JavaSpringBootOAuth2:无用户信息端点如何直接在客户端从JWT访问令牌加载身份验证(主体)
我正在设置一个oauth 2.0客户端应用程序,它将用户重定向到外部IDP(授权服务器)进行登录。我的应用程序将执行常规的oauth 2授权码授权流-1)重定向用户以登录。2) 先获取访问码3)使用访问码获取令牌。由于外部IDP仅使用oauth 2进行身份验证,因此他们不会提供用户信息端点url(OIDC提供程序需要)来获取用户详细信息。相反,他们希望我们直接从JWT令牌获得索赔,并在我们的应用程序中进行任何授权。 我无法找到正确的代码/配置,它不需要用户信息端点,而是直接解码jwt以加载身份验证。 在下面的演示代码中,如果我要解码OKTA发布的JWT令牌中的用户详细信息,而不调用其userInfo端点,我该怎么做
我使用的是SpringBoot2。使用spring参考示例social oauth2项目中提供的标准oauth客户机配置发布
如果有人能指引我走上正确的道路,我将不胜感激。谢谢大家!
梯度配置
buildscript {
ext {
springBootVersion = '2.2.0.RELEASE'
}
repositories {
mavenLocal()
mavenCentral()
}
dependencies {
classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}")
}
}
apply plugin: 'java'
apply plugin: 'org.springframework.boot'
sourceCompatibility = 1.8
targetCompatibility = 1.8
repositories {
mavenLocal()
mavenCentral()
}
configurations {
compile.exclude module: 'spring-boot-starter-logging'
}
dependencies {
compile("org.springframework.boot:spring-boot-starter-web:${springBootVersion}")
compile("org.springframework.boot:spring-boot-starter-log4j2:${springBootVersion}")
compile("org.springframework.boot:spring-boot-starter-security:${springBootVersion}")
compile("org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:${springBootVersion}")
compile("org.webjars:jquery:2.1.1")
compile("org.webjars:bootstrap:3.2.0")
compile("org.webjars:webjars-locator-core:0.42")
}
应用程序。yml
github:
client:
clientId: <clientId>
clientSecret: <clientSecret>
accessTokenUri: https://github.com/login/oauth/access_token
userAuthorizationUri: https://github.com/login/oauth/authorize
tokenName: oauth_token
authenticationScheme: query
clientAuthenticationScheme: form
resource:
userInfoUri: https://api.github.com/user
okta:
client:
clientId: <clientId>
clientSecret: <clientSecret>
accessTokenUri: https://<okta-sub-domain>/oauth2/default/v1/token
userAuthorizationUri: https://<okta-sub-domain>/oauth2/default/v1/authorize
scope: openid profile email
resource:
userInfoUri: https://<okta-sub-domain>/oauth2/default/v1/userinfo
OAuth2Config。爪哇
@Configuration
@EnableOAuth2Client
public class Oauth2Config extends WebSecurityConfigurerAdapter {
@Autowired
OAuth2ClientContext oauth2ClientContext;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/**").authorizeRequests()
.antMatchers("/", "/login**", "/webjars/**", "/error**")
.permitAll()
.anyRequest()
.authenticated()
.and().logout().logoutSuccessUrl("/").permitAll()
.and().addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);;
http.csrf().disable();
}
private Filter ssoFilter() {
CompositeFilter filter = new CompositeFilter();
List<Filter> filters = new ArrayList<>();
OAuth2ClientAuthenticationProcessingFilter githubFilter = new OAuth2ClientAuthenticationProcessingFilter("/login/github");
OAuth2RestTemplate githubTemplate = new OAuth2RestTemplate(github(), oauth2ClientContext);
githubFilter.setRestTemplate(githubTemplate);
UserInfoTokenServices tokenServices = new UserInfoTokenServices(githubResource().getUserInfoUri(), github().getClientId());
tokenServices.setRestTemplate(githubTemplate);
githubFilter.setTokenServices(tokenServices);
filters.add(githubFilter);
OAuth2ClientAuthenticationProcessingFilter oktaFilter = new OAuth2ClientAuthenticationProcessingFilter("/login/okta");
OAuth2RestTemplate oktaTemplate = new OAuth2RestTemplate(okta(), oauth2ClientContext);
oktaFilter.setRestTemplate(oktaTemplate);
tokenServices = new UserInfoTokenServices(oktaResource().getUserInfoUri(), okta().getClientId());
tokenServices.setRestTemplate(oktaTemplate);
oktaFilter.setTokenServices(tokenServices);
filters.add(oktaFilter);
filter.setFilters(filters);
return filter;
}
//Client registration
@Bean
@ConfigurationProperties("github.client")
public AuthorizationCodeResourceDetails github() {
return new AuthorizationCodeResourceDetails();
}
//user info endpoints
@Bean
@ConfigurationProperties("github.resource")
public ResourceServerProperties githubResource() {
return new ResourceServerProperties();
}
@Bean
@ConfigurationProperties("okta.client")
public AuthorizationCodeResourceDetails okta() {
return new AuthorizationCodeResourceDetails();
}
@Bean
@ConfigurationProperties("okta.resource")
public ResourceServerProperties oktaResource() {
return new ResourceServerProperties();
}
//For Handling Redirects
@Bean
public FilterRegistrationBean<OAuth2ClientContextFilter> oauth2ClientFilterRegistration(OAuth2ClientContextFilter filter) {
FilterRegistrationBean<OAuth2ClientContextFilter> registration = new FilterRegistrationBean<>();
registration.setFilter(filter);
registration.setOrder(-100);
return registration;
}
}
具有html页面使用的端点的简单控制器
@RestController
public class UserController {
@GetMapping("/user")
public Principal user(Principal principal) {
return principal;
}
}
@SpringBootApplication
public class Oauth2Application {
public static void main(String[] args) {
SpringApplication.run(Oauth2Application.class, args);
}
}
# 1 楼答案
DefaultReactiveOAuth2UserService查找用户信息。我们可以简单地引入一个新的ReactiveOAuth2UserService实现,从令牌获取值,例如:(在您的情况下,可能是非反应性等效物)