What's the right way to separate the Resource Server and the Authorization Server?


Question

Using spring-security-oauth2 to secure my resources against an SSO endpoint that can act as an authorization server. I'm a bit confused when the documentation states:


The provider role in OAuth 2.0 is actually split between Authorization Service and Resource Service, and while these sometimes reside in the same application, with Spring Security OAuth you have the option to split them across two applications, and also to have multiple Resource Services that share an Authorization Service.


But I don't think I have found an example of this happening. In sparklr/tonr the authorization server and the resource server reside in the same application. The only example I've seen from searching is this spring-servlet.xml, which requires this custom implementation of ResourceServerTokenServices to work.


I'd like to avoid writing a custom implementation of ResourceServerTokenServices if at all possible. Is there another way to support an external authorization server in a resource server? Something along the lines of:

<bean class="com.example.ExternalAuthorizationServerTokenServices" 
    p:remote-url="https://my-oauth-compatible-sso.com" 
    p:token-endpoint="/oauth/access_token" 
    p:authorize-endpoint="/oauth/authorize" />

Is this possible?


* I'll add that, as a workaround (or maybe this is the intended solution), I'm using a JDBC token store and relying on the fact that both servers happen to have access to that database.
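Added example (my own code, not from the original post or from the Spring Security OAuth project): the two-application split that the quoted documentation describes, implemented with the library's own RemoteTokenServices so the resource server needs no custom ResourceServerTokenServices. The resource server validates each bearer token by calling the authorization server's /oauth/check_token endpoint with its own client credentials. Assumes spring-security-oauth2 2.x Java config on both sides; the host name, resource id, client id, secret and scope name are placeholders.

```java
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

// ---- Application 1: the authorization server (issues tokens, owns the token store) ----
@Configuration
@EnableAuthorizationServer
class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private DataSource dataSource; // assumption: a DataSource bean with the oauth_* tables

    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // Placeholder credentials the resource server presents to /oauth/check_token.
            // With Spring Security 5 the secret must go through a PasswordEncoder.
            .withClient("resource-server")
            .secret("change-me")
            .authorizedGrantTypes("client_credentials")
            .scopes("read");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore());
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // /oauth/check_token is denyAll() by default. Open it only to authenticated
        // clients: an anonymous introspection endpoint lets anyone test whether a
        // captured token is still live and which scopes it carries.
        security.checkTokenAccess("isAuthenticated()");
    }
}

// ---- Application 2: a resource server with no local token store at all ----
@Configuration
@EnableResourceServer
class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Bean
    public ResourceServerTokenServices tokenServices() {
        // Shipped with spring-security-oauth2; calls the remote check_token endpoint
        // and builds the OAuth2Authentication from its JSON response.
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl("https://my-oauth-compatible-sso.com/oauth/check_token"); // placeholder
        services.setClientId("resource-server");
        services.setClientSecret("change-me");
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("orders-api").tokenServices(tokenServices());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Enforce scope on the resource server side; the authorization server only
        // reports what the token carries.
        http.authorizeRequests()
            .antMatchers("/api/**").access("#oauth2.hasScope('read')")
            .anyRequest().denyAll();
    }
}
```

The shared-database route from the question also works without custom code: on the resource server call `resources.tokenStore(new JdbcTokenStore(dataSource))` instead of `tokenServices(...)`, and the built-in DefaultTokenServices reads tokens straight from the oauth_access_token table. If you go that way, give each resource server a database account with read-only access to the token tables; a resource server that can write to the store can mint or extend tokens for every other resource server that trusts it. Either way, use HTTPS for the check_token call and keep the check_token client secret out of source control.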

Answer


For anyone who might be interested, there is also another example of separating the authentication server and the resource server here: https://github.com/sharmaritesh/spring-angularjs-oauth2-sample

