Implementing filter-based JWT authentication vs OAuth2 JWT authentication on Spring Boot 2


Problem description

As I understand it, the OAuth2 framework needs a custom JWT authentication server, and for the filter-based JWT implementation I have to create a custom security filter with a JWT utility class.

However, my question is: what is the best method to implement JWT on Spring Boot 2, filter-based authentication or OAuth2?

Are there any pros and cons based on the nature of the clients and the application?

As an example: does OAuth2 authentication provide any advantage if the application manages different clients such as mobile, web, web service etc.?

Note: My question is related to the security of a Spring-Boot REST API + web application.

Recommended answer

I have found a discussion regarding the same matter and I'm extracting the important points below.

From the technical point of view I still didn't get a clear idea of which implementation to use, when and where, but it helps me to make a decision.

  1. I personally hesitate to bring in OAuth when I only need JWT authentication. It feels confusing and honestly I do not want the additional complexity to use @EnableResourceServer etc. Maybe it's just a couple of lines of configuration but it feels like overkill.
  2. Can someone show me why it's so difficult to set up an OAuth2 provider with JWT tokens? If you want JWT tokens all the code is already here. Why is it so hard to just use it?

Answer:

Maybe it's not difficult but 1) it feels unnatural to do so and 2) it can be easier. Instead of using @EnableResourceServer and other setup I would like something much easier, like:

    // Sketch of a desired fluent API (not an existing Spring Security DSL)
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .jwt()
                .loginUrl(new AntPathRequestMatcher("/api/login", "POST"))
                .secret("my-super-duper-secret")
                .claimsProvider(new MyClaimsProvider());
    }

What you typically want to set for JWT is the login URL (can be defaulted to /login), the secret and optionally some claimsProvider implementation. A default implementation should be provided out of the box adding the username and roles to the claims. This way it would be very easy to set up JWT in Spring Security.

With OAuth2 there is a "refresh token", so you put the onus on the client to keep the access token live, and the authorization server can check the user account every time it is refreshed. If you start worrying about that kind of problem (which you should) then you will end up implementing something that is getting pretty close to OAuth2, at which point you might say "why didn't we just use OAuth2 in the first place?" Do you see my point?
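To make the two points above concrete (the login URL, secret and claims provider that a filter-based setup has to wire up itself, and the account re-check that a refresh token makes possible), here is an added example that is not from the original thread and not Spring Security code. It is a hypothetical, JDK-only `JwtDemo` class: the `ClaimsProvider` interface, `DEFAULT_CLAIMS`, the method names and the in-memory refresh-token map are my own assumptions modelled on the `secret(...)`/`claimsProvider(...)` wish in the answer; the `.jwt()` DSL sketched above is not a real Spring Security API and is not used here. HS256 with a shared secret is chosen only because the answer talks in terms of a secret.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Hypothetical HS256 JWT service using only the JDK: the work a filter-based setup has to do itself.
public final class JwtDemo {
    // Produces the JSON claims for a user; models the claimsProvider idea from the thread.
    interface ClaimsProvider {
        String claimsJson(String username, List<String> roles);
    }
    // Default provider: puts the username (sub) and roles into the claims.
    static final ClaimsProvider DEFAULT_CLAIMS = (user, roles) ->
        "\"sub\":\"" + user + "\",\"roles\":[\"" + String.join("\",\"", roles) + "\"]";

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private final byte[] secret;
    private final ClaimsProvider claims;
    private final long accessTtlSeconds;
    // Opaque refresh tokens handed out at login, keyed to the account (in-memory for the demo).
    private final Map<String, String> refreshTokens = new HashMap<>();

    JwtDemo(String secret, ClaimsProvider claims, long accessTtlSeconds) {
        this.secret = secret.getBytes(UTF_8);
        this.claims = claims;
        this.accessTtlSeconds = accessTtlSeconds;
    }

    // Login step: mint header.payload.signature with a short exp claim.
    String issueAccessToken(String username, List<String> roles, Instant now) {
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(UTF_8));
        long exp = now.plusSeconds(accessTtlSeconds).getEpochSecond();
        String body = "{" + claims.claimsJson(username, roles) + ",\"exp\":" + exp + "}";
        String signingInput = header + "." + B64.encodeToString(body.getBytes(UTF_8));
        return signingInput + "." + B64.encodeToString(hmac(signingInput));
    }
    // Also at login: an opaque refresh token the server can revoke or re-check later.
    String issueRefreshToken(String username) {
        String token = java.util.UUID.randomUUID().toString();
        refreshTokens.put(token, username);
        return token;
    }
    // Refresh step: the account is re-checked here, which a self-contained JWT cannot do before it expires.
    Optional<String> refresh(String refreshToken, List<String> roles, Instant now,
                             java.util.function.Predicate<String> accountActive) {
        String username = refreshTokens.get(refreshToken);
        if (username == null || !accountActive.test(username)) {
            refreshTokens.remove(refreshToken);   // a disabled account loses its refresh token
            return Optional.empty();
        }
        return Optional.of(issueAccessToken(username, roles, now));
    }
    // Filter step: check structure, signature (constant-time) and expiry; returns the payload JSON.
    Optional<String> verify(String token, Instant now) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return Optional.empty();
        byte[] presented;
        try { presented = B64D.decode(parts[2]); } catch (IllegalArgumentException e) { return Optional.empty(); }
        // Always recompute HS256 with the server secret; the alg in the header is never trusted.
        if (!MessageDigest.isEqual(hmac(parts[0] + "." + parts[1]), presented)) return Optional.empty();
        String payload = new String(B64D.decode(parts[1]), UTF_8);
        long exp = extractExp(payload);
        if (exp < 0 || now.getEpochSecond() >= exp) return Optional.empty();
        return Optional.of(payload);
    }
    // Minimal "exp" extraction so the demo needs no JSON library.
    private static long extractExp(String payloadJson) {
        int i = payloadJson.indexOf("\"exp\":");
        if (i < 0) return -1;
        int start = i + 6, end = start;
        while (end < payloadJson.length() && Character.isDigit(payloadJson.charAt(end))) end++;
        return end == start ? -1 : Long.parseLong(payloadJson.substring(start, end));
    }
    private byte[] hmac(String input) {
        try {
            javax.crypto.Mac mac = javax.crypto.Mac.getInstance("HmacSHA256");
            mac.init(new javax.crypto.spec.SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(input.getBytes(UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        JwtDemo jwt = new JwtDemo("my-super-duper-secret", DEFAULT_CLAIMS, 900);   // 15-minute access tokens
        Instant now = Instant.now();
        List<String> roles = List.of("ROLE_USER");
        String access = jwt.issueAccessToken("alice", roles, now);
        String refresh = jwt.issueRefreshToken("alice");
        System.out.println("valid now:      " + jwt.verify(access, now).isPresent());
        System.out.println("after expiry:   " + jwt.verify(access, now.plusSeconds(901)).isPresent());
        System.out.println("refresh active: " + jwt.refresh(refresh, roles, now, u -> true).isPresent());
        System.out.println("refresh locked: " + jwt.refresh(refresh, roles, now, u -> false).isPresent());
    }
}
```

Run it with `java JwtDemo.java` (Java 11 or newer). The `verify` method is the part that would sit in a custom filter before an authentication object is placed in the security context; `refresh` is the point the answer is making: once the short-lived access token has expired, the only way to get a new one is through the refresh step, and that is where the server gets to re-check the account and withdraw the refresh token. With a bare filter-based JWT that check has to be added by hand, which is how a hand-rolled setup drifts toward OAuth2.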

Is the use case described in this issue conceptually different from the OAuth2 use case? Here we have a password as input and a JWT token as output, and the JWT token is then used to access resources. The JWT profile of the OAuth 2 spec specifies a different situation, where a JWT token is the input to the token service and an access token is the output, and the access token is then used to access resources.

It would be good to have just simple JWT token-based authentication without OAuth, which is sometimes complicated for small projects.

https://github.com/spring-projects/spring-security-oauth/issues/368
