OAuth2 cross origin solution

Question

I have a REST application which is written using the Spring framework and uses Spring OAuth2 for security. Whenever I call these REST services from my Angular app, I get a CORS error. Both applications are running on my local machine (localhost) but on different ports (8080 for the Java backend and 3000 for the frontend).

I've added @CrossOrigin() in the controller of my backend application and all the cross-origin errors for the resource APIs are fixed, but for the Spring OAuth2 authentication URL (/oauth/token) this always happens.

I've tried many ways, but none of them solved my issue.

Can anyone please help me?

Thanks

Recommended answer

The token endpoint (/oauth/token) is supposed to be called from your application server side to get tokens in exchange for an authorization grant code, so no CORS rules are applied there - no CORS headers needed (CORS rules are required just by browsers). If you want to get tokens to your Angular application, you should use OAuth2 implicit flow and refresh them using an iframe - so no CORS headers needed here either.

See https://tools.ietf.org/html/rfc6749 for OAuth2 grant types and http://openid.net/specs/openid-connect-session-1_0.html for OpenID Connect session management. Those RFCs are rather easy to read.
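
The browser-side check behind the CORS error in the question, as an added example that is not part of the original post: a simplified version of the decision a browser makes before sending a script-initiated request. The two localhost origins come from the question; the request headers are an assumption modelled on a typical RFC 6749 token request, and the function names are hypothetical.

```javascript
// Simplified subset of the Fetch rules (ignores Range, value-length limits, streams).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// An origin is the (scheme, host, port) triple, so a different port alone
// makes two localhost URLs cross-origin.
function isSameOrigin(pageUrl, targetUrl) {
  return new URL(pageUrl).origin === new URL(targetUrl).origin;
}

// Returns "same-origin", "cors-simple" or "cors-preflight".
function classifyRequest(pageUrl, targetUrl, method, headers = {}) {
  if (isSameOrigin(pageUrl, targetUrl)) return "same-origin";
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return "cors-preflight";
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    // Any header outside the safelist (e.g. Authorization) forces an OPTIONS preflight.
    if (!SAFELISTED_HEADERS.has(lower)) return "cors-preflight";
    if (lower === "content-type") {
      const essence = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(essence)) return "cors-preflight";
    }
  }
  return "cors-simple";
}

// Constructed sample: Angular page on port 3000, token endpoint on port 8080.
const page = "http://localhost:3000/login";
const tokenEndpoint = "http://localhost:8080/oauth/token";
const tokenRequestHeaders = {
  "Authorization": "Basic Y2xpZW50OnNlY3JldA==", // constructed: base64("client:secret")
  "Content-Type": "application/x-www-form-urlencoded",
};

console.log(classifyRequest(page, tokenEndpoint, "POST", tokenRequestHeaders));
```

A server-side HTTP client performs none of these checks, which is why the same token request needs no CORS headers when it is sent from the application server.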
