文中发送客户端凭据,但是令牌端点在Spring Security中配置为接受客户端凭据(client_idsecret),而是通过HTTP基本身份验证。

我使用OAuth2 API的大部分经验都涉及在POST请求的正文中发送客户端凭据,我想知道是否可以配置Spring Security以相同的方式工作?

我尝试了几项不同的尝试,但均未成功,例如设置以下配置选项,但我觉得只能在配置OAuth2客户端时使用:

security.oauth2.client.clientAuthenticationScheme=form

这是我的授权服务器配置。

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
import org.springframework.security.oauth2.provider.token.TokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private UserApprovalHandler userApprovalHandler;

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("client_id")
                .secret("secret")
                .authorizedGrantTypes("password", "authorization_code", "refresh_token")
                .scopes("read", "write")
                .accessTokenValiditySeconds(600)
                .refreshTokenValiditySeconds(3600);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(this.tokenStore)
                .userApprovalHandler(this.userApprovalHandler)
                .authenticationManager(this.authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                .passwordEncoder(this.passwordEncoder);
    }
}

1 个答案:

答案 0 :(得分:1)

正如@chrylis在评论中指出的那样,诀窍是在配置授权服务器时在AuthorizationServerSecurityConfigurer上使用allowFormAuthenticationForClients方法。就我而言,我在AuthorizationServerConfig类中有这个功能:

@Override
public void configure(AuthorizationServerSecurityConfigurer security) {
    security.tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()")
            .passwordEncoder(this.passwordEncoder)
            .allowFormAuthenticationForClients();
}

这将允许通过标准参数传递客户端凭据,例如在POST请求的主体中(或在查询字符串中),尽管Spring倾向于通过加入client_idsecret和冒号(<client_id>:<secret>),以base-64编码结果,在结果前加上Basic并将其传递到Authorization标头中,因此最终结果是像这样的东西:

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
相关问题
最新问题