Core Configuration

Spring Boot 2.x Sample

Spring Boot 2.x 为 OAuth 2.0 登录带来了全自动配置功能。

本部分展示了如何通过使用 _Google_作为 _Authentication Provider_来配置 OAuth 2.0 Login WebFlux sample,并涵盖以下主题:

Initial Setup

要使用 Google 的 OAuth 2.0 身份验证系统进行登录,你必须在 Google API 控制台中设置一个项目才能获得 OAuth 2.0 凭据。

符合 OpenID Connect 1.0规范的 Google’s OAuth 2.0 implementation用于认证,并且是 OpenID Certified

从 “Setting up OAuth 2.0” 部分开始,按照 OpenID Connect 页面上的说明进行操作。

完成 “Obtain OAuth 2.0 credentials” 说明后,你应该有了凭证(其中包含客户端 ID 和客户端密钥)的新 OAuth 客户端。

Setting the Redirect URI

重定向 URI 是应用程序中以下路径:在他们通过 Google 认证并在同意页面上被授予对 OAuth 客户端 (created in the previous step) 的访问权限后,将用户代理重定向回该路径。

在 “Set a redirect URI” 小节中,确保将 Authorized redirect URIs 字段设为 http://localhost:8080/login/oauth2/code/google

默认重定向 URI 模板是 {baseUrl}/login/oauth2/code/{registrationId}registrationIdClientRegistration 的唯一标识符。对于我们的示例,registrationIdgoogle

如果 OAuth 客户端在代理服务器后运行,建议检查 Proxy Server Configuration,以确保应用程序配置正确。同时,请参阅 redirect-uri`支持的 `URI template variables

Configure application.yml

现在,你已拥有新的与 Google 相关的 OAuth 客户端,你需要配置应用程序以使用 OAuth 客户端进行 authentication flow。若要执行此操作,请执行以下操作:

  1. 转到 `application.yml`并设置以下配置:.OAuth Client properties

spring:
  security:
    oauth2:
      client:
        registration:	1
          google:	2
            client-id: google-client-id
            client-secret: google-client-secret
1 `spring.security.oauth2.client.registration`是 OAuth Client 属性的基本属性前缀。
2 在基本属性前缀后面是 ClientRegistration的 ID,例如 google。

  1. 使用您之前创建的 OAuth 2.0 凭证替换 `client-id`和 `client-secret`属性中的值。

Boot the Application

启动 Spring Boot 2.x 示例并转到 http://localhost:8080。然后你会被重定向到默认 auto-generated 登录页面,其中显示一个适用于 Google 的链接。

点击 Google 链接,然后你将被重定向到 Google 进行身份验证。

使用你的 Google 帐户凭证进行身份验证之后,会显示给你下一页,即同意屏幕。同意屏幕要求你允许或拒绝访问你之前创建的 OAuth 客户端。单击 Allow 以授权 OAuth 客户端访问你的电子邮件地址和基本个人资料信息。

此时,OAuth 客户端从 UserInfo Endpoint 中检索你的电子邮件地址和基本个人资料,并建立经过验证的会话。

Spring Boot 2.x Property Mappings

下表概述了 Spring Boot 2.x OAuth 客户端属性到 ClientRegistration属性的映射。

Spring Boot 2.x ClientRegistration

spring.security.oauth2.client.registration.[registrationId]

registrationId

spring.security.oauth2.client.registration.[registrationId].client-id

clientId

spring.security.oauth2.client.registration.[registrationId].client-secret

clientSecret

spring.security.oauth2.client.registration.[registrationId].client-authentication-method

clientAuthenticationMethod

spring.security.oauth2.client.registration.[registrationId].authorization-grant-type

authorizationGrantType

spring.security.oauth2.client.registration.[registrationId].redirect-uri

redirectUri

spring.security.oauth2.client.registration.[registrationId].scope

scopes

spring.security.oauth2.client.registration.[registrationId].client-name

clientName

spring.security.oauth2.client.provider.[providerId].authorization-uri

providerDetails.authorizationUri

spring.security.oauth2.client.provider.[providerId].token-uri

providerDetails.tokenUri

spring.security.oauth2.client.provider.[providerId].jwk-set-uri

providerDetails.jwkSetUri

spring.security.oauth2.client.provider.[providerId].issuer-uri

providerDetails.issuerUri

spring.security.oauth2.client.provider.[providerId].user-info-uri

providerDetails.userInfoEndpoint.uri

spring.security.oauth2.client.provider.[providerId].user-info-authentication-method

providerDetails.userInfoEndpoint.authenticationMethod

spring.security.oauth2.client.provider.[providerId].user-name-attribute

providerDetails.userInfoEndpoint.userNameAttributeName

可以通过指定 spring.security.oauth2.client.provider.[providerId].issuer-uri 属性,使用对 OpenID Connect 提供程序的 Configuration endpoint 或授权服务器的 Metadata endpoint 的发现来初始配置 ClientRegistration

CommonOAuth2Provider

CommonOAuth2Provider 为许多知名提供商(包括 Google、GitHub、Facebook 和 Okta)预定义了一组默认客户端属性。

例如,authorization-uritoken-uriuser-info-uri 对于提供程序而言不常更改。因此,为了减少所需的配置,提供默认值是有意义的。

如下所示,当我们 configured a Google client 时,只需要 client-idclient-secret 属性。

下面的清单显示了一个示例:

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: google-client-id
            client-secret: google-client-secret

客户端属性的自动默认值在这里正常工作,因为 issuer-uri (google) 与 CommonOAuth2Provider 中的 issuer enum (不区分大小写) 匹配。

对于可能希望指定不同的 registrationId(例如 google-login)的情况,你仍可以通过配置 provider 属性来利用客户端属性的自动默认值。

下面的清单显示了一个示例:

spring:
  security:
    oauth2:
      client:
        registration:
          google-login:	1
            provider: google	2
            client-id: google-client-id
            client-secret: google-client-secret
1 registrationId`设置为 `google-login
2 provider`属性设置为 `google,这将利用 `CommonOAuth2Provider.GOOGLE.getBuilder()`中设置的 Client 属性的自动默认设定。

Configuring Custom Provider Properties

有一些支持多租户的 OAuth 2.0 提供程序,这会导致每个租户(或子域)具有不同的协议端点。

例如,注册到 Okta 的 OAuth 客户端被分配到特定的子域,并有自己的协议端点。

针对这些情况,Spring Boot 2.x 为配置自定义提供程序属性提供了以下基本属性: spring.security.oauth2.client.provider.[providerId]

下面的清单显示了一个示例:

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
        provider:
          okta:	1
            authorization-uri: https://your-subdomain.oktapreview.com/oauth2/v1/authorize
            token-uri: https://your-subdomain.oktapreview.com/oauth2/v1/token
            user-info-uri: https://your-subdomain.oktapreview.com/oauth2/v1/userinfo
            user-name-attribute: sub
            jwk-set-uri: https://your-subdomain.oktapreview.com/oauth2/v1/keys
1 基本属性 (spring.security.oauth2.client.provider.okta) 允许自定义协议端点位置。

Overriding Spring Boot 2.x Auto-configuration

Spring Boot 2.x OAuth 客户端支持的自动配置类是 ReactiveOAuth2ClientAutoConfiguration

它执行以下任务:

  • 注册由配置的 OAuth 客户端属性组成的 ReactiveClientRegistrationRepository @Bean

  • 注册 SecurityWebFilterChain `@Bean`并通过 `serverHttpSecurity.oauth2Login()`启用 OAuth 2.0 登录。

如果您需要根据您的特定要求覆盖自动配置,您可通过以下方式进行:

Register a ReactiveClientRegistrationRepository @Bean

以下示例演示如何注册 ReactiveClientRegistrationRepository @Bean

  • Java

  • Kotlin

@Configuration
public class OAuth2LoginConfig {

	@Bean
	public ReactiveClientRegistrationRepository clientRegistrationRepository() {
		return new InMemoryReactiveClientRegistrationRepository(this.googleClientRegistration());
	}

	private ClientRegistration googleClientRegistration() {
		return ClientRegistration.withRegistrationId("google")
				.clientId("google-client-id")
				.clientSecret("google-client-secret")
				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
				.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
				.scope("openid", "profile", "email", "address", "phone")
				.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
				.tokenUri("https://www.googleapis.com/oauth2/v4/token")
				.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
				.userNameAttributeName(IdTokenClaimNames.SUB)
				.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
				.clientName("Google")
				.build();
	}
}
@Configuration
class OAuth2LoginConfig {

    @Bean
    fun clientRegistrationRepository(): ReactiveClientRegistrationRepository {
        return InMemoryReactiveClientRegistrationRepository(googleClientRegistration())
    }

    private fun googleClientRegistration(): ClientRegistration {
        return ClientRegistration.withRegistrationId("google")
                .clientId("google-client-id")
                .clientSecret("google-client-secret")
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid", "profile", "email", "address", "phone")
                .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
                .tokenUri("https://www.googleapis.com/oauth2/v4/token")
                .userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
                .userNameAttributeName(IdTokenClaimNames.SUB)
                .jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
                .clientName("Google")
                .build()
    }
}

Register a SecurityWebFilterChain @Bean

以下示例演示如何注册带有 @EnableWebFluxSecuritySecurityWebFilterChain @Bean,并通过 serverHttpSecurity.oauth2Login() 启用 OAuth 2.0 登录:

OAuth2 Login Configuration

  • Java

  • Kotlin

@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {

	@Bean
	public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
		http
			.authorizeExchange(authorize -> authorize
				.anyExchange().authenticated()
			)
			.oauth2Login(withDefaults());

		return http.build();
	}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {

    @Bean
    fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        http {
            authorizeExchange {
                authorize(anyExchange, authenticated)
            }
            oauth2Login { }
        }

        return http.build()
    }
}

Completely Override the Auto-configuration

以下示例演示如何通过注册 ReactiveClientRegistrationRepository @BeanSecurityWebFilterChain @Bean 来完全覆盖自动配置。

Overriding the auto-configuration

  • Java

  • Kotlin

@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginConfig {

	@Bean
	public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
		http
			.authorizeExchange(authorize -> authorize
				.anyExchange().authenticated()
			)
			.oauth2Login(withDefaults());

		return http.build();
	}

	@Bean
	public ReactiveClientRegistrationRepository clientRegistrationRepository() {
		return new InMemoryReactiveClientRegistrationRepository(this.googleClientRegistration());
	}

	private ClientRegistration googleClientRegistration() {
		return ClientRegistration.withRegistrationId("google")
				.clientId("google-client-id")
				.clientSecret("google-client-secret")
				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
				.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
				.scope("openid", "profile", "email", "address", "phone")
				.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
				.tokenUri("https://www.googleapis.com/oauth2/v4/token")
				.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
				.userNameAttributeName(IdTokenClaimNames.SUB)
				.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
				.clientName("Google")
				.build();
	}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginConfig {

    @Bean
    fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        http {
            authorizeExchange {
                authorize(anyExchange, authenticated)
            }
            oauth2Login { }
        }

        return http.build()
    }

    @Bean
    fun clientRegistrationRepository(): ReactiveClientRegistrationRepository {
        return InMemoryReactiveClientRegistrationRepository(googleClientRegistration())
    }

    private fun googleClientRegistration(): ClientRegistration {
        return ClientRegistration.withRegistrationId("google")
                .clientId("google-client-id")
                .clientSecret("google-client-secret")
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid", "profile", "email", "address", "phone")
                .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
                .tokenUri("https://www.googleapis.com/oauth2/v4/token")
                .userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
                .userNameAttributeName(IdTokenClaimNames.SUB)
                .jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
                .clientName("Google")
                .build()
    }
}

Java Configuration without Spring Boot 2.x

如果您无法使用 Spring Boot 2.x,并且想要在 CommonOAuth2Provider 中配置一个预定义的提供程序(例如,Google),请应用以下配置:

OAuth2 Login Configuration

  • Java

  • Kotlin

@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginConfig {

	@Bean
	public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
		http
			.authorizeExchange(authorize -> authorize
				.anyExchange().authenticated()
			)
			.oauth2Login(withDefaults());

		return http.build();
	}

	@Bean
	public ReactiveClientRegistrationRepository clientRegistrationRepository() {
		return new InMemoryReactiveClientRegistrationRepository(this.googleClientRegistration());
	}

	@Bean
	public ReactiveOAuth2AuthorizedClientService authorizedClientService(
			ReactiveClientRegistrationRepository clientRegistrationRepository) {
		return new InMemoryReactiveOAuth2AuthorizedClientService(clientRegistrationRepository);
	}

	@Bean
	public ServerOAuth2AuthorizedClientRepository authorizedClientRepository(
			ReactiveOAuth2AuthorizedClientService authorizedClientService) {
		return new AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository(authorizedClientService);
	}

	private ClientRegistration googleClientRegistration() {
		return CommonOAuth2Provider.GOOGLE.getBuilder("google")
				.clientId("google-client-id")
				.clientSecret("google-client-secret")
				.build();
	}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginConfig {

    @Bean
    fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        http {
            authorizeExchange {
                authorize(anyExchange, authenticated)
            }
            oauth2Login { }
        }

        return http.build()
    }

    @Bean
    fun clientRegistrationRepository(): ReactiveClientRegistrationRepository {
        return InMemoryReactiveClientRegistrationRepository(googleClientRegistration())
    }

    @Bean
    fun authorizedClientService(
        clientRegistrationRepository: ReactiveClientRegistrationRepository
    ): ReactiveOAuth2AuthorizedClientService {
        return InMemoryReactiveOAuth2AuthorizedClientService(clientRegistrationRepository)
    }

    @Bean
    fun authorizedClientRepository(
        authorizedClientService: ReactiveOAuth2AuthorizedClientService
    ): ServerOAuth2AuthorizedClientRepository {
        return AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository(authorizedClientService)
    }

    private fun googleClientRegistration(): ClientRegistration {
        return CommonOAuth2Provider.GOOGLE.getBuilder("google")
                .clientId("google-client-id")
                .clientSecret("google-client-secret")
                .build()
    }
}