Spring Security 5.3 Resource Server Multiple Keys


Question

We have the following situation:

  1. Multiple 'legacy' Spring Security Oauth2 Auth Servers (2.3.4) - each with a different RSA key configured for creation of the JWT tokens.
  2. Single newer (SS 5.3.3, SB 2.3.1) Resource Server which we want to accept tokens from either auth server.

Problem is the resource server is only configured with 1 key (currently) - so it can only accept tokens from 1 auth-server.
Is there any conceivable way to support multiple keys in our resource server to decode JWTs coming from different auth-servers?

We basically want to do this but with multiple keys: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2resourceserver-jwt-decoder-public-key

Spring Security 5.3 indicates this may be possible with 'multi-tenancy': https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2resourceserver-multitenancy

Here is the basic config:

    import java.security.interfaces.RSAPublicKey;

    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.oauth2.jwt.JwtDecoder;
    import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

    // Resource server configuration with a single static RSA public key
    @Configuration
    public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

        @Value("${security.oauth2.resourceserver.jwt.key-value}")
        RSAPublicKey key;

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http
                    // using new Spring Security SpEL
                    // https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#webflux-oauth2resourceserver-jwt-authorization
                    .authorizeRequests(authorizeRequests ->
                            authorizeRequests
                                    .antMatchers("/shipments/**").hasAuthority("SCOPE_DOMPick")
                                    .anyRequest().authenticated()
                    )

                    .csrf().disable()

                    // ****** this is the new DSL way in Spring Security 5.2 instead of Spring Security Oauth @EnableResourceServer ******
                    .oauth2ResourceServer(oauth2ResourceServer ->
                            oauth2ResourceServer
                                    .jwt(jwt ->
                                            jwt.decoder(jwtDecoder())
                                    )
                    );
        }

        // static key: every incoming JWT is verified against this one public key
        @Bean
        JwtDecoder jwtDecoder() {
            return NimbusJwtDecoder.withPublicKey(this.key).build();
        }
    }

Answer

Yes, Spring Security 5.3 allows you to use multiple jwk-uri keys. Please read my answer here:

https://stackoverflow.com/a/61615389/12053054

If you cannot use this version of SS it is possible to manually configure Spring Security to use multiple jwk-uri keys. (Follow the link I have provided to see how.)

This part of the Spring Security docs specifies how to do it with Spring Security 5.3: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2resourceserver-multitenancy

    JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver
        ("https://idp.example.org/issuerOne", "https://idp.example.org/issuerTwo");

    http
        .authorizeRequests(authorize -> authorize
            .anyRequest().authenticated()
        )
        .oauth2ResourceServer(oauth2 -> oauth2
            .authenticationManagerResolver(authenticationManagerResolver)
        );

Note that issuer URLs are resolved from the incoming token (a JWT OAuth2 token always contains an issuer URL where the URI for the JWK to verify the JWT token can be found). By manual configuration (the answer I have posted) you can add custom behavior, for example: instead of finding which URL should be used to verify the token directly from the JWT, you can check headers for information that resolves which issuer URL (you have specified them in your Spring app) should be used with this request to verify the JWT token.
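An added example (not code from the question or the answer) that combines the answer's manual-resolver approach with the question's static keys: one NimbusJwtDecoder per legacy auth server, selected by the token's `iss` claim through a Map-backed JwtIssuerAuthenticationManagerResolver. The property names, the issuer values and the class name are assumptions.

```java
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;

@Configuration
public class MultiKeyResourceServerConfig extends WebSecurityConfigurerAdapter {
    // Assumed property names: one issuer string and one PEM public key per legacy auth server.
    @Value("${legacy.auth-one.issuer}")     String issuerOne;
    @Value("${legacy.auth-one.public-key}") RSAPublicKey keyOne;
    @Value("${legacy.auth-two.issuer}")     String issuerTwo;
    @Value("${legacy.auth-two.public-key}") RSAPublicKey keyTwo;

    // One decoder per auth server: it verifies signatures with that server's key only,
    // and the issuer validator rejects a token signed by that key but carrying another "iss".
    private AuthenticationManager managerFor(String issuer, RSAPublicKey key) {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(key).build();
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer));
        AuthenticationProvider provider = new JwtAuthenticationProvider(decoder);
        return new ProviderManager(Collections.singletonList(provider));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        Map<String, AuthenticationManager> managers = new HashMap<>();
        managers.put(issuerOne, managerFor(issuerOne, keyOne));
        managers.put(issuerTwo, managerFor(issuerTwo, keyTwo));

        // The resolver reads the "iss" claim of the bearer token and looks it up in the map;
        // a missing or unknown issuer yields no manager, so the token is rejected as invalid.
        JwtIssuerAuthenticationManagerResolver resolver =
                new JwtIssuerAuthenticationManagerResolver(managers::get);

        http
            .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver));
    }
}
```

This only works if each legacy auth server puts its own `iss` claim into the tokens it signs; if the legacy tokens carry no issuer, the lookup key has to come from somewhere else (for instance the header-based selection the answer mentions) rather than from the JWT.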
