|
此版本仍在开发中,尚不被认为是稳定的。对于最新的稳定版本,请使用 Spring Security 6.5.3! |
授权授予支持
本节介绍 Spring Security 对授权授权的支持。
授权码
|
有关授权代码授予的更多详细信息,请参阅 OAuth 2.0 授权框架。 |
获得授权
|
请参阅授权请求/响应协议流,了解授权代码授权。 |
发起授权请求
这OAuth2AuthorizationRequestRedirectFilter使用OAuth2AuthorizationRequestResolver以解决OAuth2AuthorizationRequest并通过将最终用户的用户代理重定向到授权服务器的授权端点来启动授权代码授权流。
的主要作用OAuth2AuthorizationRequestResolver是解决OAuth2AuthorizationRequest来自提供的 Web 请求。
默认实现DefaultOAuth2AuthorizationRequestResolver(默认)路径上的匹配项/oauth2/authorization/{registrationId},提取registrationId,并使用它来构建OAuth2AuthorizationRequest对于关联的ClientRegistration.
考虑以下 OAuth 2.0 客户端注册的 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/authorized/okta"
scope: read, write
provider:
okta:
authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token给定上述属性,具有基本路径的请求/oauth2/authorization/okta通过OAuth2AuthorizationRequestRedirectFilter并最终启动授权代码授予流。
|
这 |
如果 OAuth 2.0 客户端是公共客户端,请按如下方式配置 OAuth 2.0 客户端注册:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-authentication-method: none
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/authorized/okta"
# ...使用代码交换证明密钥 (PKCE) 支持公共客户端。 如果客户端在不受信任的环境(例如本机应用程序或基于 Web 浏览器的应用程序)中运行,因此无法维护其凭据的机密性,则在满足以下条件时自动使用 PKCE:
-
client-secret被省略(或为空),并且 -
client-authentication-method设置为none(ClientAuthenticationMethod.NONE)
或
-
什么时候
ClientRegistration.clientSettings.requireProofKey是true(在本例中ClientRegistration.authorizationGrantType必须是authorization_code)
|
如果 OAuth 2.0 提供程序支持机密客户端的 PKCE,您可以(可选)使用 |
以下配置使用所有受支持的URI模板变量:
spring:
security:
oauth2:
client:
registration:
okta:
# ...
redirect-uri: "{baseScheme}://{baseHost}{basePort}{basePath}/authorized/{registrationId}"
# ...|
|
配置redirect-uri跟URI模板变量在 OAuth 2.0 客户端在代理服务器后面运行时特别有用。
这样做可以确保X-Forwarded-*headers 用于扩展redirect-uri.
自定义授权请求
主要用例之一OAuth2AuthorizationRequestResolver可以实现的是,能够使用 OAuth 2.0 授权框架中定义的标准参数之上的附加参数自定义授权请求。
例如,OpenID Connect 为授权代码流定义了其他 OAuth 2.0 请求参数,该参数从 OAuth 2.0 授权框架中定义的标准参数扩展而来。
其中一个扩展参数是prompt参数。
|
这 |
以下示例显示如何配置DefaultOAuth2AuthorizationRequestResolver使用Consumer<OAuth2AuthorizationRequest.Builder>自定义授权请求oauth2Login(),通过包含 request 参数prompt=consent.
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {
@Autowired
private ClientRegistrationRepository clientRegistrationRepository;
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
.oauth2Login((oauth2) -> oauth2
.authorizationEndpoint((authorization) -> authorization
.authorizationRequestResolver(
authorizationRequestResolver(this.clientRegistrationRepository)
)
)
);
return http.build();
}
private OAuth2AuthorizationRequestResolver authorizationRequestResolver(
ClientRegistrationRepository clientRegistrationRepository) {
DefaultOAuth2AuthorizationRequestResolver authorizationRequestResolver =
new DefaultOAuth2AuthorizationRequestResolver(
clientRegistrationRepository, "/oauth2/authorization");
authorizationRequestResolver.setAuthorizationRequestCustomizer(
authorizationRequestCustomizer());
return authorizationRequestResolver;
}
private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
return customizer -> customizer
.additionalParameters((params) -> params.put("prompt", "consent"));
}
}@Configuration
@EnableWebSecurity
class SecurityConfig {
@Autowired
private lateinit var customClientRegistrationRepository: ClientRegistrationRepository
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
authorize(anyRequest, authenticated)
}
oauth2Login {
authorizationEndpoint {
authorizationRequestResolver = authorizationRequestResolver(customClientRegistrationRepository)
}
}
}
return http.build()
}
private fun authorizationRequestResolver(
clientRegistrationRepository: ClientRegistrationRepository?): OAuth2AuthorizationRequestResolver {
val authorizationRequestResolver = DefaultOAuth2AuthorizationRequestResolver(
clientRegistrationRepository, "/oauth2/authorization")
authorizationRequestResolver.setAuthorizationRequestCustomizer(
authorizationRequestCustomizer())
return authorizationRequestResolver
}
private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
return Consumer { customizer ->
customizer
.additionalParameters { params -> params["prompt"] = "consent" }
}
}
}对于特定提供程序的附加请求参数始终相同的简单用例,您可以直接将其添加到authorization-uri财产。
例如,如果请求参数的值prompt总是consent对于提供者okta,您可以按如下方式进行配置:
spring:
security:
oauth2:
client:
provider:
okta:
authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize?prompt=consent前面的示例显示了在标准参数之上添加自定义参数的常见用例。
或者,如果你的需求更高级,你可以通过重写OAuth2AuthorizationRequest.authorizationRequestUri财产。
|
|
以下示例显示了authorizationRequestCustomizer()而不是覆盖OAuth2AuthorizationRequest.authorizationRequestUri财产:
-
Java
-
Kotlin
private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
return customizer -> customizer
.authorizationRequestUri((uriBuilder) -> uriBuilder
.queryParam("prompt", "consent").build());
}private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
return Consumer { customizer: OAuth2AuthorizationRequest.Builder ->
customizer
.authorizationRequestUri { uriBuilder: UriBuilder ->
uriBuilder
.queryParam("prompt", "consent").build()
}
}
}存储授权请求
这AuthorizationRequestRepository负责OAuth2AuthorizationRequest从启动授权请求到收到授权响应(回调)。
|
这 |
默认实现AuthorizationRequestRepository是HttpSessionOAuth2AuthorizationRequestRepository,它存储OAuth2AuthorizationRequest在HttpSession.
如果您有AuthorizationRequestRepository,您可以按如下方式进行配置:
-
Java
-
Kotlin
-
Xml
@Configuration
@EnableWebSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Client((oauth2) -> oauth2
.authorizationCodeGrant((codeGrant) -> codeGrant
.authorizationRequestRepository(this.authorizationRequestRepository())
// ...
)
)
.oauth2Login((oauth2) -> oauth2
.authorizationEndpoint((endpoint) -> endpoint
.authorizationRequestRepository(this.authorizationRequestRepository())
// ...
)
);
return http.build();
}
@Bean
public AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository() {
return new CustomOAuth2AuthorizationRequestRepository();
}
}@Configuration
@EnableWebSecurity
class OAuth2ClientSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
oauth2Client {
authorizationCodeGrant {
authorizationRequestRepository = authorizationRequestRepository()
}
}
}
return http.build()
}
}<http>
<oauth2-client>
<authorization-code-grant authorization-request-repository-ref="authorizationRequestRepository"/>
</oauth2-client>
</http>请求访问Tokens
|
请参阅访问Tokens请求/响应协议流,了解授权代码授权。 |
默认实现OAuth2AccessTokenResponseClient授权码授权为RestClientAuthorizationCodeTokenResponseClient,它使用RestClient实例,以在授权服务器的Tokens端点上交换访问Tokens的授权代码。
RestClientAuthorizationCodeTokenResponseClient非常灵活,并提供了多个选项来自定义授权代码授予的 OAuth 2.0 访问Tokens请求和响应。
从以下用例中进行选择以了解更多信息:
自定义访问Tokens请求
RestClientAuthorizationCodeTokenResponseClient提供用于自定义 OAuth 2.0 访问Tokens请求的 HTTP 标头和请求参数的钩子。
自定义请求标头
自定义 HTTP 标头有两个选项:
-
通过调用添加其他标头
addHeadersConverter() -
通过调用
setHeadersConverter()
您可以包含其他标头,而不会影响使用addHeadersConverter().
以下示例将User-Agent标头添加到请求中,当registrationId是spring:
-
Java
-
Kotlin
RestClientAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new RestClientAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = RestClientAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以通过重复使用DefaultOAuth2TokenRequestHeadersConverter或使用setHeadersConverter().
以下示例重用DefaultOAuth2TokenRequestHeadersConverter并禁用encodeClientCredentials以便 HTTP Basic 凭据不再使用application/x-www-form-urlencoded:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
RestClientAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new RestClientAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = RestClientAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
自定义请求参数有三个选项:
-
通过调用添加其他参数
addParametersConverter() -
通过调用
setParametersConverter() -
通过调用完全自定义参数
setParametersCustomizer()
|
用 |
您可以包含其他参数,而不会影响使用addParametersConverter().
以下示例添加了一个audience参数添加到请求中,当registrationId是keycloak:
-
Java
-
Kotlin
RestClientAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new RestClientAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = RestClientAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用以下命令覆盖默认参数setParametersConverter().
以下示例覆盖了client_id参数,当registrationId是okta:
-
Java
-
Kotlin
RestClientAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new RestClientAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val parametersConverter = DefaultOAuth2TokenRequestParametersConverter<OAuth2AuthorizationCodeGrantRequest>()
parametersConverter.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}
val accessTokenResponseClient = RestClientAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用以下命令完全自定义参数(包括省略默认参数)setParametersCustomizer().
以下示例省略了client_id参数,当client_assertion参数存在于请求中:
-
Java
-
Kotlin
RestClientAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new RestClientAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = RestClientAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
RestClientAuthorizationCodeTokenResponseClient提供用于自定义响应参数和 OAuth 2.0 访问Tokens响应的错误处理的钩子。
自定义RestClient
您可以通过提供预配置的RestClient自setRestClient().
默认值RestClient配置如下:
RestClient配置-
Java
-
Kotlin
RestClient restClient = RestClient.builder()
.messageConverters(messageConverters -> {
messageConverters.clear();
messageConverters.add(new FormHttpMessageConverter());
messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
})
.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
.build();
RestClientAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new RestClientAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setRestClient(restClient);val restClient = RestClient.builder()
.messageConverters { messageConverters ->
messageConverters.clear()
messageConverters.add(FormHttpMessageConverter())
messageConverters.add(OAuth2AccessTokenResponseHttpMessageConverter())
}
.defaultStatusHandler(OAuth2ErrorResponseErrorHandler())
.build()
val accessTokenResponseClient = RestClientAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setRestClient(restClient)OAuth2AccessTokenResponseHttpMessageConverter是一个HttpMessageConverter用于 OAuth 2.0 访问Tokens响应。
您可以自定义将Tokens响应参数转换为OAuth2AccessTokenResponse通过调用setAccessTokenResponseConverter().
默认实现是DefaultMapOAuth2AccessTokenResponseConverter.
OAuth2ErrorResponseErrorHandler是一个ResponseErrorHandler可以处理 OAuth 2.0 错误,例如400 Bad Request.
它使用OAuth2ErrorHttpMessageConverter用于将 OAuth 2.0 错误参数转换为OAuth2Error.
您可以自定义将Tokens响应参数转换为OAuth2Error通过调用setErrorConverter().
|
弹簧 MVC |
自定义响应参数
以下示例提供了将Tokens响应参数转换为OAuth2AccessTokenResponse:
-
Java
-
Kotlin
OAuth2AccessTokenResponseHttpMessageConverter accessTokenResponseMessageConverter =
new OAuth2AccessTokenResponseHttpMessageConverter();
accessTokenResponseMessageConverter.setAccessTokenResponseConverter(parameters -> {
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build();
});val accessTokenResponseMessageConverter = OAuth2AccessTokenResponseHttpMessageConverter()
accessTokenResponseMessageConverter.setAccessTokenResponseConverter { parameters ->
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}自定义错误处理
以下示例提供了自定义将 Error 参数转换为OAuth2Error:
-
Java
-
Kotlin
OAuth2ErrorHttpMessageConverter errorConverter =
new OAuth2ErrorHttpMessageConverter();
errorConverter.setErrorConverter(parameters -> {
// ...
return new OAuth2Error("custom-error", "custom description", "custom-uri");
});
OAuth2ErrorResponseErrorHandler errorHandler =
new OAuth2ErrorResponseErrorHandler();
errorHandler.setErrorConverter(errorConverter);val errorConverter = OAuth2ErrorHttpMessageConverter()
errorConverter.setErrorConverter { parameters ->
// ...
return OAuth2Error("custom-error", "custom description", "custom-uri")
}
val errorHandler = OAuth2ErrorResponseErrorHandler()
errorHandler.setErrorConverter(errorConverter)使用 DSL 进行自定义
无论您是自定义RestClientAuthorizationCodeTokenResponseClient或提供您自己的实现OAuth2AccessTokenResponseClient,您可以使用 DSL(作为发布 Bean 的替代方法)对其进行配置,如下所示:
-
Java
-
Kotlin
-
Xml
@Configuration
@EnableWebSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Client((oauth2) -> oauth2
.authorizationCodeGrant((codeGrant) -> codeGrant
.accessTokenResponseClient(this.accessTokenResponseClient())
// ...
)
);
return http.build();
}
}@Configuration
@EnableWebSecurity
class OAuth2ClientSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
oauth2Client {
authorizationCodeGrant {
accessTokenResponseClient = accessTokenResponseClient()
}
}
}
return http.build()
}
}<http>
<oauth2-client>
<authorization-code-grant access-token-response-client-ref="accessTokenResponseClient"/>
</oauth2-client>
</http>刷新Tokens
|
有关刷新Tokens的更多详细信息,请参阅 OAuth 2.0 授权框架。 |
刷新访问Tokens
|
请参阅访问Tokens请求/响应协议流,了解刷新Tokens授予。 |
默认实现OAuth2AccessTokenResponseClient对于刷新Tokens授权为RestClientRefreshTokenTokenResponseClient,它使用RestClient实例以在授权服务器的Tokens端点获取访问Tokens。
RestClientRefreshTokenTokenResponseClient非常灵活,并提供了多个选项来自定义刷新Tokens授予的 OAuth 2.0 访问Tokens请求和响应。
从以下用例中进行选择以了解更多信息:
自定义访问Tokens请求
RestClientRefreshTokenTokenResponseClient提供用于自定义 OAuth 2.0 访问Tokens请求的 HTTP 标头和请求参数的钩子。
自定义请求标头
自定义 HTTP 标头有两个选项:
-
通过调用添加其他标头
addHeadersConverter() -
通过调用
setHeadersConverter()
您可以包含其他标头,而不会影响使用addHeadersConverter().
以下示例将User-Agent标头添加到请求中,当registrationId是spring:
-
Java
-
Kotlin
RestClientRefreshTokenTokenResponseClient accessTokenResponseClient =
new RestClientRefreshTokenTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = RestClientRefreshTokenTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以通过重复使用DefaultOAuth2TokenRequestHeadersConverter或使用setHeadersConverter().
以下示例重用DefaultOAuth2TokenRequestHeadersConverter并禁用encodeClientCredentials以便 HTTP Basic 凭据不再使用application/x-www-form-urlencoded:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
RestClientRefreshTokenTokenResponseClient accessTokenResponseClient =
new RestClientRefreshTokenTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = RestClientRefreshTokenTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
自定义请求参数有三个选项:
-
通过调用添加其他参数
addParametersConverter() -
通过调用
setParametersConverter() -
通过调用完全自定义参数
setParametersCustomizer()
|
用 |
您可以包含其他参数,而不会影响使用addParametersConverter().
以下示例添加了一个audience参数添加到请求中,当registrationId是keycloak:
-
Java
-
Kotlin
RestClientRefreshTokenTokenResponseClient accessTokenResponseClient =
new RestClientRefreshTokenTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = RestClientRefreshTokenTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用以下命令覆盖默认参数setParametersConverter().
以下示例覆盖了client_id参数,当registrationId是okta:
-
Java
-
Kotlin
RestClientRefreshTokenTokenResponseClient accessTokenResponseClient =
new RestClientRefreshTokenTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val parametersConverter = DefaultOAuth2TokenRequestParametersConverter<OAuth2RefreshTokenGrantRequest>()
parametersConverter.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}
val accessTokenResponseClient = RestClientRefreshTokenTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用以下命令完全自定义参数(包括省略默认参数)setParametersCustomizer().
以下示例省略了client_id参数,当client_assertion参数存在于请求中:
-
Java
-
Kotlin
RestClientRefreshTokenTokenResponseClient accessTokenResponseClient =
new RestClientRefreshTokenTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = RestClientRefreshTokenTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
RestClientRefreshTokenTokenResponseClient提供用于自定义响应参数和 OAuth 2.0 访问Tokens响应的错误处理的钩子。
自定义RestClient
您可以通过提供预配置的RestClient自setRestClient().
默认值RestClient配置如下:
RestClient配置-
Java
-
Kotlin
RestClient restClient = RestClient.builder()
.messageConverters(messageConverters -> {
messageConverters.clear();
messageConverters.add(new FormHttpMessageConverter());
messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
})
.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
.build();
RestClientRefreshTokenTokenResponseClient accessTokenResponseClient =
new RestClientRefreshTokenTokenResponseClient();
accessTokenResponseClient.setRestClient(restClient);val restClient = RestClient.builder()
.messageConverters { messageConverters ->
messageConverters.clear()
messageConverters.add(FormHttpMessageConverter())
messageConverters.add(OAuth2AccessTokenResponseHttpMessageConverter())
}
.defaultStatusHandler(OAuth2ErrorResponseErrorHandler())
.build()
val accessTokenResponseClient = RestClientRefreshTokenTokenResponseClient()
accessTokenResponseClient.setRestClient(restClient)OAuth2AccessTokenResponseHttpMessageConverter是一个HttpMessageConverter用于 OAuth 2.0 访问Tokens响应。
您可以自定义将Tokens响应参数转换为OAuth2AccessTokenResponse通过调用setAccessTokenResponseConverter().
默认实现是DefaultMapOAuth2AccessTokenResponseConverter.
OAuth2ErrorResponseErrorHandler是一个ResponseErrorHandler可以处理 OAuth 2.0 错误,例如400 Bad Request.
它使用OAuth2ErrorHttpMessageConverter用于将 OAuth 2.0 错误参数转换为OAuth2Error.
您可以自定义将Tokens响应参数转换为OAuth2Error通过调用setErrorConverter().
|
弹簧 MVC |
自定义响应参数
以下示例提供了将Tokens响应参数转换为OAuth2AccessTokenResponse:
-
Java
-
Kotlin
OAuth2AccessTokenResponseHttpMessageConverter accessTokenResponseMessageConverter =
new OAuth2AccessTokenResponseHttpMessageConverter();
accessTokenResponseMessageConverter.setAccessTokenResponseConverter(parameters -> {
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build();
});val accessTokenResponseMessageConverter = OAuth2AccessTokenResponseHttpMessageConverter()
accessTokenResponseMessageConverter.setAccessTokenResponseConverter { parameters ->
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}自定义错误处理
以下示例提供了自定义将 Error 参数转换为OAuth2Error:
-
Java
-
Kotlin
OAuth2ErrorHttpMessageConverter errorConverter =
new OAuth2ErrorHttpMessageConverter();
errorConverter.setErrorConverter(parameters -> {
// ...
return new OAuth2Error("custom-error", "custom description", "custom-uri");
});
OAuth2ErrorResponseErrorHandler errorHandler =
new OAuth2ErrorResponseErrorHandler();
errorHandler.setErrorConverter(errorConverter);val errorConverter = OAuth2ErrorHttpMessageConverter()
errorConverter.setErrorConverter { parameters ->
// ...
return OAuth2Error("custom-error", "custom description", "custom-uri")
}
val errorHandler = OAuth2ErrorResponseErrorHandler()
errorHandler.setErrorConverter(errorConverter)使用构建器进行自定义
无论您是自定义RestClientRefreshTokenTokenResponseClient或提供您自己的实现OAuth2AccessTokenResponseClient,您可以使用OAuth2AuthorizedClientProviderBuilder(作为发布 Bean 的替代方法),如下所示:
-
Java
-
Kotlin
// Customize
OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> refreshTokenTokenResponseClient = ...
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken((configurer) -> configurer.accessTokenResponseClient(refreshTokenTokenResponseClient))
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val refreshTokenTokenResponseClient: OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> = ...
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken { it.accessTokenResponseClient(refreshTokenTokenResponseClient) }
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
这OAuth2RefreshToken可以选择在访问Tokens响应中返回authorization_code授权类型。
如果OAuth2AuthorizedClient.getRefreshToken()可用,并且OAuth2AuthorizedClient.getAccessToken()已过期,则由RefreshTokenOAuth2AuthorizedClientProvider.
客户端凭据
|
有关客户端凭据授予的更多详细信息,请参阅 OAuth 2.0 授权框架。 |
请求访问Tokens
|
请参阅访问Tokens请求/响应协议流,了解客户端凭据授予。 |
默认实现OAuth2AccessTokenResponseClient对于客户端凭据授权为RestClientClientCredentialsTokenResponseClient,它使用RestClient实例以在授权服务器的Tokens端点获取访问Tokens。
RestClientClientCredentialsTokenResponseClient非常灵活,并提供了多个选项来自定义客户端凭据授予的 OAuth 2.0 访问Tokens请求和响应。
从以下用例中进行选择以了解更多信息:
自定义访问Tokens请求
RestClientClientCredentialsTokenResponseClient提供用于自定义 OAuth 2.0 访问Tokens请求的 HTTP 标头和请求参数的钩子。
自定义请求标头
自定义 HTTP 标头有两个选项:
-
通过调用添加其他标头
addHeadersConverter() -
通过调用
setHeadersConverter()
您可以包含其他标头,而不会影响使用addHeadersConverter().
以下示例将User-Agent标头添加到请求中,当registrationId是spring:
-
Java
-
Kotlin
RestClientClientCredentialsTokenResponseClient accessTokenResponseClient =
new RestClientClientCredentialsTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = RestClientClientCredentialsTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以通过重复使用DefaultOAuth2TokenRequestHeadersConverter或使用setHeadersConverter().
以下示例重用DefaultOAuth2TokenRequestHeadersConverter并禁用encodeClientCredentials以便 HTTP Basic 凭据不再使用application/x-www-form-urlencoded:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
RestClientClientCredentialsTokenResponseClient accessTokenResponseClient =
new RestClientClientCredentialsTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = RestClientClientCredentialsTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
自定义请求参数有三个选项:
-
通过调用添加其他参数
addParametersConverter() -
通过调用
setParametersConverter() -
通过调用完全自定义参数
setParametersCustomizer()
|
用 |
您可以包含其他参数,而不会影响使用addParametersConverter().
以下示例添加了一个audience参数添加到请求中,当registrationId是keycloak:
-
Java
-
Kotlin
RestClientClientCredentialsTokenResponseClient accessTokenResponseClient =
new RestClientClientCredentialsTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = RestClientClientCredentialsTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用以下命令覆盖默认参数setParametersConverter().
以下示例覆盖了client_id参数,当registrationId是okta:
-
Java
-
Kotlin
RestClientClientCredentialsTokenResponseClient accessTokenResponseClient =
new RestClientClientCredentialsTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val parametersConverter = DefaultOAuth2TokenRequestParametersConverter<OAuth2ClientCredentialsGrantRequest>()
parametersConverter.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}
val accessTokenResponseClient = RestClientClientCredentialsTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用以下命令完全自定义参数(包括省略默认参数)setParametersCustomizer().
以下示例省略了client_id参数,当client_assertion参数存在于请求中:
-
Java
-
Kotlin
RestClientClientCredentialsTokenResponseClient accessTokenResponseClient =
new RestClientClientCredentialsTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = RestClientClientCredentialsTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
RestClientClientCredentialsTokenResponseClient提供用于自定义响应参数和 OAuth 2.0 访问Tokens响应的错误处理的钩子。
自定义RestClient
您可以通过提供预配置的RestClient自setRestClient().
默认值RestClient配置如下:
RestClient配置-
Java
-
Kotlin
RestClient restClient = RestClient.builder()
.messageConverters(messageConverters -> {
messageConverters.clear();
messageConverters.add(new FormHttpMessageConverter());
messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
})
.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
.build();
RestClientClientCredentialsTokenResponseClient accessTokenResponseClient =
new RestClientClientCredentialsTokenResponseClient();
accessTokenResponseClient.setRestClient(restClient);val restClient = RestClient.builder()
.messageConverters { messageConverters ->
messageConverters.clear()
messageConverters.add(FormHttpMessageConverter())
messageConverters.add(OAuth2AccessTokenResponseHttpMessageConverter())
}
.defaultStatusHandler(OAuth2ErrorResponseErrorHandler())
.build()
val accessTokenResponseClient = RestClientClientCredentialsTokenResponseClient()
accessTokenResponseClient.setRestClient(restClient)OAuth2AccessTokenResponseHttpMessageConverter是一个HttpMessageConverter用于 OAuth 2.0 访问Tokens响应。
您可以自定义将Tokens响应参数转换为OAuth2AccessTokenResponse通过调用setAccessTokenResponseConverter().
默认实现是DefaultMapOAuth2AccessTokenResponseConverter.
OAuth2ErrorResponseErrorHandler是一个ResponseErrorHandler可以处理 OAuth 2.0 错误,例如400 Bad Request.
它使用OAuth2ErrorHttpMessageConverter用于将 OAuth 2.0 错误参数转换为OAuth2Error.
您可以自定义将Tokens响应参数转换为OAuth2Error通过调用setErrorConverter().
|
弹簧 MVC |
自定义响应参数
以下示例提供了将Tokens响应参数转换为OAuth2AccessTokenResponse:
-
Java
-
Kotlin
OAuth2AccessTokenResponseHttpMessageConverter accessTokenResponseMessageConverter =
new OAuth2AccessTokenResponseHttpMessageConverter();
accessTokenResponseMessageConverter.setAccessTokenResponseConverter(parameters -> {
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build();
});val accessTokenResponseMessageConverter = OAuth2AccessTokenResponseHttpMessageConverter()
accessTokenResponseMessageConverter.setAccessTokenResponseConverter { parameters ->
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}自定义错误处理
以下示例提供了自定义将 Error 参数转换为OAuth2Error:
-
Java
-
Kotlin
OAuth2ErrorHttpMessageConverter errorConverter =
new OAuth2ErrorHttpMessageConverter();
errorConverter.setErrorConverter(parameters -> {
// ...
return new OAuth2Error("custom-error", "custom description", "custom-uri");
});
OAuth2ErrorResponseErrorHandler errorHandler =
new OAuth2ErrorResponseErrorHandler();
errorHandler.setErrorConverter(errorConverter);val errorConverter = OAuth2ErrorHttpMessageConverter()
errorConverter.setErrorConverter { parameters ->
// ...
return OAuth2Error("custom-error", "custom description", "custom-uri")
}
val errorHandler = OAuth2ErrorResponseErrorHandler()
errorHandler.setErrorConverter(errorConverter)使用构建器进行自定义
无论您是自定义RestClientClientCredentialsTokenResponseClient或提供您自己的实现OAuth2AccessTokenResponseClient,您可以使用OAuth2AuthorizedClientProviderBuilder(作为发布 Bean 的替代方法),如下所示:
-
Java
-
Kotlin
// Customize
OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient = ...
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials((configurer) -> configurer.accessTokenResponseClient(clientCredentialsTokenResponseClient))
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val clientCredentialsTokenResponseClient: OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> = ...
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials { it.accessTokenResponseClient(clientCredentialsTokenResponseClient) }
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
使用访问Tokens
考虑以下 OAuth 2.0 客户端注册的 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: client_credentials
scope: read, write
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token进一步考虑以下事项OAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
ClientRegistrationRepository clientRegistrationRepository,
OAuth2AuthorizedClientRepository authorizedClientRepository) {
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build();
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ClientRegistrationRepository,
authorizedClientRepository: OAuth2AuthorizedClientRepository): OAuth2AuthorizedClientManager {
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build()
val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}给定前面的属性和 bean,您可以获得OAuth2AccessToken如下:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private OAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/")
public String index(Authentication authentication,
HttpServletRequest servletRequest,
HttpServletResponse servletResponse) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attributes(attrs -> {
attrs.put(HttpServletRequest.class.getName(), servletRequest);
attrs.put(HttpServletResponse.class.getName(), servletResponse);
})
.build();
OAuth2AuthorizedClient authorizedClient = this.authorizedClientManager.authorize(authorizeRequest);
OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
// ...
return "index";
}
}class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientManager: OAuth2AuthorizedClientManager
@GetMapping("/")
fun index(authentication: Authentication?,
servletRequest: HttpServletRequest,
servletResponse: HttpServletResponse): String {
val authorizeRequest: OAuth2AuthorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attributes(Consumer { attrs: MutableMap<String, Any> ->
attrs[HttpServletRequest::class.java.name] = servletRequest
attrs[HttpServletResponse::class.java.name] = servletResponse
})
.build()
val authorizedClient = authorizedClientManager.authorize(authorizeRequest)
val accessToken: OAuth2AccessToken = authorizedClient.accessToken
// ...
return "index"
}
}|
|
JWT 承载者
|
有关 JWT 持有者授权的更多详细信息,请参阅 OAuth 2.0 客户端身份验证和授权授权的 JSON Web Tokens (JWT) 配置文件。 |
请求访问Tokens
|
请参阅访问Tokens请求/响应协议流,了解 JWT 持有者授权。 |
默认实现OAuth2AccessTokenResponseClient对于 JWT Bearer 赠款是RestClientJwtBearerTokenResponseClient,它使用RestClient实例以在授权服务器的Tokens端点获取访问Tokens。
RestClientJwtBearerTokenResponseClient非常灵活,并提供了多个选项来自定义 JWT 持有者授权的 OAuth 2.0 访问Tokens请求和响应。从以下用例中进行选择以了解更多信息:
自定义访问Tokens请求
RestClientJwtBearerTokenResponseClient提供用于自定义 OAuth 2.0 访问Tokens请求的 HTTP 标头和请求参数的钩子。
自定义请求标头
自定义 HTTP 标头有两个选项:
-
通过调用添加其他标头
addHeadersConverter() -
通过调用
setHeadersConverter()
您可以包含其他标头,而不会影响使用addHeadersConverter().
以下示例将User-Agent标头添加到请求中,当registrationId是spring:
-
Java
-
Kotlin
RestClientJwtBearerTokenResponseClient accessTokenResponseClient =
new RestClientJwtBearerTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = RestClientJwtBearerTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以通过重复使用DefaultOAuth2TokenRequestHeadersConverter或使用setHeadersConverter().
以下示例重用DefaultOAuth2TokenRequestHeadersConverter并禁用encodeClientCredentials以便 HTTP Basic 凭据不再使用application/x-www-form-urlencoded:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
RestClientJwtBearerTokenResponseClient accessTokenResponseClient =
new RestClientJwtBearerTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = RestClientJwtBearerTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
自定义请求参数有三个选项:
-
通过调用添加其他参数
addParametersConverter() -
通过调用
setParametersConverter() -
通过调用完全自定义参数
setParametersCustomizer()
|
用 |
您可以包含其他参数,而不会影响使用addParametersConverter().
以下示例添加了一个audience参数添加到请求中,当registrationId是keycloak:
-
Java
-
Kotlin
RestClientJwtBearerTokenResponseClient accessTokenResponseClient =
new RestClientJwtBearerTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = RestClientJwtBearerTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用以下命令覆盖默认参数setParametersConverter().
以下示例覆盖了client_id参数,当registrationId是okta:
-
Java
-
Kotlin
RestClientJwtBearerTokenResponseClient accessTokenResponseClient =
new RestClientJwtBearerTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val parametersConverter = DefaultOAuth2TokenRequestParametersConverter<JwtBearerGrantRequest>()
parametersConverter.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}
val accessTokenResponseClient = RestClientJwtBearerTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用以下命令完全自定义参数(包括省略默认参数)setParametersCustomizer().
以下示例省略了client_id参数,当client_assertion参数存在于请求中:
-
Java
-
Kotlin
RestClientJwtBearerTokenResponseClient accessTokenResponseClient =
new RestClientJwtBearerTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = RestClientJwtBearerTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
RestClientJwtBearerTokenResponseClient提供用于自定义响应参数和 OAuth 2.0 访问Tokens响应的错误处理的钩子。
自定义RestClient
您可以通过提供预配置的RestClient自setRestClient().
默认值RestClient配置如下:
RestClient配置-
Java
-
Kotlin
RestClient restClient = RestClient.builder()
.messageConverters(messageConverters -> {
messageConverters.clear();
messageConverters.add(new FormHttpMessageConverter());
messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
})
.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
.build();
RestClientJwtBearerTokenResponseClient accessTokenResponseClient =
new RestClientJwtBearerTokenResponseClient();
accessTokenResponseClient.setRestClient(restClient);val restClient = RestClient.builder()
.messageConverters { messageConverters ->
messageConverters.clear()
messageConverters.add(FormHttpMessageConverter())
messageConverters.add(OAuth2AccessTokenResponseHttpMessageConverter())
}
.defaultStatusHandler(OAuth2ErrorResponseErrorHandler())
.build()
val accessTokenResponseClient = RestClientJwtBearerTokenResponseClient()
accessTokenResponseClient.setRestClient(restClient)OAuth2AccessTokenResponseHttpMessageConverter是一个HttpMessageConverter用于 OAuth 2.0 访问Tokens响应。
您可以自定义将Tokens响应参数转换为OAuth2AccessTokenResponse通过调用setAccessTokenResponseConverter().
默认实现是DefaultMapOAuth2AccessTokenResponseConverter.
OAuth2ErrorResponseErrorHandler是一个ResponseErrorHandler可以处理 OAuth 2.0 错误,例如400 Bad Request.
它使用OAuth2ErrorHttpMessageConverter用于将 OAuth 2.0 错误参数转换为OAuth2Error.
您可以自定义将Tokens响应参数转换为OAuth2Error通过调用setErrorConverter().
|
弹簧 MVC |
自定义响应参数
以下示例提供了将Tokens响应参数转换为OAuth2AccessTokenResponse:
-
Java
-
Kotlin
OAuth2AccessTokenResponseHttpMessageConverter accessTokenResponseMessageConverter =
new OAuth2AccessTokenResponseHttpMessageConverter();
accessTokenResponseMessageConverter.setAccessTokenResponseConverter(parameters -> {
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build();
});val accessTokenResponseMessageConverter = OAuth2AccessTokenResponseHttpMessageConverter()
accessTokenResponseMessageConverter.setAccessTokenResponseConverter { parameters ->
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}自定义错误处理
以下示例提供了自定义将 Error 参数转换为OAuth2Error:
-
Java
-
Kotlin
OAuth2ErrorHttpMessageConverter errorConverter =
new OAuth2ErrorHttpMessageConverter();
errorConverter.setErrorConverter(parameters -> {
// ...
return new OAuth2Error("custom-error", "custom description", "custom-uri");
});
OAuth2ErrorResponseErrorHandler errorHandler =
new OAuth2ErrorResponseErrorHandler();
errorHandler.setErrorConverter(errorConverter);val errorConverter = OAuth2ErrorHttpMessageConverter()
errorConverter.setErrorConverter { parameters ->
// ...
return OAuth2Error("custom-error", "custom description", "custom-uri")
}
val errorHandler = OAuth2ErrorResponseErrorHandler()
errorHandler.setErrorConverter(errorConverter)使用构建器进行自定义
无论您是自定义RestClientJwtBearerTokenResponseClient或提供您自己的实现OAuth2AccessTokenResponseClient,您可以使用OAuth2AuthorizedClientProviderBuilder(作为发布 Bean 的替代方法),如下所示:
-
Java
-
Kotlin
// Customize
OAuth2AccessTokenResponseClient<JwtBearerGrantRequest> jwtBearerTokenResponseClient = ...
JwtBearerOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider = new JwtBearerOAuth2AuthorizedClientProvider();
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient);
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val jwtBearerTokenResponseClient: OAuth2AccessTokenResponseClient<JwtBearerGrantRequest> = ...
val jwtBearerAuthorizedClientProvider = JwtBearerOAuth2AuthorizedClientProvider()
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient)
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)使用访问Tokens
给定 OAuth 2.0 客户端注册的以下 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: urn:ietf:params:oauth:grant-type:jwt-bearer
scope: read
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token…和OAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
ClientRegistrationRepository clientRegistrationRepository,
OAuth2AuthorizedClientRepository authorizedClientRepository) {
JwtBearerOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider =
new JwtBearerOAuth2AuthorizedClientProvider();
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build();
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ClientRegistrationRepository,
authorizedClientRepository: OAuth2AuthorizedClientRepository): OAuth2AuthorizedClientManager {
val jwtBearerAuthorizedClientProvider = JwtBearerOAuth2AuthorizedClientProvider()
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build()
val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}您可以获得OAuth2AccessToken如下:
-
Java
-
Kotlin
@RestController
public class OAuth2ResourceServerController {
@Autowired
private OAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/resource")
public String resource(JwtAuthenticationToken jwtAuthentication) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build();
OAuth2AuthorizedClient authorizedClient = this.authorizedClientManager.authorize(authorizeRequest);
OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
// ...
}
}class OAuth2ResourceServerController {
@Autowired
private lateinit var authorizedClientManager: OAuth2AuthorizedClientManager
@GetMapping("/resource")
fun resource(jwtAuthentication: JwtAuthenticationToken?): String {
val authorizeRequest: OAuth2AuthorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build()
val authorizedClient = authorizedClientManager.authorize(authorizeRequest)
val accessToken: OAuth2AccessToken = authorizedClient.accessToken
// ...
}
}|
|
|
如果您需要解决 |
Tokens兑换
|
有关Tokens交换授权的更多详细信息,请参阅 OAuth 2.0 Tokens交换。 |
请求访问Tokens
|
有关Tokens交换授权,请参阅Tokens交换请求和响应协议流。 |
默认实现OAuth2AccessTokenResponseClient对于Tokens交换授权是RestClientTokenExchangeTokenResponseClient,它使用RestClient实例以在授权服务器的Tokens端点获取访问Tokens。
RestClientTokenExchangeTokenResponseClient非常灵活,并提供了多个选项来自定义 OAuth 2.0 访问Tokens请求和Tokens交换授权的响应。
从以下用例中进行选择以了解更多信息:
自定义访问Tokens请求
RestClientTokenExchangeTokenResponseClient提供用于自定义 OAuth 2.0 访问Tokens请求的 HTTP 标头和请求参数的钩子。
自定义请求标头
自定义 HTTP 标头有两个选项:
-
通过调用添加其他标头
addHeadersConverter() -
通过调用
setHeadersConverter()
您可以包含其他标头,而不会影响使用addHeadersConverter().
以下示例将User-Agent标头添加到请求中,当registrationId是spring:
-
Java
-
Kotlin
RestClientTokenExchangeTokenResponseClient accessTokenResponseClient =
new RestClientTokenExchangeTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = RestClientTokenExchangeTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以通过重复使用DefaultOAuth2TokenRequestHeadersConverter或使用setHeadersConverter().
以下示例重用DefaultOAuth2TokenRequestHeadersConverter并禁用encodeClientCredentials以便 HTTP Basic 凭据不再使用application/x-www-form-urlencoded:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
RestClientTokenExchangeTokenResponseClient accessTokenResponseClient =
new RestClientTokenExchangeTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = RestClientTokenExchangeTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
自定义请求参数有三个选项:
-
通过调用添加其他参数
addParametersConverter() -
通过调用
setParametersConverter() -
通过调用完全自定义参数
setParametersCustomizer()
|
用 |
您可以包含其他参数,而不会影响使用addParametersConverter().
以下示例添加了一个audience参数添加到请求中,当registrationId是keycloak:
-
Java
-
Kotlin
RestClientTokenExchangeTokenResponseClient accessTokenResponseClient =
new RestClientTokenExchangeTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = RestClientTokenExchangeTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用以下命令覆盖默认参数setParametersConverter().
以下示例覆盖了client_id参数,当registrationId是okta:
-
Java
-
Kotlin
RestClientTokenExchangeTokenResponseClient accessTokenResponseClient =
new RestClientTokenExchangeTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val parametersConverter = DefaultOAuth2TokenRequestParametersConverter<TokenExchangeGrantRequest>()
parametersConverter.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}
val accessTokenResponseClient = RestClientTokenExchangeTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用以下命令完全自定义参数(包括省略默认参数)setParametersCustomizer().
以下示例省略了client_id参数,当client_assertion参数存在于请求中:
-
Java
-
Kotlin
RestClientTokenExchangeTokenResponseClient accessTokenResponseClient =
new RestClientTokenExchangeTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = RestClientTokenExchangeTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
RestClientTokenExchangeTokenResponseClient提供用于自定义响应参数和 OAuth 2.0 访问Tokens响应的错误处理的钩子。
自定义RestClient
您可以通过提供预配置的RestClient自setRestClient().
默认值RestClient配置如下:
RestClient配置-
Java
-
Kotlin
RestClient restClient = RestClient.builder()
.messageConverters(messageConverters -> {
messageConverters.clear();
messageConverters.add(new FormHttpMessageConverter());
messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
})
.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
.build();
RestClientTokenExchangeTokenResponseClient accessTokenResponseClient =
new RestClientTokenExchangeTokenResponseClient();
accessTokenResponseClient.setRestClient(restClient);val restClient = RestClient.builder()
.messageConverters { messageConverters ->
messageConverters.clear()
messageConverters.add(FormHttpMessageConverter())
messageConverters.add(OAuth2AccessTokenResponseHttpMessageConverter())
}
.defaultStatusHandler(OAuth2ErrorResponseErrorHandler())
.build()
val accessTokenResponseClient = RestClientTokenExchangeTokenResponseClient()
accessTokenResponseClient.setRestClient(restClient)OAuth2AccessTokenResponseHttpMessageConverter是一个HttpMessageConverter用于 OAuth 2.0 访问Tokens响应。
您可以自定义将Tokens响应参数转换为OAuth2AccessTokenResponse通过调用setAccessTokenResponseConverter().
默认实现是DefaultMapOAuth2AccessTokenResponseConverter.
OAuth2ErrorResponseErrorHandler是一个ResponseErrorHandler可以处理 OAuth 2.0 错误,例如400 Bad Request.
它使用OAuth2ErrorHttpMessageConverter用于将 OAuth 2.0 错误参数转换为OAuth2Error.
您可以自定义将Tokens响应参数转换为OAuth2Error通过调用setErrorConverter().
|
弹簧 MVC |
自定义响应参数
以下示例提供了将Tokens响应参数转换为OAuth2AccessTokenResponse:
-
Java
-
Kotlin
OAuth2AccessTokenResponseHttpMessageConverter accessTokenResponseMessageConverter =
new OAuth2AccessTokenResponseHttpMessageConverter();
accessTokenResponseMessageConverter.setAccessTokenResponseConverter(parameters -> {
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build();
});val accessTokenResponseMessageConverter = OAuth2AccessTokenResponseHttpMessageConverter()
accessTokenResponseMessageConverter.setAccessTokenResponseConverter { parameters ->
// ...
return OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}自定义错误处理
以下示例提供了自定义将 Error 参数转换为OAuth2Error:
-
Java
-
Kotlin
OAuth2ErrorHttpMessageConverter errorConverter =
new OAuth2ErrorHttpMessageConverter();
errorConverter.setErrorConverter(parameters -> {
// ...
return new OAuth2Error("custom-error", "custom description", "custom-uri");
});
OAuth2ErrorResponseErrorHandler errorHandler =
new OAuth2ErrorResponseErrorHandler();
errorHandler.setErrorConverter(errorConverter);val errorConverter = OAuth2ErrorHttpMessageConverter()
errorConverter.setErrorConverter { parameters ->
// ...
return OAuth2Error("custom-error", "custom description", "custom-uri")
}
val errorHandler = OAuth2ErrorResponseErrorHandler()
errorHandler.setErrorConverter(errorConverter)使用构建器进行自定义
无论您是自定义RestClientTokenExchangeTokenResponseClient或提供您自己的实现OAuth2AccessTokenResponseClient,您可以使用OAuth2AuthorizedClientProviderBuilder(作为发布 Bean 的替代方法),如下所示:
-
Java
-
Kotlin
// Customize
OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> tokenExchangeTokenResponseClient = ...
TokenExchangeOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider = new TokenExchangeOAuth2AuthorizedClientProvider();
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeTokenResponseClient);
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val tokenExchangeTokenResponseClient: OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> = ...
val tokenExchangeAuthorizedClientProvider = TokenExchangeOAuth2AuthorizedClientProvider()
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeTokenResponseClient)
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)使用访问Tokens
给定 OAuth 2.0 客户端注册的以下 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: urn:ietf:params:oauth:grant-type:token-exchange
scope: read
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token…和OAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
ClientRegistrationRepository clientRegistrationRepository,
OAuth2AuthorizedClientRepository authorizedClientRepository) {
TokenExchangeOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider =
new TokenExchangeOAuth2AuthorizedClientProvider();
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build();
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ClientRegistrationRepository,
authorizedClientRepository: OAuth2AuthorizedClientRepository): OAuth2AuthorizedClientManager {
val tokenExchangeAuthorizedClientProvider = TokenExchangeOAuth2AuthorizedClientProvider()
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build()
val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}您可以获得OAuth2AccessToken如下:
-
Java
-
Kotlin
@RestController
public class OAuth2ResourceServerController {
@Autowired
private OAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/resource")
public String resource(JwtAuthenticationToken jwtAuthentication) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build();
OAuth2AuthorizedClient authorizedClient = this.authorizedClientManager.authorize(authorizeRequest);
OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
// ...
}
}class OAuth2ResourceServerController {
@Autowired
private lateinit var authorizedClientManager: OAuth2AuthorizedClientManager
@GetMapping("/resource")
fun resource(jwtAuthentication: JwtAuthenticationToken?): String {
val authorizeRequest: OAuth2AuthorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build()
val authorizedClient = authorizedClientManager.authorize(authorizeRequest)
val accessToken: OAuth2AccessToken = authorizedClient.accessToken
// ...
}
}|
|
|
如果需要从其他源解析主题Tokens,可以提供 |
|
如果需要解析 actor Tokens,可以提供 |