JWT with Spring OAuth2


Problem description


I have created the Spring Authorization Server which issues JWT-s and a Resource Server which checks the JWT, its claims and permissions on the Authorization Server. To do so, I have followed this article.


My question is why I need to send the Authorization header with HTTP Basic authorization and Base64 encoded username/password (ClientId:ClientSecret) in get token request? I have seen JWT implementations where only username and password are required.

Recommended answer


It is part of the specification, see RFC 6749:

2.3. Client Authentication


If the client type is confidential, the client and authorization server establish a client authentication method suitable for the security requirements of the authorization server. The authorization server MAY accept any form of client authentication meeting its security requirements.


Confidential clients are typically issued (or establish) a set of client credentials used for authenticating with the authorization server (e.g., password, public/private key pair).


The authorization server MAY establish a client authentication method with public clients. However, the authorization server MUST NOT rely on public client authentication for the purpose of identifying the client.


The client MUST NOT use more than one authentication method in each request.


By default Spring Security OAuth 2.0 protects the token endpoint, see OAuth 2 Developers Guide:


The token endpoint is protected for you by default by Spring OAuth in the @Configuration support using HTTP Basic authentication of the client secret.


But it seems that you can disable the client authentication:

  • Spring Security OAuth 2.0 - client secret always required for authorization code grant
  • Is it possible to get an access_token from Spring OAuth2 server without client secret?
  • Spring Security OAuth 2.0 with no client_secret
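To make concrete what the Basic-authenticated token request in the question carries, here is an added example (not code from the question, the answer or Spring itself) of a token endpoint's client-authentication check following RFC 6749 sections 2.3 and 2.3.1: the client id and secret are form-urlencoded before being joined and base64-encoded, and a request that presents both the Authorization header and a client_secret form parameter is rejected as using more than one method. The client registry and credential values are constructed for the example.

```python
import base64
import hmac
from typing import Dict, Tuple
from urllib.parse import quote, unquote, parse_qs

# Constructed registry of confidential clients (hypothetical ids and secrets).
CLIENTS: Dict[str, str] = {"my-trusted-client": "secret", "acme:web": "p@ss w0rd"}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the header the client sends; RFC 6749 2.3.1 form-urlencodes both parts."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()


def authenticate_client(headers: Dict[str, str], body: str) -> Tuple[bool, str]:
    """Server side: return (ok, client_id or error) for a token request."""
    auth = headers.get("Authorization", "")
    form = parse_qs(body, keep_blank_values=True)
    has_basic = auth.startswith("Basic ")
    has_form = "client_secret" in form
    # RFC 6749 2.3: the client MUST NOT use more than one method per request.
    if has_basic and has_form:
        return False, "invalid_request: multiple client authentication methods"
    if has_basic:
        try:
            raw = base64.b64decode(auth[len("Basic "):], validate=True).decode()
            enc_id, enc_secret = raw.split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return False, "invalid_client: malformed Basic credentials"
        client_id, secret = unquote(enc_id), unquote(enc_secret)
    elif has_form:
        client_id = form.get("client_id", [""])[0]
        secret = form["client_secret"][0]
    else:
        return False, "invalid_client: no client authentication"
    expected = CLIENTS.get(client_id)
    # Constant-time comparison so a wrong secret does not leak a length or prefix.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return False, "invalid_client: bad client credentials"
    return True, client_id
```

A client registered as public would skip this check entirely, which is the behaviour the linked questions describe when the secret is not required.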

