Advanced Configuration
OAuth 2.0 授权框架将 Protocol Endpoints 定义如下: 授权过程使用两个授权服务器端点(HTTP 资源):
-
授权终端:供客户端通过用户代理重定向从资源所有者获得授权。
-
令牌端点:Client 用于将授权授权交换为访问令牌,通常使用 Client 认证。
以及一个客户端端点:
-
重定向终端:供授权服务器通过资源所有者用户代理向客户端返回包含授权凭据的响应。
OpenID Connect 核心 1.0 规范将 UserInfo Endpoint 定义如下:
UserInfo 端点是一个 OAuth 2.0 受保护资源,返回有关经过身份验证的最终用户的信息。为了获得有关最终用户请求的信息,客户端使用通过 OpenID Connect Authentication 获得的访问令牌,向 UserInfo 端点发出请求。这些信息通常由一个 JSON 对象表示,该对象包含一系列用于信息的名称-值对。
ServerHttpSecurity.oauth2Login()
提供了许多配置选项,用于定制 OAuth 2.0 登录。
以下代码显示了 oauth2Login()
DSL 可用的完整配置选项:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.oauth2Login(oauth2 -> oauth2
.authenticationConverter(this.authenticationConverter())
.authenticationMatcher(this.authenticationMatcher())
.authenticationManager(this.authenticationManager())
.authenticationSuccessHandler(this.authenticationSuccessHandler())
.authenticationFailureHandler(this.authenticationFailureHandler())
.clientRegistrationRepository(this.clientRegistrationRepository())
.authorizedClientRepository(this.authorizedClientRepository())
.authorizedClientService(this.authorizedClientService())
.authorizationRequestResolver(this.authorizationRequestResolver())
.authorizationRequestRepository(this.authorizationRequestRepository())
.securityContextRepository(this.securityContextRepository())
);
return http.build();
}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login {
authenticationConverter = authenticationConverter()
authenticationMatcher = authenticationMatcher()
authenticationManager = authenticationManager()
authenticationSuccessHandler = authenticationSuccessHandler()
authenticationFailureHandler = authenticationFailureHandler()
clientRegistrationRepository = clientRegistrationRepository()
authorizedClientRepository = authorizedClientRepository()
authorizedClientService = authorizedClientService()
authorizationRequestResolver = authorizationRequestResolver()
authorizationRequestRepository = authorizationRequestRepository()
securityContextRepository = securityContextRepository()
}
}
return http.build()
}
}
以下各节将详细介绍每个可用的配置选项:
OAuth 2.0 Login Page
默认情况下,OAuth 2.0 登录页是由 LoginPageGeneratingWebFilter
自动生成的。默认登录页显示每个配置的 OAuth 客户端及其 ClientRegistration.clientName
作为一个链接,该链接能够启动授权请求(或 OAuth 2.0 登录)。
为了使 |
每个 OAuth 客户端的链接目标默认为以下内容:
"/oauth2/authorization/{registrationId}"
以下行为示例:
<a href="/oauth2/authorization/google">Google</a>
要覆盖默认登录页,请配置 exceptionHandling().authenticationEntryPoint()
和(可选)oauth2Login().authorizationRequestResolver()
。
下面的清单显示了一个示例:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.exceptionHandling(exceptionHandling -> exceptionHandling
.authenticationEntryPoint(new RedirectServerAuthenticationEntryPoint("/login/oauth2"))
)
.oauth2Login(oauth2 -> oauth2
.authorizationRequestResolver(this.authorizationRequestResolver())
);
return http.build();
}
private ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver() {
ServerWebExchangeMatcher authorizationRequestMatcher =
new PathPatternParserServerWebExchangeMatcher(
"/login/oauth2/authorization/{registrationId}");
return new DefaultServerOAuth2AuthorizationRequestResolver(
this.clientRegistrationRepository(), authorizationRequestMatcher);
}
...
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
exceptionHandling {
authenticationEntryPoint = RedirectServerAuthenticationEntryPoint("/login/oauth2")
}
oauth2Login {
authorizationRequestResolver = authorizationRequestResolver()
}
}
return http.build()
}
private fun authorizationRequestResolver(): ServerOAuth2AuthorizationRequestResolver {
val authorizationRequestMatcher: ServerWebExchangeMatcher = PathPatternParserServerWebExchangeMatcher(
"/login/oauth2/authorization/{registrationId}"
)
return DefaultServerOAuth2AuthorizationRequestResolver(
clientRegistrationRepository(), authorizationRequestMatcher
)
}
...
}
您需要提供一个 @Controller
及其 @RequestMapping("/login/oauth2")
,能够呈现自定义登录页面。
如前所述,配置
|
Redirection Endpoint
重定向端点由授权服务器用于通过资源所有者用户代理将授权响应(包含授权凭据)返回给客户端。
OAuth 2.0 登录利用授权代码授予。因此,授权凭证就是授权代码。 |
默认授权响应重定向端点是 /login/oauth2/code/{registrationId}
。
如果您想要定制授权响应重定向端点,请按照以下示例中的说明进行配置:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.oauth2Login(oauth2 -> oauth2
.authenticationMatcher(new PathPatternParserServerWebExchangeMatcher("/login/oauth2/callback/{registrationId}"))
);
return http.build();
}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login {
authenticationMatcher = PathPatternParserServerWebExchangeMatcher("/login/oauth2/callback/{registrationId}")
}
}
return http.build()
}
}
您还需要确保 ClientRegistration.redirectUri
与自定义授权响应重定向端点匹配。
下面的清单显示了一个示例:
- Java
-
return CommonOAuth2Provider.GOOGLE.getBuilder("google") .clientId("google-client-id") .clientSecret("google-client-secret") .redirectUri("{baseUrl}/login/oauth2/callback/{registrationId}") .build();
- Kotlin
-
return CommonOAuth2Provider.GOOGLE.getBuilder("google") .clientId("google-client-id") .clientSecret("google-client-secret") .redirectUri("{baseUrl}/login/oauth2/callback/{registrationId}") .build()
UserInfo Endpoint
UserInfo 终结点包括多个配置选项,如下小节所述:
Mapping User Authorities
用户在 OAuth 2.0 提供商处成功认证后,OAuth2User.getAuthorities()
(或 OidcUser.getAuthorities()
) 包含从 OAuth2UserRequest.getAccessToken().getScopes()
中填充的授权列表,并在其之前加上 SCOPE_
。这些授权可能被映射到 GrantedAuthority
实例的新集合,它会在完成认证时提供给 OAuth2AuthenticationToken
。
|
在映射用户权限时有几个选项可供选择:
Using a GrantedAuthoritiesMapper
GrantedAuthoritiesMapper
具有被授予的权限列表,其中包含 OAuth2UserAuthority
类型和权限字符串 OAUTH2_USER
(或 OidcUserAuthority
和权限字符串 OIDC_USER
)的特殊权限。
注册一个 GrantedAuthoritiesMapper
@Bean
以使其自动应用到配置中,如以下示例所示:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
...
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public GrantedAuthoritiesMapper userAuthoritiesMapper() {
return (authorities) -> {
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
authorities.forEach(authority -> {
if (OidcUserAuthority.class.isInstance(authority)) {
OidcUserAuthority oidcUserAuthority = (OidcUserAuthority)authority;
OidcIdToken idToken = oidcUserAuthority.getIdToken();
OidcUserInfo userInfo = oidcUserAuthority.getUserInfo();
// Map the claims found in idToken and/or userInfo
// to one or more GrantedAuthority's and add it to mappedAuthorities
} else if (OAuth2UserAuthority.class.isInstance(authority)) {
OAuth2UserAuthority oauth2UserAuthority = (OAuth2UserAuthority)authority;
Map<String, Object> userAttributes = oauth2UserAuthority.getAttributes();
// Map the attributes found in userAttributes
// to one or more GrantedAuthority's and add it to mappedAuthorities
}
});
return mappedAuthorities;
};
}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login { }
}
return http.build()
}
@Bean
fun userAuthoritiesMapper(): GrantedAuthoritiesMapper = GrantedAuthoritiesMapper { authorities: Collection<GrantedAuthority> ->
val mappedAuthorities = emptySet<GrantedAuthority>()
authorities.forEach { authority ->
if (authority is OidcUserAuthority) {
val idToken = authority.idToken
val userInfo = authority.userInfo
// Map the claims found in idToken and/or userInfo
// to one or more GrantedAuthority's and add it to mappedAuthorities
} else if (authority is OAuth2UserAuthority) {
val userAttributes = authority.attributes
// Map the attributes found in userAttributes
// to one or more GrantedAuthority's and add it to mappedAuthorities
}
}
mappedAuthorities
}
}
Delegation-based strategy with ReactiveOAuth2UserService
与使用 GrantedAuthoritiesMapper
相比,此策略更加高级,不过,它也更加灵活,因为它允许您访问 OAuth2UserRequest
和 OAuth2User
(使用 OAuth 2.0 UserService 时)或 OidcUserRequest
和 OidcUser
(使用 OpenID Connect 1.0 UserService 时)。
OAuth2UserRequest
(和 OidcUserRequest
)使您能访问关联的 OAuth2AccessToken
,在 delegator 需要在为用户映射自定义授权之前从受保护资源中获取授权信息的情况下,此访问非常有用。
以下示例展示了如何使用 OpenID Connect 1.0 UserService 实现和配置基于委派的策略:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
...
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public ReactiveOAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
final OidcReactiveOAuth2UserService delegate = new OidcReactiveOAuth2UserService();
return (userRequest) -> {
// Delegate to the default implementation for loading a user
return delegate.loadUser(userRequest)
.flatMap((oidcUser) -> {
OAuth2AccessToken accessToken = userRequest.getAccessToken();
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
// TODO
// 1) Fetch the authority information from the protected resource using accessToken
// 2) Map the authority information to one or more GrantedAuthority's and add it to mappedAuthorities
// 3) Create a copy of oidcUser but use the mappedAuthorities instead
ProviderDetails providerDetails = userRequest.getClientRegistration().getProviderDetails();
String userNameAttributeName = providerDetails.getUserInfoEndpoint().getUserNameAttributeName();
if (StringUtils.hasText(userNameAttributeName)) {
oidcUser = new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo(), userNameAttributeName);
} else {
oidcUser = new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo());
}
return Mono.just(oidcUser);
});
};
}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login { }
}
return http.build()
}
@Bean
fun oidcUserService(): ReactiveOAuth2UserService<OidcUserRequest, OidcUser> {
val delegate = OidcReactiveOAuth2UserService()
return ReactiveOAuth2UserService { userRequest ->
// Delegate to the default implementation for loading a user
delegate.loadUser(userRequest)
.flatMap { oidcUser ->
val accessToken = userRequest.accessToken
val mappedAuthorities = mutableSetOf<GrantedAuthority>()
// TODO
// 1) Fetch the authority information from the protected resource using accessToken
// 2) Map the authority information to one or more GrantedAuthority's and add it to mappedAuthorities
// 3) Create a copy of oidcUser but use the mappedAuthorities instead
val providerDetails = userRequest.getClientRegistration().getProviderDetails()
val userNameAttributeName = providerDetails.getUserInfoEndpoint().getUserNameAttributeName()
val mappedOidcUser = if (StringUtils.hasText(userNameAttributeName)) {
DefaultOidcUser(mappedAuthorities, oidcUser.idToken, oidcUser.userInfo, userNameAttributeName)
} else {
DefaultOidcUser(mappedAuthorities, oidcUser.idToken, oidcUser.userInfo)
}
Mono.just(mappedOidcUser)
}
}
}
}
OAuth 2.0 UserService
DefaultReactiveOAuth2UserService
是 ReactiveOAuth2UserService
的实现,它支持标准 OAuth 2.0 提供商。
|
DefaultReactiveOAuth2UserService
在 UserInfo 端点请求用户属性时使用 WebClient
。
如果您需要定制 UserInfo 请求的预处理和/或 UserInfo 响应的后处理,您需要用自定义配置的 WebClient
向 DefaultReactiveOAuth2UserService.setWebClient()
提供。
无论您定制 DefaultReactiveOAuth2UserService
还是提供 ReactiveOAuth2UserService
的自定义实现,您都需要按照以下示例中的说明进行配置:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
...
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
...
}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login { }
}
return http.build()
}
@Bean
fun oauth2UserService(): ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> {
// ...
}
}
OpenID Connect 1.0 UserService
OidcReactiveOAuth2UserService
是 ReactiveOAuth2UserService
的实现,它支持 OpenID Connect 1.0 提供商。
OidcReactiveOAuth2UserService
在 UserInfo 端点请求用户属性时利用 DefaultReactiveOAuth2UserService
。
如果您需要定制 UserInfo 请求的预处理和/或 UserInfo 响应的后处理,您需要用自定义配置的 ReactiveOAuth2UserService
向 OidcReactiveOAuth2UserService.setOauth2UserService()
提供。
无论您定制 OidcReactiveOAuth2UserService
还是为 OpenID Connect 1.0 提供商提供 ReactiveOAuth2UserService
的自定义实现,您都需要按照以下示例中的说明进行配置:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
...
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public ReactiveOAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
...
}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login { }
}
return http.build()
}
@Bean
fun oidcUserService(): ReactiveOAuth2UserService<OidcUserRequest, OidcUser> {
// ...
}
}
ID Token Signature Verification
ID 令牌表示为 JSON Web Token(JWT),并且必须使用 JSON Web Signature(JWS)进行签名。
ReactiveOidcIdTokenDecoderFactory
提供了 ReactiveJwtDecoder
,用于 OidcIdToken
签名验证。默认算法为 RS256
,但在客户端注册期间分配时,可能不同。对于这些情况,可以配置解析器以返回为特定客户端分配的预期 JWS 算法。
JWS 算法解析器是 Function
,它接受 ClientRegistration
,并为客户端返回预期 JwsAlgorithm
,比如 SignatureAlgorithm.RS256
或 MacAlgorithm.HS256
以下代码展示了如何配置 OidcIdTokenDecoderFactory
@Bean
,使其对所有 ClientRegistration
默认使用 MacAlgorithm.HS256
:
-
Java
-
Kotlin
@Bean
public ReactiveJwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
ReactiveOidcIdTokenDecoderFactory idTokenDecoderFactory = new ReactiveOidcIdTokenDecoderFactory();
idTokenDecoderFactory.setJwsAlgorithmResolver(clientRegistration -> MacAlgorithm.HS256);
return idTokenDecoderFactory;
}
@Bean
fun idTokenDecoderFactory(): ReactiveJwtDecoderFactory<ClientRegistration> {
val idTokenDecoderFactory = ReactiveOidcIdTokenDecoderFactory()
idTokenDecoderFactory.setJwsAlgorithmResolver { MacAlgorithm.HS256 }
return idTokenDecoderFactory
}
对于诸如 |
如果为 OpenID Connect 1.0 身份验证配置了多个 |
然后,可以继续配置 logout。