TokenRelay Filter

令牌中继是指 OAuth2 消费者充当客户端,并将传入令牌转发到传出资源请求的位置。消费者可以是纯客户端(如 SSO 应用程序)或资源服务器。

A Token Relay is where an OAuth2 consumer acts as a Client and forwards the incoming token to outgoing resource requests. The consumer can be a pure Client (like an SSO application) or a Resource Server.

Spring Cloud Gateway Server MVC 可以转发当前经过身份验证用户的 OAuth2 访问令牌,oauth2Login() 用于对用户进行身份验证。

Spring Cloud Gateway Server MVC can forward the OAuth2 access token of the currently authenticated user oauth2Login() is used to authenticate the user.

RouteConfiguration.java
import static org.springframework.cloud.gateway.server.mvc.filter.TokenRelayFilterFunctions.tokenRelay;
import static org.springframework.cloud.gateway.server.mvc.handler.GatewayRouterFunctions.route;
import static org.springframework.cloud.gateway.server.mvc.handler.HandlerFunctions.http;

@Configuration
class RouteConfiguration {

    @Bean
    public RouterFunction<ServerResponse> gatewayRouterFunctionsAddReqHeader() {
		return route("resource")
			.GET("/resource", http("http://localhost:9000"))
				.filter(tokenRelay())
				.build();
    }
}

或者

or this

application.yaml
spring:
  cloud:
    gateway:
      mvc:
        routes:
        - id: resource
          uri: http://localhost:9000
          predicates:
          - Path=/resource
          filters:
          - TokenRelay=

而且它将(除了让用户登录并获取令牌之外)将身份验证令牌向下传递到服务(在本例中为 “/resource”)。

and it will (in addition to logging the user in and grabbing a token) pass the authentication token downstream to the services (in this case /resource).

要为 Spring Cloud Gateway Server MVC 启用此功能,请添加以下依赖项

To enable this for Spring Cloud Gateway Server MVC add the following dependencies

  • org.springframework.boot:spring-boot-starter-oauth2-client

它如何工作?当前经过身份验证用户的自己的访问令牌(在登录期间获取)被使用,并且提取的访问令牌被放置在下游请求的请求标头中。

How does it work? The currently authenticated user’s own access token (obtained during login) is used and the extracted access token is placed in a request header for the downstream requests.

Token Relay 过滤器仅在设置了正确的 spring.security.oauth2.client.* 属性时才会工作,这将触发 OAuth2AuthorizedClientManager bean 的创建。

The Token Relay filter will only work if the proper spring.security.oauth2.client.* properties are set which will trigger creation of a OAuth2AuthorizedClientManager bean.

Token Relay 过滤器使用的默认实现使用内存数据存储。如果你需要一个更健壮的解决方案,则需要提供自己的实现 OAuth2AuthorizedClientService

The default implementation used by the Token Relay filter uses an in-memory data store. You will need to provide your own implementation OAuth2AuthorizedClientService if you need a more robust solution.