Can I include user information while issuing an access token?


Problem description

I have seen in some oauth2 implementations additional information on the response returned by the authorization server when it issues access tokens. I'm wondering if there is a way to accomplish this using spring-security-oauth2. I would love to be able to include some user authorities on the access token response so that my consuming applications don't need to manage the user authorities but can still set the user on their own security contexts and apply any of their own spring-security checks.

  1. How would I get that information onto the access token response?
  2. How would I intercept that information on the oauth2 client and set it on the security context?

I suppose another option would be to use JWT tokens and share the appropriate information with the client applications so that they can parse the user / authorities out of the token and set it on the context. This makes me more uncomfortable since I'd prefer to be in control of which client applications could have access to this information (trusted apps only) and AFAIK only the authorization server and resource server should know how to parse the JWT tokens.

Accepted answer

You will need to implement a custom TokenEnhancer like so:

import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.userdetails.User;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

// Runs for every token the authorization server issues and attaches extra
// key/value pairs to it; they are returned in the token response as additional
// JSON fields next to access_token, token_type, expires_in, etc.
public class CustomTokenEnhancer implements TokenEnhancer {

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        // Assumes a user-based grant, where the principal is the UserDetails User
        User user = (User) authentication.getPrincipal();
        final Map<String, Object> additionalInfo = new HashMap<>();

        additionalInfo.put("customInfo", "some_stuff_here");
        additionalInfo.put("authorities", user.getAuthorities());

        // DefaultTokenServices always hands a DefaultOAuth2AccessToken to enhancers
        ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);

        return accessToken;
    }

}

and add it to your AuthorizationServerConfigurerAdapter as a bean with the corresponding setters

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    // Some autowired stuff here

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // @formatter:off
        // Register the enhancer on the token endpoint configuration ...
        endpoints
            // ...
            .tokenEnhancer(tokenEnhancer());
        // @formatter:on
    }

    // ... and on the token services, so both issuing paths apply it
    @Bean
    @Primary
    public AuthorizationServerTokenServices tokenServices() {
        DefaultTokenServices tokenServices = new DefaultTokenServices();
        // ...
        tokenServices.setTokenEnhancer(tokenEnhancer());
        return tokenServices;
    }

    // Some @Bean here like tokenStore

    @Bean
    public TokenEnhancer tokenEnhancer() {
        return new CustomTokenEnhancer();
    }

}

then in a controller (for example)

import java.util.Collection;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class MyController {

    @Autowired
    private AuthorizationServerTokenServices tokenServices;

    @RequestMapping(value = "/getSomething", method = RequestMethod.GET)
    @SuppressWarnings("unchecked")
    public String getSection(OAuth2Authentication authentication) {
        // Looks the stored token up for the current authentication; on the
        // authorization server the token store returns the same objects the
        // enhancer put in, so the casts below hold here
        Map<String, Object> additionalInfo = tokenServices.getAccessToken(authentication).getAdditionalInformation();

        String customInfo = (String) additionalInfo.get("customInfo");
        Collection<? extends GrantedAuthority> authorities = (Collection<? extends GrantedAuthority>) additionalInfo.get("authorities");

        // Play with authorities

        return customInfo;
    }

}

I'm personally using a JDBC TokenStore, so my "Some autowired stuff here" corresponds to some @Autowired DataSource, PasswordEncoder and whatnot.

Hope this helps!
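The client side of the question (point 2 above), as an added example that is not part of the original answer: it reads the "authorities" entry the enhancer placed on the token response and puts it into the consuming application's security context. It assumes the legacy spring-security-oauth2 OAuth2RestTemplate client; the class name, method names and the principalName parameter are hypothetical, and because the values arrive as JSON after the token endpoint (Jackson renders each SimpleGrantedAuthority as {"authority":"ROLE_X"}, not as a GrantedAuthority object), the code normalizes that shape rather than casting as the server-side controller does.

```java
// Added example, not from the original answer; assumes the legacy spring-security-oauth2
// client (OAuth2RestTemplate). Class, method and parameter names are hypothetical.
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class TokenResponseAuthorities {

    // Reads the "authorities" entry the TokenEnhancer added. After the JSON round trip
    // through the token endpoint it is no longer a Collection<GrantedAuthority>: Jackson
    // renders each SimpleGrantedAuthority as {"authority":"ROLE_X"} (a plain string if
    // the enhancer emitted names instead). Both shapes are accepted, anything else ignored.
    static List<GrantedAuthority> fromTokenResponse(OAuth2AccessToken token) {
        List<GrantedAuthority> result = new ArrayList<>();
        Object raw = token.getAdditionalInformation().get("authorities");
        if (!(raw instanceof Collection)) {
            return result; // the response carried no authorities
        }
        for (Object item : (Collection<?>) raw) {
            String name = null;
            if (item instanceof String) {
                name = (String) item;
            } else if (item instanceof Map) {
                Object a = ((Map<?, ?>) item).get("authority");
                name = a == null ? null : a.toString();
            }
            if (name != null && !name.isEmpty()) {
                result.add(new SimpleGrantedAuthority(name));
            }
        }
        return result;
    }

    // Populates the client's SecurityContext from the token the OAuth2RestTemplate obtained
    // from the authorization server (the only source these authorities should be taken from).
    static void applyToSecurityContext(OAuth2RestTemplate restTemplate, String principalName) {
        OAuth2AccessToken token = restTemplate.getAccessToken();
        PreAuthenticatedAuthenticationToken auth = new PreAuthenticatedAuthenticationToken(
                principalName, token.getValue(), fromTokenResponse(token));
        SecurityContextHolder.getContext().setAuthentication(auth);
    }
}
```

Because the authorities are copied into the client's context with no further check, only token responses fetched by the client itself from the authorization server over TLS should feed this path; a bearer token presented by a caller says nothing about that caller's authorities.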
