Spring Security OAuth 2.0 - client secret always required for authorization code grant


Problem description

According to the spec, requests for a token using the authorization code grant are not required to be authenticated as long as the client_id is included in the request and the client_id is the same one used to generate the code. However, with the Spring Security OAuth 2.0 implementation, it appears that basic auth is always required on the /oauth/token endpoint even if the client was never assigned a secret.

It looks like there is support for allowing clients without a secret due to the isSecretRequired() method in the ClientDetails interface. What do I need to do to enable clients without a secret to be authenticated at the /oauth/token URL?

4.1.3. Access Token Request

The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body:

grant_type REQUIRED. Value MUST be set to "authorization_code".

code REQUIRED. The authorization code received from the authorization server.

redirect_uri REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.

client_id REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.

If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.

Recommended answer

Authenticating the client using the form parameters instead of basic auth is enabled using the allowFormAuthenticationForClients() method as shown in the code sample below.

import org.springframework.context.annotation.Configuration
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer

// Groovy configuration class; the annotations make Spring pick it up as the authorization server config
@Configuration
@EnableAuthorizationServer
class AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {

    @Override
    void configure(AuthorizationServerSecurityConfigurer security) {
        security
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                // registers ClientCredentialsTokenEndpointFilter so client_id/client_secret
                // can be sent as form parameters instead of HTTP Basic
                .allowFormAuthenticationForClients()
    }
}

The allowFormAuthenticationForClients() method triggers the addition of the ClientCredentialsTokenEndpointFilter which allows for authentication via form parameters.
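As an added example that is not part of the original answer, the following Java configuration for Spring Security OAuth 2.x shows the two halves that have to go together: registering a client without a secret (so isSecretRequired() is false) next to a confidential one, and enabling form authentication on /oauth/token. The client ids, redirect URIs and secret placeholder are constructed values, and it assumes Spring Security 5 with the delegating PasswordEncoder.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

/**
 * Registers one confidential client (has a secret) and one public client
 * (no secret, so isSecretRequired() is false) and lets both authenticate
 * to /oauth/token with form parameters instead of HTTP Basic.
 */
@Configuration
@EnableAuthorizationServer
public class PublicClientAuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // Confidential client; the secret value is a placeholder.
            .withClient("web-backend")
                .secret("{noop}replace-with-real-secret")
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .redirectUris("https://backend.example.com/login/callback")
                .scopes("read")
            .and()
            // Public client: no .secret(...) call, so BaseClientDetails.isSecretRequired()
            // returns false and the form filter accepts an empty client_secret.
            // client_id alone is not a credential, so pin the grant type and redirect URI.
            .withClient("spa-client")
                .authorizedGrantTypes("authorization_code")
                .redirectUris("https://spa.example.com/callback")
                .scopes("read");
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            // Needed on Spring Security 5 so the empty secret of the public client
            // is encoded and matched the same way as the "{noop}..." secret.
            .passwordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder())
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()")
            // Without this, /oauth/token only accepts HTTP Basic and a request
            // carrying just client_id=spa-client in the body is rejected with 401.
            .allowFormAuthenticationForClients();
    }
}
```

With this in place, a token request for spa-client sends grant_type, code, redirect_uri and client_id in the form body and no Authorization header, while web-backend must still present its secret.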

