I am using Swagger with springdoc-openapi-ui 1.4.3:

import io.swagger.v3.oas.annotations.security.SecurityRequirement;
// every operation in this controller requires the "security_auth" scheme declared in OpenApiConfig
@SecurityRequirement(name = "security_auth")
public class ProductController {}
Security scheme setup:

import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
import io.swagger.v3.oas.annotations.security.OAuthFlow;
import io.swagger.v3.oas.annotations.security.OAuthFlows;
import io.swagger.v3.oas.annotations.security.OAuthScope;
import io.swagger.v3.oas.annotations.security.SecurityScheme;
// OAuth2 authorization-code flow; the URLs are resolved from the springdoc.oAuthFlow.* properties
@SecurityScheme(name = "security_auth", type = SecuritySchemeType.OAUTH2,
        flows = @OAuthFlows(authorizationCode = @OAuthFlow(
                authorizationUrl = "${springdoc.oAuthFlow.authorizationUrl}",
                tokenUrl = "${springdoc.oAuthFlow.tokenUrl}",
                scopes = { @OAuthScope(name = "IdentityPortal.API", description = "IdentityPortal.API") })))
public class OpenApiConfig {}
Security configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .authorizeRequests()
                // the OpenAPI document and Swagger UI are public so the UI can load before login
                .antMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html")
                    .permitAll()
                // the JWT resource server exposes each scope claim value as a SCOPE_<value> authority
                .antMatchers(HttpMethod.GET, "/user/info", "/api/foos/**")
                    .hasAuthority("SCOPE_read")
                .antMatchers(HttpMethod.POST, "/api/foos")
                    .hasAuthority("SCOPE_write")
                .anyRequest()
                    .authenticated()
            .and()
            // bearer JWTs are validated against the issuer configured in application.yml
            .oauth2ResourceServer()
                .jwt();
        // @formatter:on
    }
}
with the following dependencies:
implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
implementation 'org.springdoc:springdoc-openapi-ui:1.4.3'
implementation 'org.springdoc:springdoc-openapi-security:1.4.3'
implementation "org.springframework.boot:spring-boot-starter-security"
Configuration settings (application.yml):

spring:
  profiles:
    active: dev
  ####### resource server configuration properties
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://localhost:5001
          jwk-set-uri: https://localhost:5001/connect/token
springdoc:
  swagger-ui:
    oauth:
      clientId: Local
      usepkcewithauthorizationcodegrant: true
  oAuthFlow:
    authorizationUrl: https://localhost:5001
    tokenUrl: https://localhost:5001/connect/token
In the Swagger UI the clientId is empty and a client secret field is present, whereas for the authorization code + PKCE flow a client secret should not exist.
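The hasAuthority("SCOPE_read") and hasAuthority("SCOPE_write") rules in the security configuration above only work because Spring Security's JWT resource server turns the token's scope claim into SCOPE_-prefixed authorities. The following is an added example, not code from the question, from springdoc or from Spring Security; it runs Spring Security's JwtGrantedAuthoritiesConverter over constructed Jwt objects (the token value and claims are made-up samples and no signature is verified) to show which authorities a token with a given scope claim yields, including the failure mode of a valid token that carries no scope claim at all. It assumes spring-security-oauth2-resource-server (pulled in by the posted starter dependency) and Java 9 or later.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

public class ScopeAuthorityMapping {

    /**
     * Builds an already-parsed Jwt from the given claims. This is a constructed sample:
     * no signature exists or is checked here, which is fine because only the
     * claim-to-authority mapping is exercised, not token validation.
     */
    static Jwt sampleJwt(Map<String, Object> claims) {
        Jwt.Builder builder = Jwt.withTokenValue("constructed-sample-token")
                .header("alg", "RS256")
                .issuer("https://localhost:5001")  // same issuer as the asker's issuer-uri
                .subject("alice");
        claims.forEach(builder::claim);
        return builder.build();
    }

    /**
     * Applies Spring Security's default converter, the one oauth2ResourceServer().jwt()
     * uses when nothing else is configured: each value of the "scope" (or "scp") claim
     * becomes the authority "SCOPE_<value>".
     */
    static List<String> authoritiesFor(Jwt jwt) {
        JwtGrantedAuthoritiesConverter converter = new JwtGrantedAuthoritiesConverter();
        Collection<GrantedAuthority> authorities = converter.convert(jwt);
        return authorities.stream()
                .map(GrantedAuthority::getAuthority)
                .sorted()
                .collect(Collectors.toList());
    }

    /** Mirrors what hasAuthority("SCOPE_read") decides for a request carrying this token. */
    static boolean mayReadFoos(Jwt jwt) {
        return authoritiesFor(jwt).contains("SCOPE_read");
    }

    public static void main(String[] args) {
        // "scope" as a space-separated string, the shape most providers emit
        Jwt stringScope = sampleJwt(Map.of("scope", "read write"));
        check(authoritiesFor(stringScope).equals(List.of("SCOPE_read", "SCOPE_write")), "string scope claim");
        check(mayReadFoos(stringScope), "GET /api/foos allowed with scope read");

        // "scope" as a JSON array; the converter accepts both shapes
        Jwt arrayScope = sampleJwt(Map.of("scope", List.of("IdentityPortal.API")));
        check(authoritiesFor(arrayScope).equals(List.of("SCOPE_IdentityPortal.API")), "array scope claim");
        check(!mayReadFoos(arrayScope), "IdentityPortal.API alone does not grant SCOPE_read");

        // no scope claim at all: a valid, signed token still yields no SCOPE_ authority, so the
        // hasAuthority rules deny it, while anyRequest().authenticated() would still admit it
        Jwt noScope = sampleJwt(Map.of("email", "alice@example.test"));
        check(authoritiesFor(noScope).isEmpty(), "missing scope claim");

        System.out.println("scope-to-authority mapping behaves as the security config assumes");
    }

    private static void check(boolean condition, String what) {
        if (!condition) {
            throw new IllegalStateException("unexpected mapping: " + what);
        }
    }
}
```

Running main with the starter on the classpath exercises the three cases; if the authorization server puts scopes under a differently named claim, the converter's setAuthoritiesClaimName and setAuthorityPrefix setters are the place to adjust the mapping rather than loosening the antMatchers rules.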
Answer 0 (score: 1)
Your property syntax usepkcewithauthorizationcodegrant is incorrect.
This is the correct property for PKCE:
springdoc.swagger-ui.oauth.use-pkce-with-authorization-code-grant=true
To fill in the client id, just use:
springdoc.swagger-ui.oauth.client-id=yourSPAClientId
Regarding your note about the existing secret field that could be hidden: this looks like an enhancement to swagger-ui. You should file an enhancement request with the swagger-ui project:
Answer 1 (score: 0)
It has been a while since you asked this question, but I will answer for anyone else's information. The main problem is the misleading implementation of the UI. You are forced to use the authorization code flow in the configuration because authorization code with PKCE is missing. So you have to use authorization code (since you need to provide the authorization and token URLs) and put a dummy secret in the yaml. Example below.

import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
import io.swagger.v3.oas.annotations.security.OAuthFlow;
import io.swagger.v3.oas.annotations.security.OAuthFlows;
import io.swagger.v3.oas.annotations.security.SecurityScheme;
// authorization-code flow only; PKCE is switched on through the springdoc.swagger-ui.oauth.* properties below
@SecurityScheme(name = "security_auth", type = SecuritySchemeType.OAUTH2,
        flows = @OAuthFlows(authorizationCode = @OAuthFlow(
                authorizationUrl = "${springdoc.oAuthFlow.authorizationUrl}",
                tokenUrl = "${springdoc.oAuthFlow.tokenUrl}")))
public class OpenApiConfig {}

If you want to use PKCE instead of plain implicit, set the correct property (as @brianbro pointed out) and a dummy secret:
springdoc.swagger-ui.oauth.use-pkce-with-authorization-code-grant=true
# placeholder value only: a public client using PKCE has no real secret
springdoc.swagger-ui.oauth.client-secret=justFillerBecausePKCEisUsed
One last note: if you want to prefill the client_id, use the configuration:
springdoc.swagger-ui.oauth.client-id=YourClientId