OAuth2是否允许使用非密码或自定义凭据进行授权? [英] Does OAuth2 allow for authorization using non-password or custom credentials?
问题描述
我正在使用Spring Security OAuth2.客户端应用程序(我们拥有)发出密码"授予请求,该请求传递用户的用户名和密码.就像草稿中指定的一样.
I'm using Spring Security OAuth2. The client application (that we own) makes a "password" grant request that passes the user's username and password. Just like the draft specifies.
我需要这种机制来支持其他类型的凭据,例如卡号,PIN,甚至是预先认证的,不需要密码的授予.
I need this mechanism to also support other types of credentials, like card number, PIN, and even a pre-authenticated, password not required grant.
请记住,这些请求将仅由具有特权的client_id允许,该请求只能在我们拥有的应用程序中使用.
Please keep in mind, these requests will only be permitted by a privileged client_id, one that will only be used from the application we own.
推荐答案
戴夫,感谢您的快速回复.我实际上找到了一个完美的解决方案,您参与其中.它与自定义授予"令牌授予者有关... https://jira.spring.io/browse/SECOAUTH-347
Dave, thanks for the quick response. I actually found the perfect solution, one which you took part in. It has to do with "custom-grant" token granters... https://jira.spring.io/browse/SECOAUTH-347
如果我更新了我可能已经知道的旧版本1.0.0.M5.
Had I updated my rather old 1.0.0.M5 version I might have known about those.
我的方法是使用支持自定义授予类型(我称之为"studentCard")的类扩展AbstractTokenGranter.身份验证请求到达此处后,我将像ResourceOwnerPasswordTokenGranter一样检查参数列表,但会查找我的自定义"cardNumber"参数.然后,我将自己基于ID的UsernamePasswordAuthenticationToken版本传递给我的AuthenticationProvider,后者知道如何基于ID卡对用户进行身份验证.
My approach was to extend AbstractTokenGranter with a class that supports a custom grant type (I call it "studentCard"). Once an authentication request makes it here, I examine the parameter list just like ResourceOwnerPasswordTokenGranter, but instead look for my custom "cardNumber" parameter. I then pass my own, id-based version of UsernamePasswordAuthenticationToken to my AuthenticationProvider, which knows how to authenticate users based on id card.
这是我想出的自定义令牌授予者类:
Here is the custom token granter class I came up with:
public class StudentCardTokenGranter extends AbstractTokenGranter {
private static final String GRANT_TYPE = "studentCard";
private final AuthenticationManager authenticationManager;
public StudentCardTokenGranter(AuthenticationManager authenticationManager,
AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService) {
super(tokenServices, clientDetailsService, GRANT_TYPE);
this.authenticationManager = authenticationManager;
}
@Override
protected OAuth2Authentication getOAuth2Authentication(AuthorizationRequest clientToken) {
Map<String, String> parameters = clientToken.getAuthorizationParameters();
String cardNumber = parameters.get("cardNumber");
Authentication userAuth = new StudentCardAuthenticationToken(cardNumber);
try {
userAuth = authenticationManager.authenticate(userAuth);
} catch (BadCredentialsException e) {
// If the username/password are wrong the spec says we should send 400/bad grant
throw new InvalidGrantException(e.getMessage());
}
if (userAuth == null || !userAuth.isAuthenticated()) {
throw new InvalidGrantException("Could not authenticate student: " + cardNumber);
}
return new OAuth2Authentication(clientToken, userAuth);
}
}
我的授权服务器配置:
<!-- Issues tokens for both client and client/user authorization requests -->
<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password authentication-manager-ref="myUserManager" />
<oauth:custom-grant token-granter-ref="studentCardGranter" />
</oauth:authorization-server>
<bean id="studentCardGranter" class="com.api.security.StudentCardTokenGranter">
<constructor-arg name="authenticationManager" ref="myUserManager" />
<constructor-arg name="tokenServices" ref="tokenServices" />
<constructor-arg name="clientDetailsService" ref="clientDetails" />
</bean>
这篇关于OAuth2是否允许使用非密码或自定义凭据进行授权?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
