|
此版本仍在开发中,尚未被视为稳定版本。对于最新的稳定版本,请使用 Spring Security 6.5.0! |
测试 OAuth 2.0
当谈到 OAuth 2.0 时,前面介绍的相同原则仍然适用:最终,这取决于你被测试的方法在SecurityContextHolder.
请考虑以下控制器示例:
-
Java
-
Kotlin
@GetMapping("/endpoint")
public Mono<String> foo(Principal user) {
return Mono.just(user.getName());
}@GetMapping("/endpoint")
fun foo(user: Principal): Mono<String> {
return Mono.just(user.name)
}它没有什么是 OAuth2 特定的,因此您可以用@WithMockUser并且没事。
但是,请考虑控制器绑定到 Spring Security 的 OAuth 2.0 支持的某些方面的情况:
-
Java
-
Kotlin
@GetMapping("/endpoint")
public Mono<String> foo(@AuthenticationPrincipal OidcUser user) {
return Mono.just(user.getIdToken().getSubject());
}@GetMapping("/endpoint")
fun foo(@AuthenticationPrincipal user: OidcUser): Mono<String> {
return Mono.just(user.idToken.subject)
}在这种情况下,Spring Security 的 test 支持很方便。
测试 OIDC 登录
使用WebTestClient需要使用授权服务器模拟某种类型的授权流。
这是一项艰巨的任务,这就是为什么 Spring Security 支持删除此样板的原因。
例如,我们可以告诉 Spring Security 包含一个默认的OidcUser通过使用SecurityMockServerConfigurers#oidcLogin方法:
-
Java
-
Kotlin
client
.mutateWith(mockOidcLogin()).get().uri("/endpoint").exchange();client
.mutateWith(mockOidcLogin())
.get().uri("/endpoint")
.exchange()该行将配置关联的MockServerRequest替换为OidcUser这包括一个简单的OidcIdToken一OidcUserInfo和Collection的授予权限。
具体来说,它包括一个OidcIdToken替换为subclaim 设置为user:
-
Java
-
Kotlin
assertThat(user.getIdToken().getClaim("sub")).isEqualTo("user");assertThat(user.idToken.getClaim<String>("sub")).isEqualTo("user")它还包括一个OidcUserInfo未设置索赔:
-
Java
-
Kotlin
assertThat(user.getUserInfo().getClaims()).isEmpty();assertThat(user.userInfo.claims).isEmpty()它还包括一个Collection只有一个授权的授权,SCOPE_read:
-
Java
-
Kotlin
assertThat(user.getAuthorities()).hasSize(1);
assertThat(user.getAuthorities()).containsExactly(new SimpleGrantedAuthority("SCOPE_read"));assertThat(user.authorities).hasSize(1)
assertThat(user.authorities).containsExactly(SimpleGrantedAuthority("SCOPE_read"))Spring Security 确保OidcUser实例可用于这@AuthenticationPrincipal注解.
此外,它还将OidcUser更改为OAuth2AuthorizedClient它存入 mock 中ServerOAuth2AuthorizedClientRepository.
如果您的测试使用@RegisteredOAuth2AuthorizedClient注解..
配置权限
在许多情况下,您的方法受到过滤器或方法安全性的保护,并且需要您的Authentication以授予某些权限来允许该请求。
在这些情况下,您可以使用authorities()方法:
-
Java
-
Kotlin
client
.mutateWith(mockOidcLogin()
.authorities(new SimpleGrantedAuthority("SCOPE_message:read"))
)
.get().uri("/endpoint").exchange();client
.mutateWith(mockOidcLogin()
.authorities(SimpleGrantedAuthority("SCOPE_message:read"))
)
.get().uri("/endpoint").exchange()配置声明
虽然授予的权限在整个 Spring Security 中都是通用的,但我们在 OAuth 2.0 的情况下也有声明。
例如,假设您有一个user_id声明,该声明指示用户在系统中的 ID。
您可以在控制器中按如下方式访问它:
-
Java
-
Kotlin
@GetMapping("/endpoint")
public Mono<String> foo(@AuthenticationPrincipal OidcUser oidcUser) {
String userId = oidcUser.getIdToken().getClaim("user_id");
// ...
}@GetMapping("/endpoint")
fun foo(@AuthenticationPrincipal oidcUser: OidcUser): Mono<String> {
val userId = oidcUser.idToken.getClaim<String>("user_id")
// ...
}在这种情况下,您可以使用idToken()方法:
-
Java
-
Kotlin
client
.mutateWith(mockOidcLogin()
.idToken(token -> token.claim("user_id", "1234"))
)
.get().uri("/endpoint").exchange();client
.mutateWith(mockOidcLogin()
.idToken { token -> token.claim("user_id", "1234") }
)
.get().uri("/endpoint").exchange()这之所以有效,是因为OidcUser从OidcIdToken.
其他配置
还有其他方法可以进一步配置身份验证,具体取决于控制器所需的数据:
-
userInfo(OidcUserInfo.Builder):配置OidcUserInfo实例 -
clientRegistration(ClientRegistration):配置关联的OAuth2AuthorizedClient使用给定的ClientRegistration -
oidcUser(OidcUser):配置完整的OidcUser实例
如果您满足以下条件,最后一个选项很方便:
* 拥有自己的OidcUser或
* 需要更改 name 属性
例如,假设您的授权服务器在user_nameclaim 而不是sub索赔。
在这种情况下,您可以配置OidcUser手工:
-
Java
-
Kotlin
OidcUser oidcUser = new DefaultOidcUser(
AuthorityUtils.createAuthorityList("SCOPE_message:read"),
OidcIdToken.withTokenValue("id-token").claim("user_name", "foo_user").build(),
"user_name");
client
.mutateWith(mockOidcLogin().oidcUser(oidcUser))
.get().uri("/endpoint").exchange();val oidcUser: OidcUser = DefaultOidcUser(
AuthorityUtils.createAuthorityList("SCOPE_message:read"),
OidcIdToken.withTokenValue("id-token").claim("user_name", "foo_user").build(),
"user_name"
)
client
.mutateWith(mockOidcLogin().oidcUser(oidcUser))
.get().uri("/endpoint").exchange()测试 OAuth 2.0 登录
与测试 OIDC 登录一样,测试 OAuth 2.0 登录也存在类似的挑战:模拟授权流程。 因此, Spring Security 还具有对非 OIDC 用例的测试支持。
假设我们有一个控制器,它将登录用户作为OAuth2User:
-
Java
-
Kotlin
@GetMapping("/endpoint")
public Mono<String> foo(@AuthenticationPrincipal OAuth2User oauth2User) {
return Mono.just(oauth2User.getAttribute("sub"));
}@GetMapping("/endpoint")
fun foo(@AuthenticationPrincipal oauth2User: OAuth2User): Mono<String> {
return Mono.just(oauth2User.getAttribute("sub"))
}在这种情况下,我们可以告诉 Spring Security 包含一个默认的OAuth2User通过使用SecurityMockServerConfigurers#oauth2User方法:
-
Java
-
Kotlin
client
.mutateWith(mockOAuth2Login())
.get().uri("/endpoint").exchange();client
.mutateWith(mockOAuth2Login())
.get().uri("/endpoint").exchange()前面的示例配置关联的MockServerRequest替换为OAuth2User这包括一个简单的Mapof 属性和Collection的授予权限。
具体来说,它包括一个Map键/值对为sub/user:
-
Java
-
Kotlin
assertThat((String) user.getAttribute("sub")).isEqualTo("user");assertThat(user.getAttribute<String>("sub")).isEqualTo("user")它还包括一个Collection只有一个授权的授权,SCOPE_read:
-
Java
-
Kotlin
assertThat(user.getAuthorities()).hasSize(1);
assertThat(user.getAuthorities()).containsExactly(new SimpleGrantedAuthority("SCOPE_read"));assertThat(user.authorities).hasSize(1)
assertThat(user.authorities).containsExactly(SimpleGrantedAuthority("SCOPE_read"))Spring Security 执行必要的工作来确保OAuth2User实例可用于这@AuthenticationPrincipal注解.
此外,它还将OAuth2User更改为OAuth2AuthorizedClient它存放在 mock 中ServerOAuth2AuthorizedClientRepository.
如果您的测试使用@RegisteredOAuth2AuthorizedClient注解.
配置权限
在许多情况下,您的方法受到过滤器或方法安全性的保护,并且需要您的Authentication以授予某些权限来允许该请求。
在这种情况下,您可以使用authorities()方法:
-
Java
-
Kotlin
client
.mutateWith(mockOAuth2Login()
.authorities(new SimpleGrantedAuthority("SCOPE_message:read"))
)
.get().uri("/endpoint").exchange();client
.mutateWith(mockOAuth2Login()
.authorities(SimpleGrantedAuthority("SCOPE_message:read"))
)
.get().uri("/endpoint").exchange()配置声明
虽然授予权限在整个 Spring Security 中非常普遍,但我们在 OAuth 2.0 的情况下也有声明。
例如,假设您有一个user_id属性,该属性指示系统中的用户 ID。
您可以在控制器中按如下方式访问它:
-
Java
-
Kotlin
@GetMapping("/endpoint")
public Mono<String> foo(@AuthenticationPrincipal OAuth2User oauth2User) {
String userId = oauth2User.getAttribute("user_id");
// ...
}@GetMapping("/endpoint")
fun foo(@AuthenticationPrincipal oauth2User: OAuth2User): Mono<String> {
val userId = oauth2User.getAttribute<String>("user_id")
// ...
}在这种情况下,您可以使用attributes()方法:
-
Java
-
Kotlin
client
.mutateWith(mockOAuth2Login()
.attributes(attrs -> attrs.put("user_id", "1234"))
)
.get().uri("/endpoint").exchange();client
.mutateWith(mockOAuth2Login()
.attributes { attrs -> attrs["user_id"] = "1234" }
)
.get().uri("/endpoint").exchange()其他配置
还有其他方法可以进一步配置身份验证,具体取决于控制器所需的数据:
-
clientRegistration(ClientRegistration):配置关联的OAuth2AuthorizedClient使用给定的ClientRegistration -
oauth2User(OAuth2User):配置完整的OAuth2User实例
如果您满足以下条件,最后一个选项很方便:
* 拥有自己的OAuth2User或
* 需要更改 name 属性
例如,假设您的授权服务器在user_nameclaim 而不是sub索赔。
在这种情况下,您可以配置OAuth2User手工:
-
Java
-
Kotlin
OAuth2User oauth2User = new DefaultOAuth2User(
AuthorityUtils.createAuthorityList("SCOPE_message:read"),
Collections.singletonMap("user_name", "foo_user"),
"user_name");
client
.mutateWith(mockOAuth2Login().oauth2User(oauth2User))
.get().uri("/endpoint").exchange();val oauth2User: OAuth2User = DefaultOAuth2User(
AuthorityUtils.createAuthorityList("SCOPE_message:read"),
mapOf(Pair("user_name", "foo_user")),
"user_name"
)
client
.mutateWith(mockOAuth2Login().oauth2User(oauth2User))
.get().uri("/endpoint").exchange()测试 OAuth 2.0 客户端
无论您的用户如何进行身份验证,您可能还有其他Tokens和客户端注册可用于您正在测试的请求。 例如,您的控制器可能依赖客户端凭证授予来获取根本不与用户关联的Tokens:
-
Java
-
Kotlin
@GetMapping("/endpoint")
public Mono<String> foo(@RegisteredOAuth2AuthorizedClient("my-app") OAuth2AuthorizedClient authorizedClient) {
return this.webClient.get()
.attributes(oauth2AuthorizedClient(authorizedClient))
.retrieve()
.bodyToMono(String.class);
}import org.springframework.web.reactive.function.client.bodyToMono
// ...
@GetMapping("/endpoint")
fun foo(@RegisteredOAuth2AuthorizedClient("my-app") authorizedClient: OAuth2AuthorizedClient?): Mono<String> {
return this.webClient.get()
.attributes(oauth2AuthorizedClient(authorizedClient))
.retrieve()
.bodyToMono()
}Simulating this handshake with the authorization server can be cumbersome.
Instead, you can use SecurityMockServerConfigurers#oauth2Client to add a OAuth2AuthorizedClient to a mock ServerOAuth2AuthorizedClientRepository:
-
Java
-
Kotlin
client
.mutateWith(mockOAuth2Client("my-app"))
.get().uri("/endpoint").exchange();client
.mutateWith(mockOAuth2Client("my-app"))
.get().uri("/endpoint").exchange()这将创建一个OAuth2AuthorizedClient它有一个简单的ClientRegistration一个OAuth2AccessToken和资源所有者名称。
具体来说,它包括一个ClientRegistration客户端 ID 为test-client和客户端密钥test-secret:
-
Java
-
Kotlin
assertThat(authorizedClient.getClientRegistration().getClientId()).isEqualTo("test-client");
assertThat(authorizedClient.getClientRegistration().getClientSecret()).isEqualTo("test-secret");assertThat(authorizedClient.clientRegistration.clientId).isEqualTo("test-client")
assertThat(authorizedClient.clientRegistration.clientSecret).isEqualTo("test-secret")它还包括资源所有者名称user:
-
Java
-
Kotlin
assertThat(authorizedClient.getPrincipalName()).isEqualTo("user");assertThat(authorizedClient.principalName).isEqualTo("user")它还包括一个OAuth2AccessToken使用一个范围,read:
-
Java
-
Kotlin
assertThat(authorizedClient.getAccessToken().getScopes()).hasSize(1);
assertThat(authorizedClient.getAccessToken().getScopes()).containsExactly("read");assertThat(authorizedClient.accessToken.scopes).hasSize(1)
assertThat(authorizedClient.accessToken.scopes).containsExactly("read")然后,您可以像往常一样使用@RegisteredOAuth2AuthorizedClient在 Controller 方法中。
配置范围
在许多情况下,OAuth 2.0 访问Tokens附带一组范围。 请考虑以下控制器如何检查范围的示例:
-
Java
-
Kotlin
@GetMapping("/endpoint")
public Mono<String> foo(@RegisteredOAuth2AuthorizedClient("my-app") OAuth2AuthorizedClient authorizedClient) {
Set<String> scopes = authorizedClient.getAccessToken().getScopes();
if (scopes.contains("message:read")) {
return this.webClient.get()
.attributes(oauth2AuthorizedClient(authorizedClient))
.retrieve()
.bodyToMono(String.class);
}
// ...
}import org.springframework.web.reactive.function.client.bodyToMono
// ...
@GetMapping("/endpoint")
fun foo(@RegisteredOAuth2AuthorizedClient("my-app") authorizedClient: OAuth2AuthorizedClient): Mono<String> {
val scopes = authorizedClient.accessToken.scopes
if (scopes.contains("message:read")) {
return webClient.get()
.attributes(oauth2AuthorizedClient(authorizedClient))
.retrieve()
.bodyToMono()
}
// ...
}给定一个检查范围的控制器,你可以使用accessToken()方法:
-
Java
-
Kotlin
client
.mutateWith(mockOAuth2Client("my-app")
.accessToken(new OAuth2AccessToken(BEARER, "token", null, null, Collections.singleton("message:read")))
)
.get().uri("/endpoint").exchange();client
.mutateWith(mockOAuth2Client("my-app")
.accessToken(OAuth2AccessToken(BEARER, "token", null, null, setOf("message:read")))
)
.get().uri("/endpoint").exchange()其他配置
您还可以使用其他方法进一步配置身份验证,具体取决于控制器所需的数据:
-
principalName(String); Configures the resource owner name -
clientRegistration(Consumer<ClientRegistration.Builder>):配置关联的ClientRegistration -
clientRegistration(ClientRegistration):配置完整的ClientRegistration
如果您想使用真正的ClientRegistration
例如,假设您要使用应用程序的ClientRegistration定义,如application.yml.
在这种情况下,您的测试可以自动装配ReactiveClientRegistrationRepository并查找您的测试所需的 ID:
-
Java
-
Kotlin
@Autowired
ReactiveClientRegistrationRepository clientRegistrationRepository;
// ...
client
.mutateWith(mockOAuth2Client()
.clientRegistration(this.clientRegistrationRepository.findByRegistrationId("facebook").block())
)
.get().uri("/exchange").exchange();@Autowired
lateinit var clientRegistrationRepository: ReactiveClientRegistrationRepository
// ...
client
.mutateWith(mockOAuth2Client()
.clientRegistration(this.clientRegistrationRepository.findByRegistrationId("facebook").block())
)
.get().uri("/exchange").exchange()Testing JWT Authentication
To make an authorized request on a resource server, you need a bearer token. If your resource server is configured for JWTs, the bearer token needs to be signed and then encoded according to the JWT specification. All of this can be quite daunting, especially when this is not the focus of your test.
Fortunately, there are a number of simple ways in which you can overcome this difficulty and let your tests focus on authorization and not on representing bearer tokens. We look at two of them in the next two subsections.
mockJwt() WebTestClientConfigurer
The first way is with a WebTestClientConfigurer.
The simplest of these would be to use the SecurityMockServerConfigurers#mockJwt method like the following:
-
Java
-
Kotlin
client
.mutateWith(mockJwt()).get().uri("/endpoint").exchange();client
.mutateWith(mockJwt()).get().uri("/endpoint").exchange()This example creates a mock Jwt and passes it through any authentication APIs so that it is available for your authorization mechanisms to verify.
By default, the JWT that it creates has the following characteristics:
{
"headers" : { "alg" : "none" },
"claims" : {
"sub" : "user",
"scope" : "read"
}
}结果Jwt,将按以下方式通过:
-
Java
-
Kotlin
assertThat(jwt.getTokenValue()).isEqualTo("token");
assertThat(jwt.getHeaders().get("alg")).isEqualTo("none");
assertThat(jwt.getSubject()).isEqualTo("sub");assertThat(jwt.tokenValue).isEqualTo("token")
assertThat(jwt.headers["alg"]).isEqualTo("none")
assertThat(jwt.subject).isEqualTo("sub")请注意,您需要配置这些值。
您还可以使用其相应的方法配置任何标头或声明:
-
Java
-
Kotlin
client
.mutateWith(mockJwt().jwt(jwt -> jwt.header("kid", "one")
.claim("iss", "https://idp.example.org")))
.get().uri("/endpoint").exchange();client
.mutateWith(mockJwt().jwt { jwt -> jwt.header("kid", "one")
.claim("iss", "https://idp.example.org")
})
.get().uri("/endpoint").exchange()-
Java
-
Kotlin
client
.mutateWith(mockJwt().jwt(jwt -> jwt.claims(claims -> claims.remove("scope"))))
.get().uri("/endpoint").exchange();client
.mutateWith(mockJwt().jwt { jwt ->
jwt.claims { claims -> claims.remove("scope") }
})
.get().uri("/endpoint").exchange()这scope和scp此处声明的处理方式与普通 Bearer Token 请求中的处理方式相同。
但是,只需提供GrantedAuthority测试所需的实例:
-
Java
-
Kotlin
client
.mutateWith(mockJwt().authorities(new SimpleGrantedAuthority("SCOPE_messages")))
.get().uri("/endpoint").exchange();client
.mutateWith(mockJwt().authorities(SimpleGrantedAuthority("SCOPE_messages")))
.get().uri("/endpoint").exchange()或者,如果您有一个自定义的Jwt自Collection<GrantedAuthority>converter 中,你也可以使用它来派生 authorities:
-
Java
-
Kotlin
client
.mutateWith(mockJwt().authorities(new MyConverter()))
.get().uri("/endpoint").exchange();client
.mutateWith(mockJwt().authorities(MyConverter()))
.get().uri("/endpoint").exchange()您还可以指定完整的Jwt,其中Jwt.Builder相当得心应手:
-
Java
-
Kotlin
Jwt jwt = Jwt.withTokenValue("token")
.header("alg", "none")
.claim("sub", "user")
.claim("scope", "read")
.build();
client
.mutateWith(mockJwt().jwt(jwt))
.get().uri("/endpoint").exchange();val jwt: Jwt = Jwt.withTokenValue("token")
.header("alg", "none")
.claim("sub", "user")
.claim("scope", "read")
.build()
client
.mutateWith(mockJwt().jwt(jwt))
.get().uri("/endpoint").exchange()authentication()和WebTestClientConfigurer
第二种方法是使用authentication() Mutator.
您可以实例化自己的JwtAuthenticationToken并在您的测试中提供它:
-
Java
-
Kotlin
Jwt jwt = Jwt.withTokenValue("token")
.header("alg", "none")
.claim("sub", "user")
.build();
Collection<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("SCOPE_read");
JwtAuthenticationToken token = new JwtAuthenticationToken(jwt, authorities);
client
.mutateWith(mockAuthentication(token))
.get().uri("/endpoint").exchange();val jwt = Jwt.withTokenValue("token")
.header("alg", "none")
.claim("sub", "user")
.build()
val authorities: Collection<GrantedAuthority> = AuthorityUtils.createAuthorityList("SCOPE_read")
val token = JwtAuthenticationToken(jwt, authorities)
client
.mutateWith(mockAuthentication<JwtMutator>(token))
.get().uri("/endpoint").exchange()Note that, as an alternative to these, you can also mock the ReactiveJwtDecoder bean itself with a @MockBean annotation.
Testing Opaque Token Authentication
Similar to JWTs, opaque tokens require an authorization server in order to verify their validity, which can make testing more difficult. To help with that, Spring Security has test support for opaque tokens.
Suppose you have a controller that retrieves the authentication as a BearerTokenAuthentication:
-
Java
-
Kotlin
@GetMapping("/endpoint")
public Mono<String> foo(BearerTokenAuthentication authentication) {
return Mono.just((String) authentication.getTokenAttributes().get("sub"));
}@GetMapping("/endpoint")
fun foo(authentication: BearerTokenAuthentication): Mono<String?> {
return Mono.just(authentication.tokenAttributes["sub"] as String?)
}In that case, you can tell Spring Security to include a default BearerTokenAuthentication通过使用SecurityMockServerConfigurers#opaqueToken方法:
-
Java
-
Kotlin
client
.mutateWith(mockOpaqueToken())
.get().uri("/endpoint").exchange();client
.mutateWith(mockOpaqueToken())
.get().uri("/endpoint").exchange()This example configures the associated MockHttpServletRequest替换为BearerTokenAuthentication这包括一个简单的OAuth2AuthenticatedPrincipal一个Map of attributes, and a Collection的授予权限。
具体来说,它包括一个Map键/值对为sub/user:
-
Java
-
Kotlin
assertThat((String) token.getTokenAttributes().get("sub")).isEqualTo("user");assertThat(token.tokenAttributes["sub"] as String?).isEqualTo("user")它还包括一个Collection只有一个授权的授权,SCOPE_read:
-
Java
-
Kotlin
assertThat(token.getAuthorities()).hasSize(1);
assertThat(token.getAuthorities()).containsExactly(new SimpleGrantedAuthority("SCOPE_read"));assertThat(token.authorities).hasSize(1)
assertThat(token.authorities).containsExactly(SimpleGrantedAuthority("SCOPE_read"))Spring Security 执行必要的工作来确保BearerTokenAuthentication instance is available for your controller methods.
配置权限
在许多情况下,您的方法受到过滤器或方法安全性的保护,并且需要您的Authentication以授予某些权限来允许该请求。
In this case, you can supply what granted authorities you need using the authorities()方法:
-
Java
-
Kotlin
client
.mutateWith(mockOpaqueToken()
.authorities(new SimpleGrantedAuthority("SCOPE_message:read"))
)
.get().uri("/endpoint").exchange();client
.mutateWith(mockOpaqueToken()
.authorities(SimpleGrantedAuthority("SCOPE_message:read"))
)
.get().uri("/endpoint").exchange()配置声明
While granted authorities are quite common across all of Spring Security, we also have attributes in the case of OAuth 2.0.
例如,假设您有一个user_id属性,该属性指示系统中的用户 ID。
您可以在控制器中按如下方式访问它:
-
Java
-
Kotlin
@GetMapping("/endpoint")
public Mono<String> foo(BearerTokenAuthentication authentication) {
String userId = (String) authentication.getTokenAttributes().get("user_id");
// ...
}@GetMapping("/endpoint")
fun foo(authentication: BearerTokenAuthentication): Mono<String?> {
val userId = authentication.tokenAttributes["user_id"] as String?
// ...
}在这种情况下,您可以使用attributes()方法:
-
Java
-
Kotlin
client
.mutateWith(mockOpaqueToken()
.attributes(attrs -> attrs.put("user_id", "1234"))
)
.get().uri("/endpoint").exchange();client
.mutateWith(mockOpaqueToken()
.attributes { attrs -> attrs["user_id"] = "1234" }
)
.get().uri("/endpoint").exchange()其他配置
You can also use additional methods to further configure the authentication, depending on what data your controller expects.
One such method is principal(OAuth2AuthenticatedPrincipal), which you can use to configure the complete OAuth2AuthenticatedPrincipal instance that underlies the BearerTokenAuthentication.
It is handy if you:
* Have your own implementation of OAuth2AuthenticatedPrincipal or
* Want to specify a different principal name
例如,假设您的授权服务器在user_name attribute instead of the sub attribute.
In that case, you can configure an OAuth2AuthenticatedPrincipal手工:
-
Java
-
Kotlin
Map<String, Object> attributes = Collections.singletonMap("user_name", "foo_user");
OAuth2AuthenticatedPrincipal principal = new DefaultOAuth2AuthenticatedPrincipal(
(String) attributes.get("user_name"),
attributes,
AuthorityUtils.createAuthorityList("SCOPE_message:read"));
client
.mutateWith(mockOpaqueToken().principal(principal))
.get().uri("/endpoint").exchange();val attributes: Map<String, Any> = mapOf(Pair("user_name", "foo_user"))
val principal: OAuth2AuthenticatedPrincipal = DefaultOAuth2AuthenticatedPrincipal(
attributes["user_name"] as String?,
attributes,
AuthorityUtils.createAuthorityList("SCOPE_message:read")
)
client
.mutateWith(mockOpaqueToken().principal(principal))
.get().uri("/endpoint").exchange()Note that, as an alternative to using mockOpaqueToken() test support, you can also mock the OpaqueTokenIntrospector bean itself with a @MockBean annotation.