1- OAuth2AuthenticationToken和OAuth2Authentication有什么区别?
2-在我的Spring Boot客户端Web应用程序中,我已经使用依赖项“ spring-boot-starter-oauth2-client”通过授权服务器实现(单点登录)sso,因此客户端应用程序中的主体是OAuth2AuthenticationToken。是吗?
3-我无法使用@PreAuthorize(#oauth2.hasScope('xxx')),因为它在OAuth2Authentication上有效,而不在OAuth2AuthenticationToken上有效,为什么? 但是,当我使用@PreAuthorize(hasRole('SomeRole'))时,效果很好。
4-这里是身份验证对象(委托人)的示例
{
"authorities": [
{
"authority": "ROLE_USER",
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
}
}
],
"details": null,
"authenticated": true,
"principal": {
"authorities": [
{
"authority": "ROLE_USER",
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
}
}
],
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
},
"name": "bob"
},
"authorizedClientRegistrationId": "custom-client",
"credentials": "",
"name": "bob"
}
这些字段是什么?为什么会有一些冗余信息?为什么会有多个具有不同值的权限?
5-如果我打算在Authorization Server中使用JWT,是否需要在客户端应用程序中进行任何更改?
谢谢