JWT with Spring OAuth2
Question
I have created a Spring Authorization Server which issues JWTs and a Resource Server which checks the JWT, its claims and permissions against the Authorization Server. To do so, I have followed this article.
My question is why I need to send the Authorization header with HTTP Basic authorization and a Base64-encoded username/password (ClientId:ClientSecret) in the get-token request? I have seen JWT implementations where only username and password are required.
Recommended answer
It is part of the specification, see RFC 6749:
2.3 Client Authentication
If the client type is confidential, the client and authorization server establish a client authentication method suitable for the security requirements of the authorization server. The authorization server MAY accept any form of client authentication meeting its security requirements.
Confidential clients are typically issued (or establish) a set of client credentials used for authenticating with the authorization server (e.g., password, public/private key pair).
The authorization server MAY establish a client authentication method with public clients. However, the authorization server MUST NOT rely on public client authentication for the purpose of identifying the client.
The client MUST NOT use more than one authentication method in each request.
By default Spring Security OAuth 2.0 protects the token endpoint, see the OAuth 2 Developers Guide:
The token endpoint is protected for you by default by Spring OAuth in the @Configuration support using HTTP Basic authentication of the client secret.
But it seems that you can disable the client authentication:
- Spring Security OAuth 2.0 - authorization code grant always requires a client secret
- Is it possible to get an access_token from a Spring OAuth2 server without a client secret?
- Spring Security OAuth 2.0 without client_secret
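To make the two RFC 6749 rules quoted in the answer concrete, here is an added Python example (not Spring's code and not from the original post) that shows both sides of the token request: how a confidential client builds the `Authorization: Basic` header from `client_id:client_secret` (RFC 6749 §2.3.1 requires both values to be form-url-encoded before the Base64 step), and how an authorization server checks it, rejecting requests that carry both a Basic header and a `client_secret` form parameter, since the spec forbids more than one client authentication method per request. The client id, secret, the `registry` dict and the helper names are constructed for the illustration.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote

# Constructed sample client credentials (placeholders, not from the page).
CLIENT_ID = "my-trusted-client"
CLIENT_SECRET = "s3cr3t:with/odd chars"  # deliberately contains ':' '/' and a space


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client side: build the Authorization header for the token endpoint.

    RFC 6749 §2.3.1: client_id and client_secret are each
    application/x-www-form-urlencoded, then joined with ':' and Base64-encoded.
    The percent-encoding is what keeps a ':' inside the secret unambiguous.
    """
    user = quote(client_id, safe="")
    password = quote(client_secret, safe="")
    token = base64.b64encode(f"{user}:{password}".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def build_token_request(username: str, password: str) -> Dict[str, Dict[str, str]]:
    """Client side: a password-grant token request with HTTP Basic client auth.

    The resource owner's username/password travel in the form body; the
    client's own credentials travel only in the Authorization header.
    """
    return {
        "headers": {
            "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "form": {"grant_type": "password", "username": username, "password": password},
    }


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: recover (client_id, client_secret) from a Basic header.

    Returns None when the header is missing, uses another scheme, or is malformed.
    """
    if not header:
        return None
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return unquote(user), unquote(password)


def authenticate_client(headers: Dict[str, str], form: Dict[str, str],
                        registry: Dict[str, str]) -> Tuple[bool, str]:
    """Server side: apply RFC 6749 §2.3 to one token request.

    Exactly one client authentication method is allowed per request, and the
    presented secret must match the registered one (constant-time compare).
    Returns (ok, client_id) on success or (False, oauth_error_reason).
    """
    basic = parse_basic_auth(headers.get("Authorization"))
    secret_in_body = "client_secret" in form
    if basic and secret_in_body:
        return False, "invalid_request: more than one client authentication method"
    if basic:
        client_id, secret = basic
    elif secret_in_body:
        client_id, secret = form.get("client_id", ""), form["client_secret"]
    else:
        return False, "invalid_client: no client authentication presented"
    expected = registry.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        # Same error for unknown client and wrong secret: don't leak which it was.
        return False, "invalid_client: unknown client or bad secret"
    return True, client_id


if __name__ == "__main__":
    registry = {CLIENT_ID: CLIENT_SECRET}  # constructed registered-clients table
    request = build_token_request("alice", "alice-password")
    print(request["headers"]["Authorization"])
    print(authenticate_client(request["headers"], request["form"], registry))
```

The point the example makes for the question above: the Basic header authenticates the client application, while the form body authenticates the resource owner. Implementations that "only need username and password" either use a public client, which the RFC text quoted above says the server MUST NOT rely on to identify the client, or have switched client authentication off as the linked threads describe.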