Spring Security OAuth 2.0 - client secret always required for authorization code grant


Question

According to the spec, requests for a token using the authorization code grant are not required to be authenticated as long as the client_id is included in the request and the client_id is the same one used to generate the code. However, with the Spring Security OAuth 2.0 implementation, it appears that basic auth is always required on the /oauth/token endpoint even if the client was never assigned a secret.

It looks like there is support for allowing clients without a secret due to the isSecretRequired() method in the ClientDetails interface. What do I need to do to enable clients without a secret to be authenticated at the /oauth/token URL?

4.1.3. Access Token Request

The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body:

grant_type REQUIRED. Value MUST be set to "authorization_code".

code REQUIRED. The authorization code received from the authorization server.

redirect_uri REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.

client_id REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.

If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.

Recommended answer

Authenticating the client using the form parameters instead of basic auth is enabled using the allowFormAuthenticationForClients() method as shown in the code sample below.

```groovy
import org.springframework.context.annotation.Configuration
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer

// Spring only applies this configurer when it is a @Configuration bean with @EnableAuthorizationServer
@Configuration
@EnableAuthorizationServer
class AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {

    @Override
    void configure(AuthorizationServerSecurityConfigurer security) {
        security
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                // accept client_id (and client_secret) as POST form parameters on /oauth/token
                .allowFormAuthenticationForClients()
    }
}
```

The allowFormAuthenticationForClients() method triggers the addition of the ClientCredentialsTokenEndpointFilter which allows for authentication via form parameters.
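A complete configuration that registers a client without a secret and lets it authenticate at /oauth/token by form parameters, as an added example rather than code from the answer. The class name, client id, scope and URLs are assumptions; the client is restricted to the authorization_code grant with an exact redirect URI, since a client anyone can impersonate by knowing its client_id must not be allowed user-less grants.

```java
package example.oauth; // assumed package

import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class PublicClientAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // No .secret(...) call: getClientSecret() stays null, so isSecretRequired() is false
            // and the filter accepts a request with no client_secret parameter.
            .withClient("spa-client")                       // assumed client id
            // Only the redirect-based grant for a secret-less client; client_credentials or
            // password would hand out tokens to anyone who knows the client_id.
            .authorizedGrantTypes("authorization_code")
            .scopes("read")                                 // assumed scope
            // Exact registered URI; the token request's redirect_uri must match it (RFC 6749 4.1.3).
            .redirectUris("https://app.example.test/callback");
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // With this setting the token request needs no Authorization: Basic header, e.g.
        //   POST /oauth/token
        //   Content-Type: application/x-www-form-urlencoded
        //
        //   grant_type=authorization_code&code=<code>&client_id=spa-client
        //   &redirect_uri=https%3A%2F%2Fapp.example.test%2Fcallback
        // Credentials are read from the POST body only; the filter rejects GET, so they
        // never end up in a query string or server access log.
        security
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()")
            .allowFormAuthenticationForClients();
    }
}
```

Without allowFormAuthenticationForClients(), the same request is rejected with 401 before the grant is evaluated, because the endpoint is protected by HTTP Basic only.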
