Core Configuration
Spring Boot 2.x Sample
Spring Boot 2.x 为 OAuth 2.0 登录带来了全自动配置功能。
Spring Boot 2.x brings full auto-configuration capabilities for OAuth 2.0 Login.
此部分展示了如何使用 Google 作为 Authentication Provider 来配置 OAuth 2.0 Login sample ,并且涵盖了以下主题:
This section shows how to configure the OAuth 2.0 Login sample by using Google as the Authentication Provider and covers the following topics:
Initial Setup
要使用 Google 的 OAuth 2.0 身份验证系统进行登录,你必须在 Google API 控制台中设置一个项目才能获得 OAuth 2.0 凭据。
To use Google’s OAuth 2.0 authentication system for login, you must set up a project in the Google API Console to obtain OAuth 2.0 credentials.
|
用于验证的 Google’s OAuth 2.0 implementation 符合 OpenID Connect 1.0 规范,并且是 OpenID certified。 Google’s OAuth 2.0 implementation for authentication conforms to the OpenID Connect 1.0 specification and is OpenID certified. |
从 “Setting up OAuth 2.0” 部分开始,按照 OpenID Connect 页面上的说明进行操作。
Follow the instructions on the OpenID Connect page, starting in the “Setting up OAuth 2.0” section.
完成 “Obtain OAuth 2.0 credentials” 说明后,你应该拥有包含一个客户端 ID 和一个客户端密钥的新 OAuth 客户端。
After completing the “Obtain OAuth 2.0 credentials” instructions, you should have new OAuth Client with credentials consisting of a Client ID and a Client Secret.
Setting the Redirect URI
重定向 URI 是应用程序中的路径,在最终用户使用他们的用户代理通过身份验证并授予了同意页面上的 OAuth 客户端 (created in the previous step) 访问权限后,他们会被重定向回该路径。
The redirect URI is the path in the application that the end-user’s user-agent is redirected back to after they have authenticated with Google and have granted access to the OAuth Client (oauth2login-sample-initial-setup) on the Consent page.
在 “Set a redirect URI” 子部分中,确保将 Authorized redirect URIs 字段设置为 http://localhost:8080/login/oauth2/code/google。
In the “Set a redirect URI” subsection, ensure that the Authorized redirect URIs field is set to http://localhost:8080/login/oauth2/code/google.
|
默认重定向 URI 模板为 The default redirect URI template is |
如果 OAuth 客户端在代理服务器后面运行,则应检查 Proxy Server Configuration,以确保应用程序配置正确。此外,请查看 redirect-uri 支持的 URI template variables。
If the OAuth Client runs behind a proxy server, you should check the Proxy Server Configuration to ensure the application is correctly configured.
Also, see the supported URI template variables for redirect-uri.
Configure application.yml
现在,你已拥有新的与 Google 相关的 OAuth 客户端,你需要配置应用程序以使用 OAuth 客户端进行 authentication flow。若要执行此操作,请执行以下操作:
Now that you have a new OAuth Client with Google, you need to configure the application to use the OAuth Client for the authentication flow. To do so:
-
Go to
application.ymland set the following configuration:[source, yaml]
spring:
security:
oauth2:
client:
registration: 1
google: 2
client-id: google-client-id
client-secret: google-client-secret
| 1 | spring.security.oauth2.client.registration is the base property prefix for OAuth Client properties. |
| 2 | Following the base property prefix is the ID for the ClientRegistration, such as Google.
|
Boot up the Application
启动 Spring Boot 2.x 示例并转到 http://localhost:8080。然后你会被重定向到默认 auto-generated 登录页面,其中显示一个适用于 Google 的链接。
Launch the Spring Boot 2.x sample and go to http://localhost:8080.
You are then redirected to the default auto-generated login page, which displays a link for Google.
点击 Google 链接,然后你将被重定向到 Google 进行身份验证。
Click on the Google link, and you are then redirected to Google for authentication.
通过 Google 帐户凭据进行身份验证后,你会看到同意屏幕。同意屏幕会要求你允许或拒绝你之前创建的 OAuth 客户端访问权限。点击 Allow 以授权 OAuth 客户端访问你的电子邮件地址和基本个人资料信息。
After authenticating with your Google account credentials, you see the Consent screen. The Consent screen asks you to either allow or deny access to the OAuth Client you created earlier. Click Allow to authorize the OAuth Client to access your email address and basic profile information.
此时,OAuth 客户端从 UserInfo Endpoint 中检索你的电子邮件地址和基本个人资料,并建立经过验证的会话。
At this point, the OAuth Client retrieves your email address and basic profile information from the UserInfo Endpoint and establishes an authenticated session.
Spring Boot 2.x Property Mappings
下表概述了 Spring Boot 2.x OAuth 客户端属性到 ClientRegistration 属性的映射。
The following table outlines the mapping of the Spring Boot 2.x OAuth Client properties to the ClientRegistration properties.
| Spring Boot 2.x | ClientRegistration |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
你最初可以通过发现 OpenID Connect 提供程序的 Configuration endpoint 或授权服务器的 Metadata endpoint,并指定 You can initially configure a |
CommonOAuth2Provider
CommonOAuth2Provider 为许多知名提供商(包括 Google、GitHub、Facebook 和 Okta)预定义了一组默认客户端属性。
CommonOAuth2Provider pre-defines a set of default client properties for a number of well known providers: Google, GitHub, Facebook, and Okta.
例如,提供商的 authorization-uri、token-uri 和 user-info-uri 不会经常发生变化。因此,提供默认值是合理的,可减少所需的配置。
For example, the authorization-uri, token-uri, and user-info-uri do not change often for a provider.
Therefore, it makes sense to provide default values, to reduce the required configuration.
如前所述,在我们 configured a Google client 时,只需要 client-id 和 client-secret 属性。
As demonstrated previously, when we oauth2login-sample-application-config, only the client-id and client-secret properties are required.
下面的清单显示了一个示例:
The following listing shows an example:
spring:
security:
oauth2:
client:
registration:
google:
client-id: google-client-id
client-secret: google-client-secret|
客户端属性的自动默认值在这里正常工作,因为 |
|
The auto-defaulting of client properties works seamlessly here because the |
对于可能希望指定不同的 registrationId(例如 google-login)的情况,你仍可以通过配置 provider 属性来利用客户端属性的自动默认值。
For cases where you may want to specify a different registrationId, such as google-login, you can still leverage auto-defaulting of client properties by configuring the provider property.
下面的清单显示了一个示例:
The following listing shows an example:
spring:
security:
oauth2:
client:
registration:
google-login: 1
provider: google 2
client-id: google-client-id
client-secret: google-client-secret| 1 | The registrationId is set to google-login. |
| 2 | The provider property is set to google, which will leverage the auto-defaulting of client properties set in CommonOAuth2Provider.GOOGLE.getBuilder(). |
Configuring Custom Provider Properties
有一些支持多租户的 OAuth 2.0 提供程序,这会导致每个租户(或子域)具有不同的协议端点。
There are some OAuth 2.0 Providers that support multi-tenancy, which results in different protocol endpoints for each tenant (or sub-domain).
例如,注册到 Okta 的 OAuth 客户端被分配到特定的子域,并有自己的协议端点。
For example, an OAuth Client registered with Okta is assigned to a specific sub-domain and have their own protocol endpoints.
针对这些情况,Spring Boot 2.x 为配置自定义提供程序属性提供了以下基本属性: spring.security.oauth2.client.provider.[providerId]。
For these cases, Spring Boot 2.x provides the following base property for configuring custom provider properties: spring.security.oauth2.client.provider.[providerId].
下面的清单显示了一个示例:
The following listing shows an example:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
provider:
okta: 1
authorization-uri: https://your-subdomain.oktapreview.com/oauth2/v1/authorize
token-uri: https://your-subdomain.oktapreview.com/oauth2/v1/token
user-info-uri: https://your-subdomain.oktapreview.com/oauth2/v1/userinfo
user-name-attribute: sub
jwk-set-uri: https://your-subdomain.oktapreview.com/oauth2/v1/keys| 1 | The base property (spring.security.oauth2.client.provider.okta) allows for custom configuration of protocol endpoint locations. |
Overriding Spring Boot 2.x Auto-configuration
OAuth 客户端支持的 Spring Boot 2.x 自动配置类是 OAuth2ClientAutoConfiguration。
The Spring Boot 2.x auto-configuration class for OAuth Client support is OAuth2ClientAutoConfiguration.
它执行以下任务:
It performs the following tasks:
-
Registers a
ClientRegistrationRepository@Beancomposed ofClientRegistration(s) from the configured OAuth Client properties. -
Registers a
SecurityFilterChain@Beanand enables OAuth 2.0 Login throughhttpSecurity.oauth2Login().
如果您需要根据您的特定要求覆盖自动配置,您可通过以下方式进行:
If you need to override the auto-configuration based on your specific requirements, you may do so in the following ways:
Register a ClientRegistrationRepository @Bean
以下示例显示如何注册 ClientRegistrationRepository @Bean:
The following example shows how to register a ClientRegistrationRepository @Bean:
-
Java
-
Kotlin
@Configuration
public class OAuth2LoginConfig {
@Bean
public ClientRegistrationRepository clientRegistrationRepository() {
return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
}
private ClientRegistration googleClientRegistration() {
return ClientRegistration.withRegistrationId("google")
.clientId("google-client-id")
.clientSecret("google-client-secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
.scope("openid", "profile", "email", "address", "phone")
.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
.tokenUri("https://www.googleapis.com/oauth2/v4/token")
.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
.userNameAttributeName(IdTokenClaimNames.SUB)
.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
.clientName("Google")
.build();
}
}@Configuration
class OAuth2LoginConfig {
@Bean
fun clientRegistrationRepository(): ClientRegistrationRepository {
return InMemoryClientRegistrationRepository(googleClientRegistration())
}
private fun googleClientRegistration(): ClientRegistration {
return ClientRegistration.withRegistrationId("google")
.clientId("google-client-id")
.clientSecret("google-client-secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
.scope("openid", "profile", "email", "address", "phone")
.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
.tokenUri("https://www.googleapis.com/oauth2/v4/token")
.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
.userNameAttributeName(IdTokenClaimNames.SUB)
.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
.clientName("Google")
.build()
}
}Register a SecurityFilterChain @Bean
以下示例显示如何注册 SecurityFilterChain @Bean 并通过 @EnableWebSecurity 启用 OAuth 2.0 登录:
The following example shows how to register a SecurityFilterChain @Bean with @EnableWebSecurity and enable OAuth 2.0 login through httpSecurity.oauth2Login():
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.oauth2Login(withDefaults());
return http.build();
}
}@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorize(anyRequest, authenticated)
}
oauth2Login { }
}
return http.build()
}
}Completely Override the Auto-configuration
以下示例显示如何通过注册 ClientRegistrationRepository @Bean 和 SecurityFilterChain @Bean 来完全覆盖自动配置。
The following example shows how to completely override the auto-configuration by registering a ClientRegistrationRepository @Bean and a SecurityFilterChain @Bean.
-
Java
-
Kotlin
@Configuration
public class OAuth2LoginConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public ClientRegistrationRepository clientRegistrationRepository() {
return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
}
private ClientRegistration googleClientRegistration() {
return ClientRegistration.withRegistrationId("google")
.clientId("google-client-id")
.clientSecret("google-client-secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
.scope("openid", "profile", "email", "address", "phone")
.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
.tokenUri("https://www.googleapis.com/oauth2/v4/token")
.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
.userNameAttributeName(IdTokenClaimNames.SUB)
.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
.clientName("Google")
.build();
}
}@Configuration
class OAuth2LoginConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorize(anyRequest, authenticated)
}
oauth2Login { }
}
return http.build()
}
@Bean
fun clientRegistrationRepository(): ClientRegistrationRepository {
return InMemoryClientRegistrationRepository(googleClientRegistration())
}
private fun googleClientRegistration(): ClientRegistration {
return ClientRegistration.withRegistrationId("google")
.clientId("google-client-id")
.clientSecret("google-client-secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
.scope("openid", "profile", "email", "address", "phone")
.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
.tokenUri("https://www.googleapis.com/oauth2/v4/token")
.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
.userNameAttributeName(IdTokenClaimNames.SUB)
.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
.clientName("Google")
.build()
}
}Java Configuration without Spring Boot 2.x
如果您无法使用 Spring Boot 2.x,并且想要在 CommonOAuth2Provider 中配置一个预定义的提供程序(例如,Google),请应用以下配置:
If you are not able to use Spring Boot 2.x and would like to configure one of the pre-defined providers in CommonOAuth2Provider (for example, Google), apply the following configuration:
-
Java
-
Kotlin
-
Xml
@Configuration
@EnableWebSecurity
public class OAuth2LoginConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public ClientRegistrationRepository clientRegistrationRepository() {
return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
}
@Bean
public OAuth2AuthorizedClientService authorizedClientService(
ClientRegistrationRepository clientRegistrationRepository) {
return new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository);
}
@Bean
public OAuth2AuthorizedClientRepository authorizedClientRepository(
OAuth2AuthorizedClientService authorizedClientService) {
return new AuthenticatedPrincipalOAuth2AuthorizedClientRepository(authorizedClientService);
}
private ClientRegistration googleClientRegistration() {
return CommonOAuth2Provider.GOOGLE.getBuilder("google")
.clientId("google-client-id")
.clientSecret("google-client-secret")
.build();
}
}@Configuration
@EnableWebSecurity
open class OAuth2LoginConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeRequests {
authorize(anyRequest, authenticated)
}
oauth2Login { }
}
return http.build()
}
@Bean
open fun clientRegistrationRepository(): ClientRegistrationRepository {
return InMemoryClientRegistrationRepository(googleClientRegistration())
}
@Bean
open fun authorizedClientService(
clientRegistrationRepository: ClientRegistrationRepository?
): OAuth2AuthorizedClientService {
return InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository)
}
@Bean
open fun authorizedClientRepository(
authorizedClientService: OAuth2AuthorizedClientService?
): OAuth2AuthorizedClientRepository {
return AuthenticatedPrincipalOAuth2AuthorizedClientRepository(authorizedClientService)
}
private fun googleClientRegistration(): ClientRegistration {
return CommonOAuth2Provider.GOOGLE.getBuilder("google")
.clientId("google-client-id")
.clientSecret("google-client-secret")
.build()
}
}<http auto-config="true">
<intercept-url pattern="/**" access="authenticated"/>
<oauth2-login authorized-client-repository-ref="authorizedClientRepository"/>
</http>
<client-registrations>
<client-registration registration-id="google"
client-id="google-client-id"
client-secret="google-client-secret"
provider-id="google"/>
</client-registrations>
<b:bean id="authorizedClientService"
class="org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService"
autowire="constructor"/>
<b:bean id="authorizedClientRepository"
class="org.springframework.security.oauth2.client.web.AuthenticatedPrincipalOAuth2AuthorizedClientRepository">
<b:constructor-arg ref="authorizedClientService"/>
</b:bean>