|
对于最新的稳定版本,请使用 Spring Security 6.4.1! |
OAuth 2.0 资源服务器不透明令牌
Introspection 的最小依赖项
如 JWT 的最小依赖项中所述,大多数 Resource Server 支持都收集在spring-security-oauth2-resource-server.
但是,除非您提供自定义ReactiveOpaqueTokenIntrospector,则 Resource Server 会回退到ReactiveOpaqueTokenIntrospector.
这意味着spring-security-oauth2-resource-server和oauth2-oidc-sdk对于具有支持不透明 Bearer Token 的工作最小 Resource Server 是必需的。
看spring-security-oauth2-resource-server为了确定oauth2-oidc-sdk.
Introspection 的最小配置
通常,您可以使用授权服务器托管的 OAuth 2.0 Introspection Endpoint 验证不透明令牌。 当需要吊销时,这可能很方便。
使用 Spring Boot 时,将应用程序配置为使用内省的资源服务器包括两个步骤:
-
包括所需的依赖项。
-
指示自省终端节点详细信息。
指定 Authorization Server
您可以指定自省终端节点的位置:
spring:
security:
oauth2:
resourceserver:
opaque-token:
introspection-uri: https://idp.example.com/introspect
client-id: client
client-secret: secret哪里idp.example.com/introspect是由授权服务器托管的 Introspection 终端节点,client-id和client-secret是命中该终端节点所需的凭证。
Resource Server 使用这些属性进一步自我配置并随后验证传入的 JWT。
|
如果授权服务器响应令牌有效,则令牌有效。 |
运行时预期
应用程序启动后,Resource Server 会尝试处理任何包含Authorization: Bearer页眉:
GET / HTTP/1.1
Authorization: Bearer some-token-value # Resource Server will process this只要指示此方案,Resource Server 就会尝试根据 Bearer Token 规范处理请求。
给定一个不透明的令牌,Resource Server:
-
使用提供的凭证和令牌查询提供的自省终端节点。
-
检查
{ 'active' : true }属性。 -
将每个范围映射到前缀为
SCOPE_.
默认情况下,生成的Authentication#getPrincipal是 Spring SecurityOAuth2AuthenticatedPrincipalobject 和Authentication#getName映射到令牌的sub属性(如果存在)。
从这里,您可能希望跳转到:
身份验证后查找属性
令牌通过身份验证后,BearerTokenAuthentication在SecurityContext.
这意味着它可用于@Controller方法时@EnableWebFlux在您的配置中:
-
Java
-
Kotlin
@GetMapping("/foo")
public Mono<String> foo(BearerTokenAuthentication authentication) {
return Mono.just(authentication.getTokenAttributes().get("sub") + " is the subject");
}@GetMapping("/foo")
fun foo(authentication: BearerTokenAuthentication): Mono<String> {
return Mono.just(authentication.tokenAttributes["sub"].toString() + " is the subject")
}因为BearerTokenAuthentication持有OAuth2AuthenticatedPrincipal,这也意味着它也可用于控制器方法:
-
Java
-
Kotlin
@GetMapping("/foo")
public Mono<String> foo(@AuthenticationPrincipal OAuth2AuthenticatedPrincipal principal) {
return Mono.just(principal.getAttribute("sub") + " is the subject");
}@GetMapping("/foo")
fun foo(@AuthenticationPrincipal principal: OAuth2AuthenticatedPrincipal): Mono<String> {
return Mono.just(principal.getAttribute<Any>("sub").toString() + " is the subject")
}使用 SPEL 查找属性
您可以使用 Spring 表达式语言 (SpEL) 访问属性。
例如,如果您使用@EnableReactiveMethodSecurity这样您就可以使用@PreAuthorizeannotations 中,您可以执行以下作:
-
Java
-
Kotlin
@PreAuthorize("principal?.attributes['sub'] = 'foo'")
public Mono<String> forFoosEyesOnly() {
return Mono.just("foo");
}@PreAuthorize("principal.attributes['sub'] = 'foo'")
fun forFoosEyesOnly(): Mono<String> {
return Mono.just("foo")
}覆盖或替换引导自动配置
Spring Boot 生成两个@Bean实例。
第一个是SecurityWebFilterChain,将应用程序配置为资源服务器。
当您使用 Opaque Token 时,此SecurityWebFilterChain看来:
-
Java
-
Kotlin
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange(exchanges -> exchanges
.anyExchange().authenticated()
)
.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken)
return http.build();
}@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
authorizeExchange {
authorize(anyExchange, authenticated)
}
oauth2ResourceServer {
opaqueToken { }
}
}
}如果应用程序未公开SecurityWebFilterChainbean,Spring Boot 公开了默认的 bean(如前面的清单所示)。
您可以通过在应用程序中公开 bean 来替换它:
-
Java
-
Kotlin
import static org.springframework.security.oauth2.core.authorization.OAuth2ReactiveAuthorizationManagers.hasScope;
@Configuration
@EnableWebFluxSecurity
public class MyCustomSecurityConfiguration {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange(exchanges -> exchanges
.pathMatchers("/messages/**").access(hasScope("message:read"))
.anyExchange().authenticated()
)
.oauth2ResourceServer(oauth2 -> oauth2
.opaqueToken(opaqueToken -> opaqueToken
.introspector(myIntrospector())
)
);
return http.build();
}
}import org.springframework.security.oauth2.core.authorization.OAuth2ReactiveAuthorizationManagers.hasScope
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
authorizeExchange {
authorize("/messages/**", hasScope("message:read"))
authorize(anyExchange, authenticated)
}
oauth2ResourceServer {
opaqueToken {
introspector = myIntrospector()
}
}
}
}前面的示例需要message:read对于任何以/messages/.
方法oauth2ResourceServerDSL 还会覆盖或替换 auto 配置。
例如,第二个@BeanSpring Boot 创建的是一个ReactiveOpaqueTokenIntrospector,它解码String令牌转换为已验证的OAuth2AuthenticatedPrincipal:
-
Java
-
Kotlin
@Bean
public ReactiveOpaqueTokenIntrospector introspector() {
return new NimbusReactiveOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);
}@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
return NimbusReactiveOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret)
}如果应用程序未公开ReactiveOpaqueTokenIntrospectorbean,Spring Boot 公开了默认的(如前面的清单所示)。
您可以使用introspectionUri()和introspectionClientCredentials()或者使用introspector().
用introspectionUri()
您可以将授权服务器的 Introspection URI 配置为配置属性,也可以在 DSL 中提供:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class DirectlyConfiguredIntrospectionUri {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange(exchanges -> exchanges
.anyExchange().authenticated()
)
.oauth2ResourceServer(oauth2 -> oauth2
.opaqueToken(opaqueToken -> opaqueToken
.introspectionUri("https://idp.example.com/introspect")
.introspectionClientCredentials("client", "secret")
)
);
return http.build();
}
}@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
authorizeExchange {
authorize(anyExchange, authenticated)
}
oauth2ResourceServer {
opaqueToken {
introspectionUri = "https://idp.example.com/introspect"
introspectionClientCredentials("client", "secret")
}
}
}
}用introspectionUri()优先于任何配置属性。
用introspector()
introspector()比introspectionUri().它完全取代了ReactiveOpaqueTokenIntrospector:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class DirectlyConfiguredIntrospector {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange(exchanges -> exchanges
.anyExchange().authenticated()
)
.oauth2ResourceServer(oauth2 -> oauth2
.opaqueToken(opaqueToken -> opaqueToken
.introspector(myCustomIntrospector())
)
);
return http.build();
}
}@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
authorizeExchange {
authorize(anyExchange, authenticated)
}
oauth2ResourceServer {
opaqueToken {
introspector = myCustomIntrospector()
}
}
}
}公开ReactiveOpaqueTokenIntrospector @Bean
或者,公开ReactiveOpaqueTokenIntrospector @Bean具有相同的效果introspector():
-
Java
-
Kotlin
@Bean
public ReactiveOpaqueTokenIntrospector introspector() {
return new NimbusReactiveOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);
}@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
return NimbusReactiveOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret)
}配置授权
OAuth 2.0 自省终端节点通常返回scope属性,指示已授予的范围(或权限)——例如:
{ ..., "scope" : "messages contacts"}在这种情况下,Resource Server 会尝试将这些范围强制转换为已授予的权限列表,并在每个范围前加上字符串:SCOPE_.
这意味着,要保护具有从 Opaque Token 派生的范围的终端节点或方法,相应的表达式应包含以下前缀:
-
Java
-
Kotlin
import static org.springframework.security.oauth2.core.authorization.OAuth2ReactiveAuthorizationManagers.hasScope;
@Configuration
@EnableWebFluxSecurity
public class MappedAuthorities {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange(exchange -> exchange
.pathMatchers("/contacts/**").access(hasScope("contacts"))
.pathMatchers("/messages/**").access(hasScope("messages"))
.anyExchange().authenticated()
)
.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken);
return http.build();
}
}import org.springframework.security.oauth2.core.authorization.OAuth2ReactiveAuthorizationManagers.hasScope
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
authorizeExchange {
authorize("/contacts/**", hasScope("contacts"))
authorize("/messages/**", hasScope("messages"))
authorize(anyExchange, authenticated)
}
oauth2ResourceServer {
opaqueToken { }
}
}
}你可以对 method security 做类似的事情:
-
Java
-
Kotlin
@PreAuthorize("hasAuthority('SCOPE_messages')")
public Flux<Message> getMessages(...) {}@PreAuthorize("hasAuthority('SCOPE_messages')")
fun getMessages(): Flux<Message> { }手动提取权限
默认情况下,Opaque Token 支持从自省响应中提取 scope 声明,并将其解析为单个GrantedAuthority实例。
请考虑以下示例:
{
"active" : true,
"scope" : "message:read message:write"
}如果自省响应如前面的示例所示,则 Resource Server 将生成一个Authentication有两个权限,一个用于message:read另一个用于message:write.
您可以使用自定义ReactiveOpaqueTokenIntrospector,它查看属性集并以自己的方式进行转换:
-
Java
-
Kotlin
public class CustomAuthoritiesOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
private ReactiveOpaqueTokenIntrospector delegate =
new NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");
public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {
return this.delegate.introspect(token)
.map(principal -> new DefaultOAuth2AuthenticatedPrincipal(
principal.getName(), principal.getAttributes(), extractAuthorities(principal)));
}
private Collection<GrantedAuthority> extractAuthorities(OAuth2AuthenticatedPrincipal principal) {
List<String> scopes = principal.getAttribute(OAuth2IntrospectionClaimNames.SCOPE);
return scopes.stream()
.map(SimpleGrantedAuthority::new)
.collect(Collectors.toList());
}
}class CustomAuthoritiesOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {
private val delegate: ReactiveOpaqueTokenIntrospector = NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")
override fun introspect(token: String): Mono<OAuth2AuthenticatedPrincipal> {
return delegate.introspect(token)
.map { principal: OAuth2AuthenticatedPrincipal ->
DefaultOAuth2AuthenticatedPrincipal(
principal.name, principal.attributes, extractAuthorities(principal))
}
}
private fun extractAuthorities(principal: OAuth2AuthenticatedPrincipal): Collection<GrantedAuthority> {
val scopes = principal.getAttribute<List<String>>(OAuth2IntrospectionClaimNames.SCOPE)
return scopes
.map { SimpleGrantedAuthority(it) }
}
}此后,您可以通过将自定义 Introspector 公开为@Bean:
-
Java
-
Kotlin
@Bean
public ReactiveOpaqueTokenIntrospector introspector() {
return new CustomAuthoritiesOpaqueTokenIntrospector();
}@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
return CustomAuthoritiesOpaqueTokenIntrospector()
}将 Introspection 与 JWT 结合使用
一个常见的问题是 introspection 是否与 JWT 兼容。 Spring Security 的 Opaque Token 支持被设计为不关心令牌的格式。它很乐意将任何令牌传递给提供的 introspection 终端节点。
因此,假设您需要在每个请求上与授权服务器进行检查,以防 JWT 被撤销。
即使您对令牌使用 JWT 格式,您的验证方法也是 introspection,这意味着您需要执行以下作:
spring:
security:
oauth2:
resourceserver:
opaque-token:
introspection-uri: https://idp.example.org/introspection
client-id: client
client-secret: secret在这种情况下,生成的Authentication将BearerTokenAuthentication.
相应OAuth2AuthenticatedPrincipal将是 Introspection 终端节点返回的任何内容。
但是,假设无论出于何种原因,内省终端节点仅返回令牌是否处于活动状态。 现在怎么办?
在这种情况下,您可以创建自定义ReactiveOpaqueTokenIntrospector,它仍然命中终端节点,但随后更新返回的主体以将 JWTs 声明作为属性:
-
Java
-
Kotlin
public class JwtOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
private ReactiveOpaqueTokenIntrospector delegate =
new NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");
private ReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(new ParseOnlyJWTProcessor());
public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {
return this.delegate.introspect(token)
.flatMap(principal -> this.jwtDecoder.decode(token))
.map(jwt -> new DefaultOAuth2AuthenticatedPrincipal(jwt.getClaims(), NO_AUTHORITIES));
}
private static class ParseOnlyJWTProcessor implements Converter<JWT, Mono<JWTClaimsSet>> {
public Mono<JWTClaimsSet> convert(JWT jwt) {
try {
return Mono.just(jwt.getJWTClaimsSet());
} catch (Exception ex) {
return Mono.error(ex);
}
}
}
}class JwtOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {
private val delegate: ReactiveOpaqueTokenIntrospector = NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")
private val jwtDecoder: ReactiveJwtDecoder = NimbusReactiveJwtDecoder(ParseOnlyJWTProcessor())
override fun introspect(token: String): Mono<OAuth2AuthenticatedPrincipal> {
return delegate.introspect(token)
.flatMap { jwtDecoder.decode(token) }
.map { jwt: Jwt -> DefaultOAuth2AuthenticatedPrincipal(jwt.claims, NO_AUTHORITIES) }
}
private class ParseOnlyJWTProcessor : Converter<JWT, Mono<JWTClaimsSet>> {
override fun convert(jwt: JWT): Mono<JWTClaimsSet> {
return try {
Mono.just(jwt.jwtClaimsSet)
} catch (e: Exception) {
Mono.error(e)
}
}
}
}此后,您可以通过将自定义 Introspector 公开为@Bean:
-
Java
-
Kotlin
@Bean
public ReactiveOpaqueTokenIntrospector introspector() {
return new JwtOpaqueTokenIntropsector();
}@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
return JwtOpaqueTokenIntrospector()
}调用/userinfo端点
一般来说,Resource Server 不关心底层用户,而是关心已授予的权限。
也就是说,有时将授权声明绑定回用户可能很有价值。
如果应用程序还使用spring-security-oauth2-client,在设置适当的ClientRegistrationRepository中,您可以使用自定义OpaqueTokenIntrospector.
下一个清单中的实现做了三件事:
-
委托给内省终端节点,以确认令牌的有效性。
-
查找与
/userinfo端点。 -
调用并返回来自
/userinfo端点。
-
Java
-
Kotlin
public class UserInfoOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
private final ReactiveOpaqueTokenIntrospector delegate =
new NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");
private final ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService =
new DefaultReactiveOAuth2UserService();
private final ReactiveClientRegistrationRepository repository;
// ... constructor
@Override
public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {
return Mono.zip(this.delegate.introspect(token), this.repository.findByRegistrationId("registration-id"))
.map(t -> {
OAuth2AuthenticatedPrincipal authorized = t.getT1();
ClientRegistration clientRegistration = t.getT2();
Instant issuedAt = authorized.getAttribute(ISSUED_AT);
Instant expiresAt = authorized.getAttribute(OAuth2IntrospectionClaimNames.EXPIRES_AT);
OAuth2AccessToken accessToken = new OAuth2AccessToken(BEARER, token, issuedAt, expiresAt);
return new OAuth2UserRequest(clientRegistration, accessToken);
})
.flatMap(this.oauth2UserService::loadUser);
}
}class UserInfoOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {
private val delegate: ReactiveOpaqueTokenIntrospector = NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")
private val oauth2UserService: ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> = DefaultReactiveOAuth2UserService()
private val repository: ReactiveClientRegistrationRepository? = null
// ... constructor
override fun introspect(token: String?): Mono<OAuth2AuthenticatedPrincipal> {
return Mono.zip<OAuth2AuthenticatedPrincipal, ClientRegistration>(delegate.introspect(token), repository!!.findByRegistrationId("registration-id"))
.map<OAuth2UserRequest> { t: Tuple2<OAuth2AuthenticatedPrincipal, ClientRegistration> ->
val authorized = t.t1
val clientRegistration = t.t2
val issuedAt: Instant? = authorized.getAttribute(ISSUED_AT)
val expiresAt: Instant? = authorized.getAttribute(OAuth2IntrospectionClaimNames.EXPIRES_AT)
val accessToken = OAuth2AccessToken(BEARER, token, issuedAt, expiresAt)
OAuth2UserRequest(clientRegistration, accessToken)
}
.flatMap { userRequest: OAuth2UserRequest -> oauth2UserService.loadUser(userRequest) }
}
}如果您未使用spring-security-oauth2-client,还是挺简单的。
您只需调用/userinfo替换为您自己的WebClient:
-
Java
-
Kotlin
public class UserInfoOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
private final ReactiveOpaqueTokenIntrospector delegate =
new NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");
private final WebClient rest = WebClient.create();
@Override
public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {
return this.delegate.introspect(token)
.map(this::makeUserInfoRequest);
}
}class UserInfoOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {
private val delegate: ReactiveOpaqueTokenIntrospector = NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")
private val rest: WebClient = WebClient.create()
override fun introspect(token: String): Mono<OAuth2AuthenticatedPrincipal> {
return delegate.introspect(token)
.map(this::makeUserInfoRequest)
}
}无论哪种方式,创建ReactiveOpaqueTokenIntrospector,您应该将其发布为@Bean要覆盖默认值,请执行以下作:
-
Java
-
Kotlin
@Bean
ReactiveOpaqueTokenIntrospector introspector() {
return new UserInfoOpaqueTokenIntrospector();
}@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
return UserInfoOpaqueTokenIntrospector()
}