Spring Boot OAuth2 SSO with access/refresh tokens is not stored in a database correctly


Problem description


Based on this example https://spring.io/guides/tutorials/spring-boot-oauth2/ I have implemented an application with SSO through Social Networks. In order to improve this approach and store access/refresh tokens in my database I have added the oauth_client_token table:

    CREATE TABLE IF NOT EXISTS oauth_client_token (
      token_id VARCHAR(255),
      token BLOB,
      authentication_id VARCHAR(255),
      user_name VARCHAR(255),
      client_id VARCHAR(255),
      PRIMARY KEY(authentication_id)
    );


and extended ClientResources class in order to return true from AuthorizationCodeResourceDetails.isClientOnly() method:

    import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
    import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
    import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;

    class ClientResources {

        // Report the client as "client only" so the token provider chain does not
        // insist on an authenticated user when it obtains and stores the token
        private OAuth2ProtectedResourceDetails client = new AuthorizationCodeResourceDetails() {

            @Override
            public boolean isClientOnly() {
                return true;
            }

        };
        private ResourceServerProperties resource = new ResourceServerProperties();

        public OAuth2ProtectedResourceDetails getClient() {
            return client;
        }

        public ResourceServerProperties getResource() {
            return resource;
        }

    }


This is my SSO filter:

    private Filter ssoFilter(ClientResources client, String path) {
        OAuth2ClientAuthenticationProcessingFilter clientFilter = new OAuth2ClientAuthenticationProcessingFilter(path);
        OAuth2RestTemplate oAuth2RestTemplate = new OAuth2RestTemplate(client.getClient(), oauth2ClientContext);

        AccessTokenProviderChain tokenProviderChain = new AccessTokenProviderChain(new ArrayList<>(Arrays.asList(new AuthorizationCodeAccessTokenProvider())));
        tokenProviderChain.setClientTokenServices(new JdbcClientTokenServices(dataSource));
        oAuth2RestTemplate.setAccessTokenProvider(tokenProviderChain);

        clientFilter.setRestTemplate(oAuth2RestTemplate);
        clientFilter.setTokenServices(new OkUserInfoTokenServices(okService, client.getClient().getClientId(), apiUrl, eventService));
        clientFilter.setAuthenticationSuccessHandler(new UrlParameterAuthenticationHandler());
        return clientFilter;
    }


Right now I'm not sure I have implemented this logic in the right way and not as a dirty hack.


Please advise me if I have implemented this thing in a correct way.

Update


I'm sure right now it is not a correct implementation, because for 2 different users in my table oauth_client_token I have only one record. The Auth object is null and authentication_id is calculated only based on the OAuth2 client_id, which is wrong. I need to persist the token when authentication is not null, but I don't know how to do it with the current implementation of OAuth2ClientAuthenticationProcessingFilter.


Right now in the current version of spring-security-oauth2 2.0.8.RELEASE we have only one strange comment inside of OAuth2ClientAuthenticationProcessingFilter.successfulAuthentication method:

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication authResult) throws IOException, ServletException {
        super.successfulAuthentication(request, response, chain, authResult);
        // Nearly a no-op, but if there is a ClientTokenServices then the token will now be stored
        restTemplate.getAccessToken();
    }

How can this be implemented correctly?
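To see why the table ends up with a single row for two users, here is an added Python model (not the question's code and not Spring's own) of the key that JdbcClientTokenServices derives through its default DefaultClientKeyGenerator: when no Authentication is in the SecurityContext at save time, only client_id and scope feed the key, so every user's token lands on the same authentication_id, the last login overwrites the others, and the next lookup under that key hands back whichever user's token was stored last. The exact map rendering, and the names my-client, alice, bob and the token values, are assumptions constructed for the illustration.

```python
import hashlib
from collections import OrderedDict

# Added illustration: models DefaultClientKeyGenerator and the
# oauth_client_token table keyed by authentication_id (assumptions, not Spring's code).


def client_key(client_id, scope, username=None):
    """MD5 of the toString() of a LinkedHashMap holding username (only when an
    Authentication is present), client_id and scope, as DefaultClientKeyGenerator does.
    The exact rendering of the map is an assumption; what matters is which fields contribute."""
    values = OrderedDict()
    if username is not None:  # authentication != null in the Java code
        values["username"] = username
    values["client_id"] = client_id
    if scope:
        values["scope"] = " ".join(scope)
    rendered = "{" + ", ".join(f"{k}={v}" for k, v in values.items()) + "}"
    return hashlib.md5(rendered.encode("utf-8")).hexdigest()


class ClientTokenTable:
    """In-memory model of oauth_client_token with PRIMARY KEY(authentication_id):
    saving under an existing key replaces the earlier row."""

    def __init__(self):
        self.rows = {}

    def save(self, client_id, scope, username, token):
        key = client_key(client_id, scope, username)
        self.rows[key] = {"token": token, "user_name": username, "client_id": client_id}

    def load(self, client_id, scope, username):
        return self.rows.get(client_key(client_id, scope, username))


def simulate(auth_available):
    """Two users log in through the same client (constructed sample data).
    auth_available=False reproduces the question: the filter stores the token while the
    SecurityContext holds no Authentication, so the username never enters the key."""
    table = ClientTokenTable()
    for user, token in (("alice", "tok-A"), ("bob", "tok-B")):
        table.save("my-client", ["read"], user if auth_available else None, token)
    return table


if __name__ == "__main__":
    print(len(simulate(False).rows), "row(s) without Authentication")  # 1
    print(len(simulate(True).rows), "row(s) with Authentication")      # 2
```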

Recommended answer


Found the same issue at GitHub:

https://github.com/spring-projects/spring-security-oauth/issues/498
https://github.com/spring-projects/spring-security-oauth/pull/499
