Incremental authorization for Google OAuth2 Sign in with Spring Security

Question

I was wondering if there is a way to authorize incrementally with Spring Security (as mentioned here).

By default Spring Security provides basic profile access when using Google Sign-In OAuth verification. That flow is correct. I would however want to request additional scopes (Gmail read, Calendar read etc.) on certain URL endpoints.

I have already tried using the @PreAuthorize property on the endpoint along with enabling @EnableGlobalMethodSecurity(prePostEnabled = true), as in the code.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {

    // Use the OAuth2-aware expression handler so #oauth2.hasScope(...) style
    // expressions are available in @PreAuthorize annotations.
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

Security configuration class:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // static assets and public pages are open; everything else needs a login
                .antMatchers("/", "/error", "/privacy", "/css/**", "/images/**", "/js/**", "/fonts/**")
                .permitAll()
                .anyRequest().authenticated()
                .and().oauth2Login()
                .and().logout().logoutSuccessUrl("/");
        http.csrf().disable();
        http.headers().frameOptions().disable();
    }
}

Answer

I have found a workaround. I have implemented a custom AccessDeniedHandler. Check for the exception and the URL it is coming from. If the URL is one where a higher scope is required, I redirect the request to Google authentication with the extra scopes added.

This is a workaround; the real solution is still open.

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;

public class CustomAccessDeniedHandler implements AccessDeniedHandler {

    @Value("${spring.security.oauth2.client.registration.google.client-id}")
    private String clientId;

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
        // Only step up when the denial was caused by a missing scope, not by a missing role.
        if (accessDeniedException.getMessage().equalsIgnoreCase("Insufficient scope for this resource")) {
            // Send the user straight to Google's authorization endpoint asking for the extra scope.
            // The authorization code comes back to /xyz on this host, which the application
            // must handle itself; Spring's own login callback (and its state check) is not involved.
            String redirectUri = request.getScheme() + "://" + request.getServerName() + "/xyz";
            response.sendRedirect("https://accounts.google.com/o/oauth2/v2/auth?client_id=" + clientId
                    + "&response_type=code&scope=https://www.googleapis.com/auth/gmail.readonly&redirect_uri="
                    + redirectUri);
        }
    }
}
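The handler above hands the browser to Google directly, so the `state` parameter that Spring normally generates and verifies on the callback is skipped. As an added example (not code from the question, the answer, or Spring Security itself), the same step-up can go through Spring's own authorization endpoint instead: a custom OAuth2AuthorizationRequestResolver delegates to DefaultOAuth2AuthorizationRequestResolver (which produces state, nonce and redirect_uri the callback filter will accept), adds allow-listed extra scopes taken from an `extra_scope` query parameter, and sets Google's `include_granted_scopes=true` so the earlier grant is kept on the new token. The class names, the `extra_scope` parameter and the allow-list are assumptions; the code targets Spring Security 5.x with javax.servlet, matching the WebSecurityConfigurerAdapter used on the page.

```java
// Added example, not from the original question or answer. Spring Security 5.x (javax.servlet).
// Class names, the "extra_scope" parameter and the allow-list below are illustrative assumptions.
import java.io.IOException;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.web.access.AccessDeniedHandler;

public class IncrementalScopeAuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {

    /** Extra scopes a request may ask for; anything else in the parameter is silently dropped. */
    private static final Set<String> ALLOWED_EXTRA_SCOPES = new LinkedHashSet<>(Arrays.asList(
            "https://www.googleapis.com/auth/gmail.readonly",
            "https://www.googleapis.com/auth/calendar.readonly"));

    private final OAuth2AuthorizationRequestResolver delegate;

    public IncrementalScopeAuthorizationRequestResolver(ClientRegistrationRepository repo) {
        // The default resolver builds state, nonce and redirect_uri exactly as the callback filter expects.
        this.delegate = new DefaultOAuth2AuthorizationRequestResolver(
                repo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
    }

    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
        return addIncrementalScopes(request, delegate.resolve(request));
    }

    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
        return addIncrementalScopes(request, delegate.resolve(request, clientRegistrationId));
    }

    private OAuth2AuthorizationRequest addIncrementalScopes(HttpServletRequest request,
                                                            OAuth2AuthorizationRequest base) {
        if (base == null) {
            return null; // not a request for /oauth2/authorization/{registrationId}; nothing to do
        }
        // Keep the registration's configured scopes (openid, profile, email) and append allow-listed extras.
        Set<String> scopes = new LinkedHashSet<>(base.getScopes());
        String[] requested = request.getParameterValues("extra_scope");
        if (requested != null) {
            for (String scope : requested) {
                if (ALLOWED_EXTRA_SCOPES.contains(scope)) {
                    scopes.add(scope);
                }
            }
        }
        Map<String, Object> extra = new HashMap<>(base.getAdditionalParameters());
        // Google's incremental-authorization switch: scopes granted earlier stay on the new token
        // instead of being replaced by this request's scope list.
        extra.put("include_granted_scopes", "true");
        return OAuth2AuthorizationRequest.from(base)
                .scopes(scopes)
                .additionalParameters(extra)
                .build();
    }

    /**
     * Step-up variant of the answer's handler: redirect to Spring's own authorization endpoint so the
     * resolver above adds the scope and the callback verifies state, instead of calling Google directly.
     */
    public static class StepUpAccessDeniedHandler implements AccessDeniedHandler {
        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException ex) throws IOException, ServletException {
            String scope = URLEncoder.encode("https://www.googleapis.com/auth/gmail.readonly", "UTF-8");
            response.sendRedirect(request.getContextPath()
                    + "/oauth2/authorization/google?extra_scope=" + scope);
        }
    }
}
```

Wire it in the SecurityConfig with `http.oauth2Login().authorizationEndpoint().authorizationRequestResolver(new IncrementalScopeAuthorizationRequestResolver(clientRegistrationRepository))` and `http.exceptionHandling().accessDeniedHandler(new IncrementalScopeAuthorizationRequestResolver.StepUpAccessDeniedHandler())`. When Google redirects back, Spring's login filter checks the state it generated, exchanges the code, and exposes the granted scopes on the new authentication as `SCOPE_…` authorities, so the endpoint can be guarded with `@PreAuthorize("hasAuthority('SCOPE_https://www.googleapis.com/auth/gmail.readonly')")`. One caveat: an AccessDeniedException raised for an already-authenticated user does not save the original request, so after the step-up the user lands on the default success URL unless the application stores the return path itself before redirecting.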
