Overriding basic authentication for the /oauth/token endpoint

Date: 2019-12-01 21:33:00

Tags: spring-security spring-security-oauth2

I'm having some trouble overriding the basic authentication for /oauth/token in the TokenEndpoint class. Basically I want to add custom validation of the credentials (client_id and client_secret).

Here is the configuration of the authorization server.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenStore;

// OidcWebResponseExceptionTranslator, OidcMnoOAuth2RequestValidator and
// OidcAuthorizationCodeTokenGranter are the poster's own application classes;
// their imports are not shown in the question.

@Configuration
@EnableOAuth2Client
@EnableAuthorizationServer
public class OAuth2Configuration extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private ClientDetailsService serviceProviderClientDetailsService;

    @Autowired
    private TokenEnhancer tokenEnhancer;

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private AuthorizationCodeServices authorizationCodeServices;

    @Autowired
    private OidcWebResponseExceptionTranslator oidcWebResponseExceptionTranslator;

    @Autowired
    private OidcMnoOAuth2RequestValidator oidcOAuth2RequestValidator;

    // Registered clients (client_id, client_secret, grants, scopes) come from this service.
    @Override
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(serviceProviderClientDetailsService);
    }

    @Override
    public void configure(final AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenEnhancer(tokenEnhancer);
        endpoints.exceptionTranslator(oidcWebResponseExceptionTranslator);
        endpoints.authorizationCodeServices(authorizationCodeServices);
        endpoints.tokenStore(tokenStore);
        endpoints.setClientDetailsService(serviceProviderClientDetailsService);
        endpoints.tokenGranter(oidcAuthorizationCodeTokenGranter());
        endpoints.requestValidator(oidcOAuth2RequestValidator);
    }

    // Security of the /oauth/token endpoint itself: this lets clients send
    // client_id / client_secret as form parameters in addition to HTTP Basic.
    @Override
    public void configure(final AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer.allowFormAuthenticationForClients();
    }

    @Bean
    public OidcAuthorizationCodeTokenGranter oidcAuthorizationCodeTokenGranter() {
        return new OidcAuthorizationCodeTokenGranter();
    }

}

Thanks!

1 answer:

Answer 0 (score: 1)

To add custom validation of the client or user credentials, you can augment DaoAuthenticationProvider and assign it the appropriate user details service. Override its additionalAuthenticationChecks(...) method to add the custom behaviour.

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetails;

public class AugmentedDaoAuthenticationProvider extends DaoAuthenticationProvider {

    // UserDao and User are the answerer's application types; they are not defined on this page.
    private final UserDao userDao;

    public AugmentedDaoAuthenticationProvider(final UserDao userDao) {
        this.userDao = userDao;
    }

    @Override
    protected void additionalAuthenticationChecks(final UserDetails userDetails,
            final UsernamePasswordAuthenticationToken authentication) {
        final User user = userDao.findByUsername(userDetails.getUsername())
                                 .orElseThrow(() -> new BadCredentialsException("Incorrect username or password."));
        // custom authentication logic on `user` goes here

        // Perform the actual authentication (the password / secret comparison).
        super.additionalAuthenticationChecks(userDetails, authentication);
    }
}

Initialise the bean and assign it the appropriate user details service: a UserDetailsService if the additional authentication checks are for user credentials, or ClientDetailsUserDetailsService for client credentials.

<bean id="clientAuthenticationProvider" class="com.test.AugmentedDaoAuthenticationProvider">
    <property name="userDetailsService" ref="clientDetailsUserDetailsService"/>
</bean>

Addressing the question from the comments section:

ClientDetailsUserDetailsService implements UserDetailsService and has a constructor that takes a ClientDetailsService as its argument. The bean is initialised as follows:

<bean id="clientDetailsUserDetailsService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <constructor-arg name="clientDetailsService" ref="serviceProviderClientDetailsService"/>
</bean>

You can then reference this clientDetailsUserDetailsService from your custom DaoAuthenticationProvider.
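The Java-config counterpart of the answer's XML wiring, as an added example that is not code from the original question or answer. It assumes hypothetical names (package com.example.oauth, ClientPolicyAuthenticationProvider, ClientAuthenticationConfiguration), a hypothetical ClientDetails additionalInformation key "suspended" standing in for whatever custom check is wanted, the default /oauth/token path, and secrets stored with a Spring Security 5 delegating-encoder prefix such as {bcrypt}. The configure(AuthorizationServerSecurityConfigurer) override is meant to replace the one in the question's OAuth2Configuration.

```java
// Added example, not code from the original question or answer. The package,
// class names and the "suspended" key are hypothetical.
package com.example.oauth;

import java.util.Collections;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter;
import org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService;

/**
 * Client-credential provider for /oauth/token: verifies the client secret the
 * way DaoAuthenticationProvider always does, then applies an extra policy
 * check against the ClientDetails record.
 */
public class ClientPolicyAuthenticationProvider extends DaoAuthenticationProvider {

    /** Hypothetical additionalInformation key; put your own policy here. */
    static final String SUSPENDED_KEY = "suspended";

    private final ClientDetailsService clientDetailsService;

    public ClientPolicyAuthenticationProvider(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
        // Adapter exposing ClientDetails as UserDetails: username = client_id,
        // password = client_secret, authorities = the client's authorities.
        setUserDetailsService(new ClientDetailsUserDetailsService(clientDetailsService));
        // Secrets must be stored with an encoder id prefix, e.g. {bcrypt}... ({noop} only in tests).
        setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
    }

    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication) {
        // Verify the secret first, so a failed policy check cannot be used to probe
        // a client's status without knowing its secret.
        super.additionalAuthenticationChecks(userDetails, authentication);

        ClientDetails client = clientDetailsService.loadClientByClientId(userDetails.getUsername());
        Map<String, Object> info = client.getAdditionalInformation();
        if (info != null && Boolean.TRUE.equals(info.get(SUSPENDED_KEY))) {
            // AccountStatusException subclasses are not retried on other providers by ProviderManager.
            throw new DisabledException("Client " + client.getClientId() + " is suspended");
        }
    }
}

/**
 * Wires the provider into the token endpoint's form-parameter client
 * authentication (client_id / client_secret in the POST body). Replaces the
 * configure(AuthorizationServerSecurityConfigurer) body of the question's
 * OAuth2Configuration.
 */
@Configuration
class ClientAuthenticationConfiguration extends AuthorizationServerConfigurerAdapter {

    private final ClientDetailsService clientDetailsService;

    ClientAuthenticationConfiguration(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // Deliberately NOT calling allowFormAuthenticationForClients(): that would add
        // the stock form filter, backed by the default provider, in front of ours.
        AuthenticationManager clientAuthenticationManager = new ProviderManager(
                Collections.<AuthenticationProvider>singletonList(
                        new ClientPolicyAuthenticationProvider(clientDetailsService)));

        ClientCredentialsTokenEndpointFilter formFilter =
                new ClientCredentialsTokenEndpointFilter("/oauth/token");
        formFilter.setAuthenticationManager(clientAuthenticationManager);
        // Credentials only in a POST body, never in a GET query string that ends up in access logs.
        formFilter.setAllowOnlyPost(true);
        formFilter.afterPropertiesSet(); // installs the filter's 401 failure handler
        oauthServer.addTokenEndpointAuthenticationFilter(formFilter);
    }
}
```

One caveat before relying on this as a security control: filters registered with addTokenEndpointAuthenticationFilter are placed after BasicAuthenticationFilter, and ClientCredentialsTokenEndpointFilter returns early when the request is already authenticated, so a client that presents its credentials with HTTP Basic is still checked by the stock provider and never reaches the policy check. If the check must also hold for Basic, cover that path as well (for instance with a filter after authentication that repeats the check on the authenticated client). In XML configuration the equivalent is to reference clientAuthenticationProvider from the authentication-manager used by the /oauth/token http element, which applies to both paths. Confirm the filter order against the spring-security-oauth2 version you run.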
