This version is still under development and is not yet considered stable. For the latest stable version, please use Spring Authorization Server 1.5.2.

Protocol Endpoints

OAuth2 Authorization Endpoint

OAuth2AuthorizationEndpointConfigurer provides the ability to customize the OAuth2 Authorization endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 authorization requests.

OAuth2AuthorizationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.authorizationEndpoint(authorizationEndpoint ->
					authorizationEndpoint
        				.authorizationRequestConverter(authorizationRequestConverter)   (1)
                        .authorizationRequestConverters(authorizationRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .authorizationResponseHandler(authorizationResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                        .consentPage("/oauth2/v1/authorize")    (7)
				)
		);

	return http.build();
}
1 authorizationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 authorization request (or consent) from HttpServletRequest to an instance of OAuth2AuthorizationCodeRequestAuthenticationToken or OAuth2AuthorizationConsentAuthenticationToken.
2 authorizationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2AuthorizationCodeRequestAuthenticationToken or OAuth2AuthorizationConsentAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
5 authorizationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2AuthorizationCodeRequestAuthenticationToken and returning the OAuth2AuthorizationResponse.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthorizationCodeRequestAuthenticationException and returning the OAuth2Error response.
7 consentPage(): The URI of the custom consent page to redirect resource owners to if consent is required during the authorization request flow.

OAuth2AuthorizationEndpointConfigurer configures the OAuth2AuthorizationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2AuthorizationEndpointFilter is the Filter that processes OAuth2 authorization requests (and consents).

OAuth2AuthorizationEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — A DelegatingAuthenticationConverter composed of OAuth2AuthorizationCodeRequestAuthenticationConverter and OAuth2AuthorizationConsentAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2AuthorizationCodeRequestAuthenticationProvider and OAuth2AuthorizationConsentAuthenticationProvider.

  • AuthenticationSuccessHandler — An internal implementation that handles an "authenticated" OAuth2AuthorizationCodeRequestAuthenticationToken and returns the OAuth2AuthorizationResponse.

  • AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthorizationCodeRequestAuthenticationException and returns the OAuth2Error response.

Customizing Authorization Request Validation

OAuth2AuthorizationCodeRequestAuthenticationValidator is the default validator used for validating specific OAuth2 authorization request parameters used in the Authorization Code Grant. The default implementation validates the redirect_uri and scope parameters. If validation fails, an OAuth2AuthorizationCodeRequestAuthenticationException is thrown.

OAuth2AuthorizationCodeRequestAuthenticationProvider provides the ability to override the default authorization request validation by supplying a custom authentication validator of type Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> to setAuthenticationValidator().

OAuth2AuthorizationCodeRequestAuthenticationContext holds the OAuth2AuthorizationCodeRequestAuthenticationToken, which contains the OAuth2 authorization request parameters.
If validation fails, the authentication validator must throw an OAuth2AuthorizationCodeRequestAuthenticationException.

A common use case during the development lifecycle phase is to allow localhost in the redirect_uri parameter.

The following example shows how to configure OAuth2AuthorizationCodeRequestAuthenticationProvider with a custom authentication validator that allows localhost in the redirect_uri parameter:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.authorizationEndpoint(authorizationEndpoint ->
					authorizationEndpoint
                        .authenticationProviders(configureAuthenticationValidator())
				)
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
		authenticationProviders.forEach((authenticationProvider) -> {
			if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
				Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
					// Override default redirect_uri validator
					new CustomRedirectUriValidator()
						// Reuse default scope validator
						.andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);

				((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
					.setAuthenticationValidator(authenticationValidator);
			}
		});
}

static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

	@Override
	public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
		OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
			authenticationContext.getAuthentication();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
		String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();

		// Use exact string matching when comparing client redirect URIs against pre-registered URIs
		if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
			OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
			throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
		}
	}
}

OAuth2 Pushed Authorization Request Endpoint

OAuth2PushedAuthorizationRequestEndpointConfigurer provides the ability to customize the OAuth2 Pushed Authorization Request endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 pushed authorization requests.

OAuth2PushedAuthorizationRequestEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.pushedAuthorizationRequestEndpoint(pushedAuthorizationRequestEndpoint ->
					pushedAuthorizationRequestEndpoint
        				.pushedAuthorizationRequestConverter(pushedAuthorizationRequestConverter)   (1)
                        .pushedAuthorizationRequestConverters(pushedAuthorizationRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .pushedAuthorizationResponseHandler(pushedAuthorizationResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
				)
		);

	return http.build();
}
1 pushedAuthorizationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 pushed authorization request from HttpServletRequest to an instance of OAuth2PushedAuthorizationRequestAuthenticationToken.
2 pushedAuthorizationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2PushedAuthorizationRequestAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
5 pushedAuthorizationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2PushedAuthorizationRequestAuthenticationToken and returning the OAuth2 pushed authorization response.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.

OAuth2PushedAuthorizationRequestEndpointConfigurer configures the OAuth2PushedAuthorizationRequestEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2PushedAuthorizationRequestEndpointFilter is the Filter that processes OAuth2 pushed authorization requests.

OAuth2PushedAuthorizationRequestEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — A DelegatingAuthenticationConverter composed of OAuth2AuthorizationCodeRequestAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2PushedAuthorizationRequestAuthenticationProvider.

  • AuthenticationSuccessHandler — An internal implementation that handles an "authenticated" OAuth2PushedAuthorizationRequestAuthenticationToken and returns the OAuth2 pushed authorization response.

  • AuthenticationFailureHandler — An OAuth2ErrorAuthenticationFailureHandler.

Customizing Pushed Authorization Request Validation

OAuth2AuthorizationCodeRequestAuthenticationValidator is the default validator used for validating specific OAuth2 pushed authorization request parameters used in the Authorization Code Grant. The default implementation validates the redirect_uri and scope parameters. If validation fails, an OAuth2AuthorizationCodeRequestAuthenticationException is thrown.

OAuth2PushedAuthorizationRequestAuthenticationProvider provides the ability to override the default pushed authorization request validation by supplying a custom authentication validator of type Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> to setAuthenticationValidator().

OAuth2AuthorizationCodeRequestAuthenticationContext holds the OAuth2AuthorizationCodeRequestAuthenticationToken, which contains the OAuth2 pushed authorization request parameters.
If validation fails, the authentication validator must throw an OAuth2AuthorizationCodeRequestAuthenticationException.

A common use case during the development lifecycle phase is to allow localhost in the redirect_uri parameter.

The following example shows how to configure OAuth2PushedAuthorizationRequestAuthenticationProvider with a custom authentication validator that allows localhost in the redirect_uri parameter:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.pushedAuthorizationRequestEndpoint(pushedAuthorizationRequestEndpoint ->
					pushedAuthorizationRequestEndpoint
                        .authenticationProviders(configureAuthenticationValidator())
				)
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
		authenticationProviders.forEach((authenticationProvider) -> {
			if (authenticationProvider instanceof OAuth2PushedAuthorizationRequestAuthenticationProvider) {
				Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
					// Override default redirect_uri validator
					new CustomRedirectUriValidator()
						// Reuse default scope validator
						.andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);

				((OAuth2PushedAuthorizationRequestAuthenticationProvider) authenticationProvider)
					.setAuthenticationValidator(authenticationValidator);
			}
		});
}

static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

	@Override
	public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
		OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
			authenticationContext.getAuthentication();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
		String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();

		// Use exact string matching when comparing client redirect URIs against pre-registered URIs
		if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
			OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
			throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
		}
	}
}
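The two CustomRedirectUriValidator classes above compare redirect URIs by exact string match, which is exactly what the default validator does, so they do not yet implement the localhost use case described for the authorization endpoint and the pushed authorization request endpoint. The following is an added example (not code from Spring Authorization Server or its documentation) that serves both sections: it delegates everything to the framework's DEFAULT_REDIRECT_URI_VALIDATOR except loopback redirect URIs, for which only the port may differ from the registered URI, as RFC 8252 section 7.3 permits for native clients. The class name and the LOOPBACK_HOSTS set are this example's own choices; use it in either configureAuthenticationValidator() in place of new CustomRedirectUriValidator().

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.function.Consumer;

import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationValidator;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

// Hypothetical validator (not part of Spring Authorization Server). It keeps the strict default
// redirect_uri rules and only relaxes the port for loopback redirect URIs, so a development client
// that listens on an ephemeral port can register http://127.0.0.1/callback once.
public final class LoopbackRedirectUriValidator
		implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

	// Hosts treated as loopback; an assumption of this example
	private static final Set<String> LOOPBACK_HOSTS = Set.of("localhost", "127.0.0.1", "::1");

	@Override
	public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext context) {
		OAuth2AuthorizationCodeRequestAuthenticationToken authentication = context.getAuthentication();
		URI requested = parseLoopbackRedirectUri(authentication.getRedirectUri());
		if (requested == null) {
			// Absent, malformed, fragment-bearing or non-loopback redirect_uri:
			// the framework default decides (exact match against the registered URIs)
			OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_REDIRECT_URI_VALIDATOR.accept(context);
			return;
		}
		RegisteredClient registeredClient = context.getRegisteredClient();
		for (String registeredRedirectUri : registeredClient.getRedirectUris()) {
			if (matchesIgnoringPort(requested, parseLoopbackRedirectUri(registeredRedirectUri))) {
				return; // a loopback URI is registered for this client and only the port differs
			}
		}
		OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST,
				"OAuth 2.0 Parameter: redirect_uri", null);
		// The Authentication argument is null on purpose: the authorization server renders the
		// error itself instead of redirecting the user agent to a redirect_uri that failed validation
		throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
	}

	// Returns the parsed URI if it is absolute, has no fragment and its host is a loopback host; otherwise null
	static URI parseLoopbackRedirectUri(String value) {
		if (value == null || value.isBlank()) {
			return null;
		}
		URI uri;
		try {
			uri = new URI(value);
		}
		catch (URISyntaxException ex) {
			return null;
		}
		if (!uri.isAbsolute() || uri.getHost() == null || uri.getFragment() != null) {
			return null;
		}
		return LOOPBACK_HOSTS.contains(normalizeHost(uri.getHost())) ? uri : null;
	}

	// Same scheme, same loopback host, same path and query; the port is the only part allowed to differ
	static boolean matchesIgnoringPort(URI requested, URI registered) {
		if (registered == null) {
			return false;
		}
		return requested.getScheme().equalsIgnoreCase(registered.getScheme())
				&& normalizeHost(requested.getHost()).equals(normalizeHost(registered.getHost()))
				&& requested.getPath().equals(registered.getPath())
				&& Objects.equals(requested.getQuery(), registered.getQuery());
	}

	private static String normalizeHost(String host) {
		// java.net.URI reports IPv6 literals in brackets, for example "[::1]"
		String h = host.toLowerCase(Locale.ROOT);
		return (h.startsWith("[") && h.endsWith("]")) ? h.substring(1, h.length() - 1) : h;
	}

}
```

Because the relaxation applies only when a loopback URI is actually registered for the client, a client registered with https redirect URIs only gets no change in behaviour.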

OAuth2 Device Authorization Endpoint

OAuth2DeviceAuthorizationEndpointConfigurer provides the ability to customize the OAuth2 Device Authorization endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 device authorization requests.

OAuth2DeviceAuthorizationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.deviceAuthorizationEndpoint(deviceAuthorizationEndpoint ->
                    deviceAuthorizationEndpoint
                        .deviceAuthorizationRequestConverter(deviceAuthorizationRequestConverter)   (1)
                        .deviceAuthorizationRequestConverters(deviceAuthorizationRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .deviceAuthorizationResponseHandler(deviceAuthorizationResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                        .verificationUri("/oauth2/v1/device_verification")  (7)
				)
		);

	return http.build();
}
1 deviceAuthorizationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 device authorization request from HttpServletRequest to an instance of OAuth2DeviceAuthorizationRequestAuthenticationToken.
2 deviceAuthorizationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2DeviceAuthorizationRequestAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
5 deviceAuthorizationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2DeviceAuthorizationRequestAuthenticationToken and returning the OAuth2DeviceAuthorizationResponse.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.
7 verificationUri(): The URI of the custom end-user verification page to direct resource owners to on a secondary device.

OAuth2DeviceAuthorizationEndpointConfigurer configures the OAuth2DeviceAuthorizationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2DeviceAuthorizationEndpointFilter is the Filter that processes OAuth2 device authorization requests.

OAuth2DeviceAuthorizationEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — An OAuth2DeviceAuthorizationRequestAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2DeviceAuthorizationRequestAuthenticationProvider.

  • AuthenticationSuccessHandler — An internal implementation that handles an "authenticated" OAuth2DeviceAuthorizationRequestAuthenticationToken and returns the OAuth2DeviceAuthorizationResponse.

  • AuthenticationFailureHandler — An OAuth2ErrorAuthenticationFailureHandler.

OAuth2 Device Verification Endpoint

OAuth2DeviceVerificationEndpointConfigurer provides the ability to customize the OAuth2 Device Verification endpoint (or "user interaction"). It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 device verification requests.

OAuth2DeviceVerificationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.deviceVerificationEndpoint(deviceVerificationEndpoint ->
                    deviceVerificationEndpoint
                        .deviceVerificationRequestConverter(deviceVerificationRequestConverter) (1)
                        .deviceVerificationRequestConverters(deviceVerificationRequestConvertersConsumer)   (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .deviceVerificationResponseHandler(deviceVerificationResponseHandler)   (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                        .consentPage("/oauth2/v1/consent")  (7)
				)
		);

	return http.build();
}
1 deviceVerificationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 device verification request (or consent) from HttpServletRequest to an instance of OAuth2DeviceVerificationAuthenticationToken or OAuth2DeviceAuthorizationConsentAuthenticationToken.
2 deviceVerificationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2DeviceVerificationAuthenticationToken or OAuth2DeviceAuthorizationConsentAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
5 deviceVerificationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2DeviceVerificationAuthenticationToken and directing the resource owner back to their device.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the error response.
7 consentPage(): The URI of the custom consent page to redirect resource owners to if consent is required during the device verification request flow.

OAuth2DeviceVerificationEndpointConfigurer configures the OAuth2DeviceVerificationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2DeviceVerificationEndpointFilter is the Filter that processes OAuth2 device verification requests (and consents).

OAuth2DeviceVerificationEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — A DelegatingAuthenticationConverter composed of OAuth2DeviceVerificationAuthenticationConverter and OAuth2DeviceAuthorizationConsentAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2DeviceVerificationAuthenticationProvider and OAuth2DeviceAuthorizationConsentAuthenticationProvider.

  • AuthenticationSuccessHandler — A SimpleUrlAuthenticationSuccessHandler that handles an "authenticated" OAuth2DeviceVerificationAuthenticationToken and redirects the user to a success page (/?success).

  • AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.

OAuth2 Token Endpoint

OAuth2TokenEndpointConfigurer provides the ability to customize the OAuth2 Token endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 access token requests.

OAuth2TokenEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.tokenEndpoint(tokenEndpoint ->
                    tokenEndpoint
                        .accessTokenRequestConverter(accessTokenRequestConverter)   (1)
                        .accessTokenRequestConverters(accessTokenRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .accessTokenResponseHandler(accessTokenResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
				)
		);

	return http.build();
}
1 accessTokenRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 access token request from HttpServletRequest to an instance of OAuth2AuthorizationGrantAuthenticationToken.
2 accessTokenRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2AuthorizationGrantAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
5 accessTokenResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an OAuth2AccessTokenAuthenticationToken and returning the OAuth2AccessTokenResponse.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.

OAuth2TokenEndpointConfigurer configures the OAuth2TokenEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenEndpointFilter is the Filter that processes OAuth2 access token requests.

The supported authorization grant types are authorization_code, refresh_token, client_credentials, urn:ietf:params:oauth:grant-type:device_code, and urn:ietf:params:oauth:grant-type:token-exchange.

OAuth2TokenEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — A DelegatingAuthenticationConverter composed of OAuth2AuthorizationCodeAuthenticationConverter, OAuth2RefreshTokenAuthenticationConverter, OAuth2ClientCredentialsAuthenticationConverter, OAuth2DeviceCodeAuthenticationConverter, and OAuth2TokenExchangeAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2AuthorizationCodeAuthenticationProvider, OAuth2RefreshTokenAuthenticationProvider, OAuth2ClientCredentialsAuthenticationProvider, OAuth2DeviceCodeAuthenticationProvider, and OAuth2TokenExchangeAuthenticationProvider.

  • AuthenticationSuccessHandler — An OAuth2AccessTokenResponseAuthenticationSuccessHandler.

  • AuthenticationFailureHandler — An OAuth2ErrorAuthenticationFailureHandler.

Customizing Client Credentials Grant Request Validation

OAuth2ClientCredentialsAuthenticationValidator is the default validator used for validating specific OAuth2 client credentials grant request parameters. The default implementation validates the scope parameter. If validation fails, an OAuth2AuthenticationException is thrown.

OAuth2ClientCredentialsAuthenticationProvider provides the ability to override the default client credentials grant request validation by supplying a custom authentication validator of type Consumer<OAuth2ClientCredentialsAuthenticationContext> to setAuthenticationValidator().

OAuth2ClientCredentialsAuthenticationContext holds the OAuth2ClientCredentialsAuthenticationToken, which contains the OAuth2 client credentials grant request parameters.
If validation fails, the authentication validator must throw an OAuth2AuthenticationException.

The following example shows how to configure OAuth2ClientCredentialsAuthenticationProvider with a custom authentication validator that overrides the default scope validation:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.tokenEndpoint(tokenEndpoint ->
                    tokenEndpoint
                        .authenticationProviders(configureAuthenticationValidator())
				)
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
		authenticationProviders.forEach((authenticationProvider) -> {
			if (authenticationProvider instanceof OAuth2ClientCredentialsAuthenticationProvider) {
				Consumer<OAuth2ClientCredentialsAuthenticationContext> authenticationValidator =
					new CustomScopeValidator();

				// Override default scope validation
				((OAuth2ClientCredentialsAuthenticationProvider) authenticationProvider)
					.setAuthenticationValidator(authenticationValidator);
			}
		});
}

static class CustomScopeValidator implements Consumer<OAuth2ClientCredentialsAuthenticationContext> {

	@Override
	public void accept(OAuth2ClientCredentialsAuthenticationContext authenticationContext) {
		OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
			authenticationContext.getAuthentication();

		Set<String> requestedScopes = clientCredentialsAuthentication.getScopes();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
		Set<String> allowedScopes = registeredClient.getScopes();

		// Scope validation: every requested scope must be registered for the client;
		// reject the request with invalid_scope if any requested scope is not allowed
		for (String requestedScope : requestedScopes) {
			if (!allowedScopes.contains(requestedScope)) {
				OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE,
					"OAuth 2.0 Parameter: scope", null);
				throw new OAuth2AuthenticationException(error);
			}
		}
	}
}

DPoP-bound Access Tokens

RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) is a mechanism for sender-constraining access tokens.

The main goal of DPoP is to prevent unauthorized or illegitimate clients from using leaked or stolen access tokens, by binding an access token to a public key when it is issued by the authorization server and requiring the client to prove possession of the corresponding private key when using the access token at the resource server.

Access tokens that are sender-constrained via DPoP stand in contrast to the typical bearer token, which can be used by any client in possession of the access token.

DPoP introduces the concept of a DPoP proof, which is a JWT created by the client and sent as a header in an HTTP request. A client uses a DPoP proof to prove possession of the private key corresponding to a certain public key.

When a client initiates an access token request, it attaches a DPoP proof to the request in an HTTP header. The authorization server binds (sender-constrains) the access token to the public key associated in the DPoP proof.

When a client initiates a protected resource request, it again attaches a DPoP proof to the request in an HTTP header.

The resource server obtains information about the public key bound to the access token, either directly from the access token (JWT) or via the OAuth2 Token Introspection endpoint. The resource server then verifies that the public key bound to the access token matches the public key in the DPoP proof. It also verifies that the access token hash in the DPoP proof matches the access token in the request.

DPoP Access Token Request

To request an access token that is bound to a public key using DPoP, the client must provide a valid DPoP proof in the DPoP header when making an access token request to the authorization server. This applies to all access token requests regardless of authorization grant type (for example, authorization_code, refresh_token, client_credentials, and so on).

The following HTTP request shows an authorization_code access token request with a DPoP proof in the DPoP header:

POST /oauth2/token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
DPoP: eyJraWQiOiJyc2EtandrLWtpZCIsInR5cCI6ImRwb3Arand0IiwiYWxnIjoiUlMyNTYiLCJqd2siOnsia3R5IjoiUlNBIiwiZSI6IkFRQUIiLCJraWQiOiJyc2EtandrLWtpZCIsIm4iOiIzRmxxSnI1VFJza0lRSWdkRTNEZDdEOWxib1dkY1RVVDhhLWZKUjdNQXZRbTdYWE5vWWttM3Y3TVFMMU5ZdER2TDJsOENBbmMwV2RTVElOVTZJUnZjNUtxbzJRNGNzTlg5U0hPbUVmem9ST2pRcWFoRWN2ZTFqQlhsdW9DWGRZdVlweDRfMXRmUmdHNmlpNFVoeGg2aUk4cU5NSlFYLWZMZnFoYmZZZnhCUVZSUHl3QmtBYklQNHgxRUFzYkM2RlNObWtoQ3hpTU5xRWd4YUlwWThDMmtKZEpfWklWLVdXNG5vRGR6cEtxSGN3bUI4RnNydW1sVllfRE5WdlVTRElpcGlxOVBiUDRIOTlUWE4xbzc0Nm9SYU5hMDdycTFob0NnTVNTeS04NVNhZ0NveGxteUUtRC1vZjlTc01ZOE9sOXQwcmR6cG9iQnVoeUpfbzVkZnZqS3cifX0.eyJodG0iOiJQT1NUIiwiaHR1IjoiaHR0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20vb2F1dGgyL3Rva2VuIiwiaWF0IjoxNzQ2ODA2MzA1LCJqdGkiOiI0YjIzNDBkMi1hOTFmLTQwYTUtYmFhOS1kZDRlNWRlYWM4NjcifQ.wq8gJ_G6vpiEinfaY3WhereqCCLoeJOG8tnWBBAzRWx9F1KU5yAAWq-ZVCk_k07-h6DIqz2wgv6y9dVbNpRYwNwDUeik9qLRsC60M8YW7EFVyI3n_NpujLwzZeub_nDYMVnyn4ii0NaZrYHtoGXOlswQfS_-ET-jpC0XWm5nBZsCdUEXjOYtwaACC6Js-pyNwKmSLp5SKIk11jZUR5xIIopaQy521y9qJHhGRwzj8DQGsP7wMZ98UFL0E--1c-hh4rTy8PMeWCqRHdwjj_ry_eTe0DJFcxxYQdeL7-0_0CIO4Ayx5WHEpcUOIzBRoN32RsNpDZc-5slDNj9ku004DA

grant_type=authorization_code\
&client_id=s6BhdRkqt\
&code=SplxlOBeZQQYbYS6WxSbIA\
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb\
&code_verifier=bEaL42izcC-o-xBk0K2vuJ6U-y1p9r_wW2dFWIWgjz-

The following shows a representation of the DPoP proof JWT header and claims:

{
  "typ": "dpop+jwt",
  "alg": "RS256",
  "jwk": {
    "kty": "RSA",
    "e": "AQAB",
    "n": "3FlqJr5TRskIQIgdE3Dd7D9lboWdcTUT8a-fJR7MAvQm7XXNoYkm3v7MQL1NYtDvL2l8CAnc0WdSTINU6IRvc5Kqo2Q4csNX9SHOmEfzoROjQqahEcve1jBXluoCXdYuYpx4_1tfRgG6ii4Uhxh6iI8qNMJQX-fLfqhbfYfxBQVRPywBkAbIP4x1EAsbC6FSNmkhCxiMNqEgxaIpY8C2kJdJ_ZIV-WW4noDdzpKqHcwmB8FsrumlVY_DNVvUSDIipiq9PbP4H99TXN1o746oRaNa07rq1hoCgMSSy-85SagCoxlmyE-D-of9SsMY8Ol9t0rdzpobBuhyJ_o5dfvjKw"
  }
}
{
  "htm": "POST",
  "htu": "https://server.example.com/oauth2/token",
  "iat": 1746806305,
  "jti": "4b2340d2-a91f-40a5-baa9-dd4e5deac867"
}

The following code shows an example of how to generate the DPoP proof JWT:

RSAKey rsaKey = ...
JWKSource<SecurityContext> jwkSource = (jwkSelector, securityContext) -> jwkSelector
		.select(new JWKSet(rsaKey));
NimbusJwtEncoder jwtEncoder = new NimbusJwtEncoder(jwkSource);

JwsHeader jwsHeader = JwsHeader.with(SignatureAlgorithm.RS256)
		.type("dpop+jwt")
		.jwk(rsaKey.toPublicJWK().toJSONObject())
		.build();
JwtClaimsSet claims = JwtClaimsSet.builder()
		.issuedAt(Instant.now())
		.claim("htm", "POST")
		.claim("htu", "https://server.example.com/oauth2/token")
		.id(UUID.randomUUID().toString())
		.build();

Jwt dPoPProof = jwtEncoder.encode(JwtEncoderParameters.from(jwsHeader, claims));

After the authorization server successfully validates the DPoP proof, the public key from the DPoP proof is bound (sender-constrained) to the issued access token.

The following access token response shows the token_type parameter set to DPoP, signalling to the client that the access token is bound to its DPoP proof public key:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
 "access_token": "Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU",
 "token_type": "DPoP",
 "expires_in": 2677
}

Public Key Confirmation

Resource servers must be able to identify whether an access token is DPoP-bound and verify the binding to the public key of the DPoP proof. The binding is accomplished by associating the public key with the access token in a way that is accessible to the resource server, such as embedding the public key hash in the access token directly (JWT) or exposing it through token introspection.

When the access token is represented as a JWT, the public key hash is contained in the jkt claim under the confirmation method (cnf) claim.

The following example shows the claims of an access token containing a cnf claim with a jkt claim, which is the JWK SHA-256 Thumbprint of the DPoP proof public key:

{
  "sub":"[email protected]",
  "iss":"https://server.example.com",
  "nbf":1562262611,
  "exp":1562266216,
  "cnf":
  {
    "jkt":"CQMknzRoZ5YUi7vS58jck1q8TmZT8wiIiXrCN1Ny4VU"
  }
}
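The checks the resource server performs, as described in the DPoP overview above and in this section, can be spelled out as follows. This is an added example written for this page using the same Nimbus JOSE library as the proof-generation snippet; it is not Spring Security's own DPoP implementation. It assumes the caller has already validated the access token itself (signature, issuer, expiry) and passes its claims in, the class name and the five-minute acceptance window are this example's own choices, and ath is the access token hash claim defined by RFC 9449.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

// Hypothetical resource-server-side verification of a DPoP-bound request (illustration only)
public final class DPoPBindingCheck {

	// How old a proof may be before it is rejected; an assumption of this example
	private static final Duration MAX_PROOF_AGE = Duration.ofMinutes(5);

	// Verifies the DPoP header value against the request (method + URI) and the presented access
	// token, and confirms the proof key matches cnf.jkt. Returns the confirmed JWK thumbprint.
	public static String verify(String dPoPHeader, String httpMethod, String httpUri,
			String accessToken, JWTClaimsSet accessTokenClaims) throws Exception {
		SignedJWT proof = SignedJWT.parse(dPoPHeader);
		JWSHeader header = proof.getHeader();

		// 1. Header: typ must be dpop+jwt, alg must be asymmetric (never none or HMAC),
		//    and the embedded jwk must be a public key only
		if (!new JOSEObjectType("dpop+jwt").equals(header.getType())) {
			throw new SecurityException("DPoP proof typ is not dpop+jwt");
		}
		JWSAlgorithm alg = header.getAlgorithm();
		if (!JWSAlgorithm.Family.RSA.contains(alg) && !JWSAlgorithm.Family.EC.contains(alg)) {
			throw new SecurityException("DPoP proof alg is not an asymmetric signature algorithm");
		}
		JWK jwk = header.getJWK();
		if (jwk == null || jwk.isPrivate()) {
			throw new SecurityException("DPoP proof must carry a public JWK in its header");
		}

		// 2. Signature: the proof must verify with the key carried in its own header
		JWSVerifier verifier;
		if (jwk instanceof RSAKey) {
			verifier = new RSASSAVerifier((RSAKey) jwk);
		}
		else if (jwk instanceof ECKey) {
			verifier = new ECDSAVerifier((ECKey) jwk);
		}
		else {
			throw new SecurityException("unsupported DPoP proof key type");
		}
		if (!proof.verify(verifier)) {
			throw new SecurityException("DPoP proof signature is invalid");
		}

		// 3. Claims: htm/htu must match the actual request, iat must be recent, jti must be present
		//    (a real deployment also records jti for the acceptance window to detect replay)
		JWTClaimsSet claims = proof.getJWTClaimsSet();
		if (!httpMethod.equals(claims.getStringClaim("htm")) || !httpUri.equals(claims.getStringClaim("htu"))) {
			throw new SecurityException("DPoP proof htm/htu do not match the request");
		}
		if (claims.getIssueTime() == null || Duration.between(claims.getIssueTime().toInstant(), Instant.now())
				.abs().compareTo(MAX_PROOF_AGE) > 0) {
			throw new SecurityException("DPoP proof iat is missing or outside the acceptance window");
		}
		if (claims.getJWTID() == null) {
			throw new SecurityException("DPoP proof jti is missing");
		}

		// 4. Access token hash: ath = base64url(SHA-256(access_token)) ties this proof to this token
		if (!sha256Base64Url(accessToken).equals(claims.getStringClaim("ath"))) {
			throw new SecurityException("DPoP proof ath does not match the presented access token");
		}

		// 5. Public key confirmation: the JWK thumbprint (RFC 7638) of the proof key must equal cnf.jkt
		Map<String, Object> cnf = accessTokenClaims.getJSONObjectClaim("cnf");
		Object jkt = (cnf != null) ? cnf.get("jkt") : null;
		String proofThumbprint = jwk.computeThumbprint().toString();
		if (!proofThumbprint.equals(jkt)) {
			throw new SecurityException("access token is not bound to the DPoP proof public key");
		}
		return proofThumbprint;
	}

	static String sha256Base64Url(String value) throws NoSuchAlgorithmException {
		byte[] digest = MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.US_ASCII));
		return Base64URL.encode(digest).toString();
	}

}
```

Step 5 is the only one that needs the access token's own claims; with an opaque access token the same jkt value would come from the introspection response instead.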

OAuth2 Token Introspection Endpoint

OAuth2TokenIntrospectionEndpointConfigurer provides the ability to customize the OAuth2 Token Introspection endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 introspection requests.

OAuth2TokenIntrospectionEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.tokenIntrospectionEndpoint(tokenIntrospectionEndpoint ->
                    tokenIntrospectionEndpoint
                        .introspectionRequestConverter(introspectionRequestConverter)   (1)
                        .introspectionRequestConverters(introspectionRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .introspectionResponseHandler(introspectionResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
				)
		);

	return http.build();
}
1 introspectionRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 introspection request from HttpServletRequest to an instance of OAuth2TokenIntrospectionAuthenticationToken.
2 introspectionRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2TokenIntrospectionAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
5 introspectionResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2TokenIntrospectionAuthenticationToken and returning the OAuth2TokenIntrospection response.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.

OAuth2TokenIntrospectionEndpointConfigurer configures the OAuth2TokenIntrospectionEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenIntrospectionEndpointFilter is the Filter that processes OAuth2 introspection requests.

OAuth2TokenIntrospectionEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — An OAuth2TokenIntrospectionAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2TokenIntrospectionAuthenticationProvider.

  • AuthenticationSuccessHandler — An internal implementation that handles an "authenticated" OAuth2TokenIntrospectionAuthenticationToken and returns the OAuth2TokenIntrospection response.

  • AuthenticationFailureHandler — An OAuth2ErrorAuthenticationFailureHandler.

OAuth2 Token Revocation Endpoint

OAuth2TokenRevocationEndpointConfigurer provides the ability to customize the OAuth2 Token Revocation endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 revocation requests.

OAuth2TokenRevocationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.tokenRevocationEndpoint(tokenRevocationEndpoint ->
                    tokenRevocationEndpoint
                        .revocationRequestConverter(revocationRequestConverter) (1)
                        .revocationRequestConverters(revocationRequestConvertersConsumer)   (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer)   (4)
                        .revocationResponseHandler(revocationResponseHandler)   (5)
                        .errorResponseHandler(errorResponseHandler) (6)
				)
		);

	return http.build();
}
1 revocationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract a revocation request from HttpServletRequest to an instance of OAuth2TokenRevocationAuthenticationToken.
2 revocationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2TokenRevocationAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
5 revocationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2TokenRevocationAuthenticationToken and returning the OAuth2 revocation response.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.

OAuth2TokenRevocationEndpointConfigurer configures the OAuth2TokenRevocationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenRevocationEndpointFilter is the Filter that processes OAuth2 revocation requests.

OAuth2TokenRevocationEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — an OAuth2TokenRevocationAuthenticationConverter.

  • AuthenticationManager — an AuthenticationManager composed of OAuth2TokenRevocationAuthenticationProvider.

  • AuthenticationSuccessHandler — an internal implementation that handles an "authenticated" OAuth2TokenRevocationAuthenticationToken and returns the OAuth2 revocation response.

  • AuthenticationFailureHandler — an OAuth2ErrorAuthenticationFailureHandler.

OAuth2 Authorization Server Metadata Endpoint

OAuth2AuthorizationServerMetadataEndpointConfigurer provides the ability to customize the OAuth2 authorization server metadata endpoint. It defines an extension point that lets you customize the OAuth2 authorization server metadata response.

OAuth2AuthorizationServerMetadataEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
				.authorizationServerMetadataEndpoint(authorizationServerMetadataEndpoint ->
                    authorizationServerMetadataEndpoint
                        .authorizationServerMetadataCustomizer(authorizationServerMetadataCustomizer)   (1)
				)
		);

	return http.build();
}
1 authorizationServerMetadataCustomizer(): The Consumer providing access to the OAuth2AuthorizationServerMetadata.Builder, allowing the ability to customize the claims of the authorization server's configuration.

OAuth2AuthorizationServerMetadataEndpointConfigurer configures the OAuth2AuthorizationServerMetadataEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2AuthorizationServerMetadataEndpointFilter is the Filter that returns the OAuth2AuthorizationServerMetadata response.

JWK Set Endpoint

OAuth2AuthorizationServerConfigurer provides support for the JWK Set endpoint.

OAuth2AuthorizationServerConfigurer configures the NimbusJwkSetEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. NimbusJwkSetEndpointFilter is the Filter that returns the JWK Set.

The JWK Set endpoint is configured only if a JWKSource<SecurityContext> @Bean is registered.

OpenID Connect 1.0 Provider Configuration Endpoint

OidcProviderConfigurationEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 provider configuration endpoint. It defines an extension point that lets you customize the OpenID Provider Configuration response.

OidcProviderConfigurationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .providerConfigurationEndpoint(providerConfigurationEndpoint ->
                            providerConfigurationEndpoint
                                .providerConfigurationCustomizer(providerConfigurationCustomizer)   (1)
                        )
                )
		);

	return http.build();
}
1 providerConfigurationCustomizer(): The Consumer providing access to the OidcProviderConfiguration.Builder, allowing the ability to customize the claims of the OpenID Provider's configuration.

OidcProviderConfigurationEndpointConfigurer configures the OidcProviderConfigurationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcProviderConfigurationEndpointFilter is the Filter that returns the OidcProviderConfiguration response.

OpenID Connect 1.0 Logout Endpoint

OidcLogoutEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 logout endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for RP-Initiated Logout requests.

OidcLogoutEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .logoutEndpoint(logoutEndpoint ->
                            logoutEndpoint
                                .logoutRequestConverter(logoutRequestConverter) (1)
                                .logoutRequestConverters(logoutRequestConvertersConsumer)   (2)
                                .authenticationProvider(authenticationProvider) (3)
                                .authenticationProviders(authenticationProvidersConsumer)   (4)
                                .logoutResponseHandler(logoutResponseHandler)   (5)
                                .errorResponseHandler(errorResponseHandler) (6)
                        )
                )
		);

	return http.build();
}
1 logoutRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract a logout request from HttpServletRequest to an instance of OidcLogoutAuthenticationToken.
2 logoutRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OidcLogoutAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
5 logoutResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OidcLogoutAuthenticationToken and performing the logout.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the error response.

OidcLogoutEndpointConfigurer configures the OidcLogoutEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcLogoutEndpointFilter is the Filter that processes RP-Initiated Logout requests and performs the logout of the End-User.

OidcLogoutEndpointFilter is configured with the following defaults:

OidcLogoutAuthenticationProvider uses a SessionRegistry to look up the SessionInformation instance associated with the End-User requesting to log out.
OidcClientInitiatedLogoutSuccessHandler is the corresponding configuration in Spring Security's OAuth2 Client support for configuring OpenID Connect 1.0 RP-Initiated Logout.

Customizing Logout Request Validation

OidcLogoutAuthenticationValidator is the default validator used for validating specific OpenID Connect RP-Initiated Logout request parameters. The default implementation validates the post_logout_redirect_uri parameter. If validation fails, an OAuth2AuthenticationException is thrown.

OidcLogoutAuthenticationProvider provides the ability to override the default logout request validation by supplying a custom authentication validator of type Consumer<OidcLogoutAuthenticationContext> to setAuthenticationValidator().

OidcLogoutAuthenticationContext holds the OidcLogoutAuthenticationToken, which contains the logout request parameters.
If validation fails, the authentication validator must throw OAuth2AuthenticationException.

The following example shows how to configure OidcLogoutAuthenticationProvider with a custom authentication validator:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .logoutEndpoint(logoutEndpoint ->
                            logoutEndpoint
                                .authenticationProviders(configureAuthenticationValidator())
                        )
                )
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
			authenticationProviders.forEach((authenticationProvider) -> {
				if (authenticationProvider instanceof OidcLogoutAuthenticationProvider oidcLogoutAuthenticationProvider) {
					Consumer<OidcLogoutAuthenticationContext> authenticationValidator = new CustomPostLogoutRedirectUriValidator();
					oidcLogoutAuthenticationProvider.setAuthenticationValidator(authenticationValidator);
				}
			});
}

static class CustomPostLogoutRedirectUriValidator implements Consumer<OidcLogoutAuthenticationContext> {

	@Override
	public void accept(OidcLogoutAuthenticationContext authenticationContext) {
		OidcLogoutAuthenticationToken oidcLogoutAuthentication =
				authenticationContext.getAuthentication();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();

		// TODO

	}
}
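A complete validator of the kind the TODO above leaves open, added here as an example and not taken from the reference documentation: it accepts a post_logout_redirect_uri only when it parses, carries no fragment, and exactly matches one of the client's registered post-logout redirect URIs. It uses only the OidcLogoutAuthenticationContext and RegisteredClient accessors shown in the example above.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.function.Consumer;

import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcLogoutAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcLogoutAuthenticationToken;
import org.springframework.util.StringUtils;

// Added example (not part of the reference documentation): a strict validator for the
// optional post_logout_redirect_uri parameter. Install it through setAuthenticationValidator()
// exactly as configureAuthenticationValidator() above does.
public class StrictPostLogoutRedirectUriValidator implements Consumer<OidcLogoutAuthenticationContext> {

	@Override
	public void accept(OidcLogoutAuthenticationContext context) {
		OidcLogoutAuthenticationToken logoutAuthentication = context.getAuthentication();
		RegisteredClient registeredClient = context.getRegisteredClient();
		String postLogoutRedirectUri = logoutAuthentication.getPostLogoutRedirectUri();

		// The parameter is optional: nothing to validate when the RP did not send it.
		if (!StringUtils.hasText(postLogoutRedirectUri)) {
			return;
		}
		URI uri;
		try {
			uri = new URI(postLogoutRedirectUri);
		} catch (URISyntaxException ex) {
			throw invalidRequest("post_logout_redirect_uri is not a valid URI");
		}
		// A fragment can never be part of a registered URI, so reject it outright.
		if (uri.getRawFragment() != null) {
			throw invalidRequest("post_logout_redirect_uri must not contain a fragment");
		}
		// Exact match against the client's registered URIs: no prefix or wildcard matching.
		if (registeredClient == null
				|| !registeredClient.getPostLogoutRedirectUris().contains(postLogoutRedirectUri)) {
			throw invalidRequest("post_logout_redirect_uri is not registered for the client");
		}
	}

	// Surfaces the failure as an OAuth2AuthenticationException, which the endpoint's
	// AuthenticationFailureHandler turns into the error response.
	private static OAuth2AuthenticationException invalidRequest(String description) {
		OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST, description, null);
		return new OAuth2AuthenticationException(error);
	}
}
```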

OpenID Connect 1.0 UserInfo Endpoint

OidcUserInfoEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 UserInfo endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for UserInfo requests.

OidcUserInfoEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .userInfoEndpoint(userInfoEndpoint ->
                            userInfoEndpoint
                                .userInfoRequestConverter(userInfoRequestConverter) (1)
                                .userInfoRequestConverters(userInfoRequestConvertersConsumer)   (2)
                                .authenticationProvider(authenticationProvider) (3)
                                .authenticationProviders(authenticationProvidersConsumer)   (4)
                                .userInfoResponseHandler(userInfoResponseHandler)   (5)
                                .errorResponseHandler(errorResponseHandler) (6)
                                .userInfoMapper(userInfoMapper) (7)
                        )
                )
		);

	return http.build();
}
1 userInfoRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract a UserInfo request from HttpServletRequest to an instance of OidcUserInfoAuthenticationToken.
2 userInfoRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OidcUserInfoAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
5 userInfoResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OidcUserInfoAuthenticationToken and returning the UserInfo response.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the UserInfo error response.
7 userInfoMapper(): The Function used to extract claims from OidcUserInfoAuthenticationContext to an instance of OidcUserInfo.

OidcUserInfoEndpointConfigurer configures the OidcUserInfoEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcUserInfoEndpointFilter is the Filter that processes UserInfo requests and returns the OidcUserInfo response.

OidcUserInfoEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — an internal implementation that obtains the Authentication from the SecurityContext and creates the OidcUserInfoAuthenticationToken with the principal.

  • AuthenticationManager — an AuthenticationManager composed of OidcUserInfoAuthenticationProvider, which is associated with an internal implementation of userInfoMapper that extracts standard claims from the ID Token based on the scopes requested during authorization.

  • AuthenticationSuccessHandler — an internal implementation that handles an "authenticated" OidcUserInfoAuthenticationToken and returns the OidcUserInfo response.

  • AuthenticationFailureHandler — an internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.

You can customize the ID Token by providing an OAuth2TokenCustomizer<JwtEncodingContext> @Bean.

The OpenID Connect 1.0 UserInfo endpoint is an OAuth2 protected resource, which requires an access token to be sent as a bearer token in the UserInfo request.

OAuth2 resource server support is autoconfigured, however, a JwtDecoder @Bean is required for the OpenID Connect 1.0 UserInfo endpoint.
The guide How-to: Customize the OpenID Connect 1.0 UserInfo response contains examples of customizing the UserInfo endpoint.

OpenID Connect 1.0 Client Registration Endpoint

OidcClientRegistrationEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 client registration endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for client registration requests and client read requests.

OidcClientRegistrationEndpointConfigurer provides the following configuration options:
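A userInfoMapper that releases claims only for the scopes granted on the access token presented to the UserInfo endpoint, added here as an example and not taken from the reference documentation or the how-to guide. UserDirectory and its UserRecord are hypothetical application types standing in for wherever user attributes are actually stored; the context accessors used are the ones the option list above describes.

```java
import java.util.Set;
import java.util.function.Function;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationToken;

// Added example (not project code): a userInfoMapper that gates every claim except "sub"
// on the scopes actually present in the access token, so a token issued for "openid" alone
// cannot read profile or email attributes. Register it with userInfoMapper(...) as shown above.
public class ScopeGatedUserInfoMapper implements Function<OidcUserInfoAuthenticationContext, OidcUserInfo> {

	private final UserDirectory userDirectory; // hypothetical application service

	public ScopeGatedUserInfoMapper(UserDirectory userDirectory) {
		this.userDirectory = userDirectory;
	}

	@Override
	public OidcUserInfo apply(OidcUserInfoAuthenticationContext context) {
		OidcUserInfoAuthenticationToken userInfoAuthentication = context.getAuthentication();
		// The principal is the resource-server Authentication established for the bearer token;
		// its name is the subject identifier of the authenticated End-User.
		Authentication principal = (Authentication) userInfoAuthentication.getPrincipal();
		String subject = principal.getName();

		// Decide on the scopes of the token that was presented, not on anything the RP claims.
		OAuth2AccessToken accessToken = context.getAccessToken();
		Set<String> scopes = accessToken.getScopes();

		UserDirectory.UserRecord user = this.userDirectory.findBySubject(subject);

		// "sub" is always returned; every other claim requires its scope.
		OidcUserInfo.Builder builder = OidcUserInfo.builder().subject(subject);
		if (scopes.contains("profile")) {
			builder.name(user.displayName()).preferredUsername(user.username());
		}
		if (scopes.contains("email")) {
			builder.email(user.email()).emailVerified(user.emailVerified());
		}
		return builder.build();
	}

	// Hypothetical lookup of user attributes by subject identifier.
	public interface UserDirectory {
		UserRecord findBySubject(String subject);

		record UserRecord(String username, String displayName, String email, boolean emailVerified) {
		}
	}
}
```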

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
			OAuth2AuthorizationServerConfigurer.authorizationServer();

	http
		.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
		.with(authorizationServerConfigurer, (authorizationServer) ->
			authorizationServer
                .oidc(oidc ->
                    oidc
                        .clientRegistrationEndpoint(clientRegistrationEndpoint ->
                            clientRegistrationEndpoint
                                .clientRegistrationRequestConverter(clientRegistrationRequestConverter) (1)
                                .clientRegistrationRequestConverters(clientRegistrationRequestConvertersConsumers)  (2)
                                .authenticationProvider(authenticationProvider) (3)
                                .authenticationProviders(authenticationProvidersConsumer)   (4)
                                .clientRegistrationResponseHandler(clientRegistrationResponseHandler)   (5)
                                .errorResponseHandler(errorResponseHandler) (6)
                        )
                )
		);

	return http.build();
}
1 clientRegistrationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract a client registration request or client read request from HttpServletRequest to an instance of OidcClientRegistrationAuthenticationToken.
2 clientRegistrationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverter's, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
3 authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OidcClientRegistrationAuthenticationToken.
4 authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProvider's, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
5 clientRegistrationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OidcClientRegistrationAuthenticationToken and returning the client registration response or client read response.
6 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the client registration error response or client read error response.

The OpenID Connect 1.0 client registration endpoint is disabled by default because many deployments do not require dynamic client registration.

OidcClientRegistrationEndpointConfigurer configures the OidcClientRegistrationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcClientRegistrationEndpointFilter is the Filter that processes client registration requests and returns the OidcClientRegistration response.

OidcClientRegistrationEndpointFilter also processes client read requests and returns the OidcClientRegistration response.

OidcClientRegistrationEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — an OidcClientRegistrationAuthenticationConverter.

  • AuthenticationManager — an AuthenticationManager composed of OidcClientRegistrationAuthenticationProvider and OidcClientConfigurationAuthenticationProvider.

  • AuthenticationSuccessHandler — an internal implementation that handles an "authenticated" OidcClientRegistrationAuthenticationToken and returns the OidcClientRegistration response.

  • AuthenticationFailureHandler — an internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.

The OpenID Connect 1.0 client registration endpoint is an OAuth2 protected resource, which requires an access token to be sent as a bearer token in the client registration (or client read) request.

OAuth2 resource server support is autoconfigured, however, a JwtDecoder @Bean is required for the OpenID Connect 1.0 client registration endpoint.
The access token in a client registration request requires the OAuth2 scope client.create.
The access token in a client read request requires the OAuth2 scope client.read.