使用 Firebase Auth 在 Spring 中验证 API 请求 [英] Authenticate API Requests in Spring using Firebase Auth
问题描述
我已经使用 Firebase 身份验证令牌 (JWT) 验证对我的 API 的访问,该令牌在 Http 授权标头中作为不记名令牌传递.使用自动配置可以很好地工作.现在我想从身份验证映射到我的数据库中的用户记录.我需要如何调整安全过滤器链?这个配置由spring boot根据docs 并且可以被覆盖:
Im already authenticating access to my API using a Firebase Auth token (JWT) which is passed inside the Http Authorization Header as Bearer token. This works fine using auto configuration. Now I want to map from the authentication to a user record in my DB. How do I need to adapt the security filter chain? This configuration is automatically applied by spring boot according to the docs and can be overridden:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().anyRequest().authenticated()
.and().oauth2ResourceServer().jwt();
}
我正在使用 Firebase 身份验证 UI 解决方案,该解决方案在成功身份验证时提供访问令牌.然后这个令牌被传递给我的 API.
I am using the Firebase Authentication UI drop in solution which provides the access token on a successful authentication. This token then gets passed to my API.
推荐答案
您可能需要做一些事情:
There are a few things you may need to do:
- 编写安全过滤器以调用 FirebaseAuth 来验证不记名令牌.令牌通过身份验证后,将其放入 SecurityContext.类似于:
public class FirebaseFilter extends OncePerRequestFilter {
private static String AUTH_HEADER = "Authorization";
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
String authToken = request.getHeader(AUTH_HEADER).substring(7);
if (!StringUtils.isEmpty(authToken)) {
Authentication auth = getAuthentication(authToken);
SecurityContextHolder.getContext().setAuthentication(auth);
logger.debug("Successfully Authenticated");
}
filterChain.doFilter(request, response);
}
private FirebaseToken verifyIdToken(String idToken) {
if (StringUtils.isEmpty(idToken)) {
throw new IllegalArgumentException("idToken is blank");
}
return FirebaseAuth.getInstance().verifyIdToken(idToken);
}
private Authentication getAuthentication(String idToken) {
FirebaseToken token = verifyIdToken(idToken);
assert token != null;
return new FirebaseAuthenticationToken(token.getUid(), token);
}
}
您将需要一个 UserDetailsService 的实现,我相信您已经拥有了.
You will need an implementation of UserDetailsService, which I believe you already have.
您将需要一个安全提供程序,它从安全上下文中获取身份验证,然后调用 UserDetailsService 来获取您的应用程序可能需要的任何信息.然后更新身份验证对象.类似于:
You will need a security provider which get the authentication from the security context, then call out UserDetailsService to obtain whatever information you may need for your application. Then update the authentication object. Something similar as:
@Component
public class FirebaseAuthenticationProvider implements AuthenticationProvider {
private UserService userService;
@Autowired
public FirebaseAuthenticationProvider(UserService userService) {
this.userService = userService;
}
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
if (!supports(authentication.getClass())) {
return null;
}
UserDetails details = userService.loadUserByUsername(authentication.getPrincipal()
.toString());
FirebaseToken token = (FirebaseToken) authentication.getCredentials();
if (details == null) {
details = userService.registerUser(token);
}
return new FirebaseAuthenticationToken(details, token, details.getAuthorities());
}
public boolean supports(Class<?> authentication) {
return (FirebaseAuthenticationToken.class.isAssignableFrom(authentication));
}
}
希望以上有所帮助.
这篇关于使用 Firebase Auth 在 Spring 中验证 API 请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
