I am building a Spring Boot application with OAuth2 pointed at a Keycloak server.
Login through the UI page works fine, but some users obtain a token directly from the Keycloak server and then try to use that token to call the API. Is this scenario possible with Spring OAuth2? If so, how do I pass the token to the REST endpoint?
I tried the Bearer / Token / Basic Auth headers.
Request
spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: Sandbox-OIDC
            client-secret: <>
            client-name: Auth Server
            scope: user_info
            provider: keycloak
            redirect-uri-template: http://localhost:8000/oauth2
            client-authentication-method: basic
            authorization-grant-type: authorization_code
        provider:
          keycloak:
            token-uri: https://sample.com/auth/realms/Sandbox/protocol/openid-connect/token
            authorization-uri: https://sample.com/auth/realms/Sandbox/protocol/openid-connect/auth
            user-info-uri: https://sample.com/auth/realms/Sandbox/protocol/openid-connect/userinfo
            user-name-attribute: name
Web security configuration (updated)
curl -i -L -H "Authorization: Token $ACCESS_TOKEN" http://localhost:8000/oauth2
HTTP/1.1 302
Set-Cookie: JSESSIONID=472D23F09ECF5A5F883DE218F91A508C; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://localhost:8000/login?error
Content-Length: 0
Date: Wed, 02 Sep 2020 03:32:52 GMT
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 927
Date: Wed, 02 Sep 2020 03:32:52 GMT
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>Please sign in</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M" crossorigin="anonymous">
<link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet" crossorigin="anonymous"/>
</head>
<body>
<div class="container">
<h2 class="form-signin-heading">Login with OAuth 2.0</h2><div class="alert alert-danger" role="alert">Invalid credentials</div><table class="table table-striped">
<tr><td><a href="/oauth2/authorization/keycloak">Auth Server</a></td></tr>
</table>
</div>
</body></html>
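The 302 to /login?error above is what Spring Security's OAuth2 client (oauth2Login) does with any request it cannot tie to a browser session: it knows nothing about bearer tokens, so a token minted directly by Keycloak is ignored and the request is sent to the login page. Accepting such tokens on API endpoints is the job of the resource-server support, which can be enabled alongside the login flow. The configuration below is an added example written for this question, not code from the asker or from Spring; it assumes Spring Security 5.x with both spring-boot-starter-oauth2-client and spring-boot-starter-oauth2-resource-server on the classpath, and assumes the property spring.security.oauth2.resourceserver.jwt.issuer-uri is set to the realm URL (https://sample.com/auth/realms/Sandbox in this question) so the JWT decoder can fetch the realm's signing keys through OIDC discovery.

```java
// Added example (not the asker's code): keep the browser OAuth2 login flow and
// additionally validate bearer JWTs issued by Keycloak on API requests.
// Assumed property in application.yml (not part of the original config):
//   spring.security.oauth2.resourceserver.jwt.issuer-uri: https://sample.com/auth/realms/Sandbox
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Every request must be authenticated, by either mechanism below.
            .authorizeRequests(authz -> authz
                .anyRequest().authenticated())
            // Browser users: existing behaviour, redirect to Keycloak's login page
            // using the "keycloak" client registration from application.yml.
            .oauth2Login(Customizer.withDefaults())
            // API clients: accept "Authorization: Bearer <access_token>" and verify
            // the JWT signature, issuer and expiry against the Keycloak realm keys.
            // An invalid or missing bearer token on such a request yields 401 with a
            // WWW-Authenticate header instead of the 302 to /login?error.
            .oauth2ResourceServer(rs -> rs.jwt());
    }
}
```

Two practical notes. First, only the Bearer scheme is recognised by the resource-server filter; "Authorization: Token ..." and Basic are not bearer tokens and will still be treated as an unauthenticated browser request. Second, the default JWT validation checks signature, issuer and expiry but not the audience, so a token issued by the same realm for a different client would also be accepted; if that matters for the deployment, register an additional OAuth2TokenValidator on the JwtDecoder to require the expected audience claim. Test against a real API path rather than the redirect URI, e.g. curl -i -H "Authorization: Bearer $ACCESS_TOKEN" http://localhost:8000/api/whatever (path assumed).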