客户端身份验证支持

客户端凭证

身份验证方式`client_secret_basic`

HTTP Basic 的客户端身份验证是开箱即用的，无需自定义即可启用它。默认实现由DefaultOAuth2TokenRequestHeadersConverter.spring-doc.cadn.net.cn

给定 OAuth 2.0 客户端注册的以下 Spring Boot 属性：spring-doc.cadn.net.cn

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: client-id
            client-secret: client-secret
            client-authentication-method: client_secret_basic
            authorization-grant-type: authorization_code
            ...

以下示例显示如何配置WebClientReactiveAuthorizationCodeTokenResponseClient要禁用客户端凭证的 URL 编码：spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

DefaultOAuth2TokenRequestHeadersConverter<OAuth2AuthorizationCodeGrantRequest> headersConverter =
		new DefaultOAuth2TokenRequestHeadersConverter<>();
headersConverter.setEncodeClientCredentials(false);

WebClientReactiveAuthorizationCodeTokenResponseClient tokenResponseClient =
		new WebClientReactiveAuthorizationCodeTokenResponseClient();
tokenResponseClient.setHeadersConverter(headersConverter);

val headersConverter = DefaultOAuth2TokenRequestHeadersConverter<OAuth2AuthorizationCodeGrantRequest>()
headersConverter.setEncodeClientCredentials(false)

val tokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
tokenResponseClient.setHeadersConverter(headersConverter)

身份验证方式`client_secret_post`

支持使用请求正文中包含的客户端凭证进行客户端身份验证，并且无需自定义即可启用它。spring-doc.cadn.net.cn

OAuth 2.0 客户端注册的以下 Spring Boot 属性演示了该配置：spring-doc.cadn.net.cn

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: client-id
            client-secret: client-secret
            client-authentication-method: client_secret_post
            authorization-grant-type: authorization_code
            ...

JWT 持有者

有关 JWT 不记名客户端身份验证的更多详细信息，请参阅 OAuth 2.0 客户端身份验证和授权的 JSON Web 令牌（JWT）配置文件。spring-doc.cadn.net.cn

JWT 不记名客户端身份验证的默认实现是NimbusJwtClientAuthenticationParametersConverter, 这是一个Converter，通过添加已签名的 JSON Web 令牌（JWS）client_assertion参数。spring-doc.cadn.net.cn

这java.security.PrivateKey或javax.crypto.SecretKey用于签署 JWS 由com.nimbusds.jose.jwk.JWK解析器关联NimbusJwtClientAuthenticationParametersConverter.spring-doc.cadn.net.cn

身份验证方式`private_key_jwt`

给定 OAuth 2.0 客户端注册的以下 Spring Boot 属性：spring-doc.cadn.net.cn

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-authentication-method: private_key_jwt
            authorization-grant-type: authorization_code
            ...

以下示例显示如何配置WebClientReactiveAuthorizationCodeTokenResponseClient:spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> {
	if (clientRegistration.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
		// Assuming RSA key type
		RSAPublicKey publicKey = ...
		RSAPrivateKey privateKey = ...
		return new RSAKey.Builder(publicKey)
				.privateKey(privateKey)
				.keyID(UUID.randomUUID().toString())
				.build();
	}
	return null;
};

WebClientReactiveAuthorizationCodeTokenResponseClient tokenResponseClient =
		new WebClientReactiveAuthorizationCodeTokenResponseClient();
tokenResponseClient.addParametersConverter(
		new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));

val jwkResolver: Function<ClientRegistration, JWK> =
    Function<ClientRegistration, JWK> { clientRegistration ->
        if (clientRegistration.clientAuthenticationMethod.equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
            // Assuming RSA key type
            var publicKey: RSAPublicKey = ...
            var privateKey: RSAPrivateKey = ...
            RSAKey.Builder(publicKey)
                    .privateKey(privateKey)
                    .keyID(UUID.randomUUID().toString())
                .build()
        }
        null
    }

val tokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
tokenResponseClient.addParametersConverter(
    NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
)

身份验证方式`client_secret_jwt`

给定 OAuth 2.0 客户端注册的以下 Spring Boot 属性：spring-doc.cadn.net.cn

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
            client-authentication-method: client_secret_jwt
            authorization-grant-type: client_credentials
            ...

以下示例显示如何配置WebClientReactiveClientCredentialsTokenResponseClient:spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> {
	if (clientRegistration.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.CLIENT_SECRET_JWT)) {
		SecretKeySpec secretKey = new SecretKeySpec(
				clientRegistration.getClientSecret().getBytes(StandardCharsets.UTF_8),
				"HmacSHA256");
		return new OctetSequenceKey.Builder(secretKey)
				.keyID(UUID.randomUUID().toString())
				.build();
	}
	return null;
};

WebClientReactiveClientCredentialsTokenResponseClient tokenResponseClient =
		new WebClientReactiveClientCredentialsTokenResponseClient();
tokenResponseClient.addParametersConverter(
		new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));

val jwkResolver = Function<ClientRegistration, JWK?> { clientRegistration: ClientRegistration ->
    if (clientRegistration.clientAuthenticationMethod == ClientAuthenticationMethod.CLIENT_SECRET_JWT) {
        val secretKey = SecretKeySpec(
            clientRegistration.clientSecret.toByteArray(StandardCharsets.UTF_8),
            "HmacSHA256"
        )
        OctetSequenceKey.Builder(secretKey)
            .keyID(UUID.randomUUID().toString())
            .build()
    }
    null
}

val tokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
tokenResponseClient.addParametersConverter(
    NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
)

自定义 JWT 断言

由NimbusJwtClientAuthenticationParametersConverter包含iss,sub,aud,jti,iat和exp声明。您可以通过提供Consumer<NimbusJwtClientAuthenticationParametersConverter.JwtClientAuthenticationContext<T>>自setJwtClientAssertionCustomizer().以下示例显示如何自定义 JWT 的声明：spring-doc.cadn.net.cn

Javaspring-doc.cadn.net.cn
Kotlinspring-doc.cadn.net.cn

Function<ClientRegistration, JWK> jwkResolver = ...

NimbusJwtClientAuthenticationParametersConverter<OAuth2ClientCredentialsGrantRequest> converter =
		new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver);
converter.setJwtClientAssertionCustomizer((context) -> {
	context.getHeaders().header("custom-header", "header-value");
	context.getClaims().claim("custom-claim", "claim-value");
});

val jwkResolver = ...

val converter: NimbusJwtClientAuthenticationParametersConverter<OAuth2ClientCredentialsGrantRequest> =
    NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
converter.setJwtClientAssertionCustomizer { context ->
    context.headers.header("custom-header", "header-value")
    context.claims.claim("custom-claim", "claim-value")
}

公共身份验证

Public Client Authentication 是开箱即用的支持，无需自定义即可启用它。spring-doc.cadn.net.cn

OAuth 2.0 客户端注册的以下 Spring Boot 属性演示了该配置：spring-doc.cadn.net.cn

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: client-id
            client-authentication-method: none
            authorization-grant-type: authorization_code
            ...

支持使用代码交换证明密钥（PKCE）的公共客户端。 PKCE 将在client-authentication-method设置为 “none” （ClientAuthenticationMethod.NONE).spring-doc.cadn.net.cn

客户端身份验证支持

客户端凭证

身份验证方式client_secret_basic

身份验证方式client_secret_post

JWT 持有者

身份验证方式private_key_jwt

身份验证方式client_secret_jwt

自定义 JWT 断言

公共身份验证

身份验证方式`client_secret_basic`

身份验证方式`client_secret_post`

身份验证方式`private_key_jwt`

身份验证方式`client_secret_jwt`