Spring oAuth2 中基于用户的权限/范围 [英] User based permissions/scopes in Spring oAuth2
问题描述
在我当前的设置中,我有独立的 spring oAuth2 服务器、独立的资源服务器和带有反向代理的 angularJs 应用程序.
In my current setup I have standalone spring oAuth2 server, standalone resource server and angularJs app with reverse proxy.
在身份验证服务器端,我注册了 2 个客户端(用于服务通信的 Web 应用程序和内部客户端).我正确接收到客户端范围和用户角色.
On the authentication server side I have register 2 clients (web-app and internal client for service communication). I correctly receive client scopes and Users roles.
问题 1我需要每个用户而不是客户端(网络应用程序、移动设备等)的不同权限(例如范围)
Question 1 I need different permission (e.g. scopes) per user not client (web-app, mobile,...)
我尝试提供我自己的 ClientsDetailService,我可以在其中为每个用户构建 ClientDetails,但我收到的唯一信息是客户端 ID(网络应用程序"),我无法知道哪个用户登录了.
I tried providing my own ClientsDetailService where I would build ClientDetails for each user, but only thing I receive is client id ("web-app") and I have no way of knowing which user is logged in.
有没有办法注入用户上下文?
Is there a way to inject user context?
相关堆栈问题
问题 2 如果我将所有可用权限放在 JWT 中并在资源服务器上执行hasPermission(...)"逻辑,我可以以某种方式解决此问题.基本上客户端应用程序在 N 范围内工作,服务器基于用户角色构建权限列表并创建 JWT.但是...
Question 2 I can somehow work around this if I put all of the available permissions in the JWT and do the "hasPermission(...)" logic on the resource servers. Basically client app works in N scopes and server based on the Users role builds list of permissions and creates JWT. But...
- 当我删除用户权限时会发生什么?JWT 是否已失效?
- 此场景中的 oAuth 工作流程是什么?(refresh_token 会获得更新的权限还是用户必须再次输入凭据?)
- 既然这似乎是不好的做法,有没有更好的解决方案?
问题 3 是否有使用 spring oauth2 实现更细粒度的权限逻辑的标准方法?(想想 100 多种具有方法级安全性的不同权限)
Question 3 Is there a standard way of implementing more granular permission logic with spring oauth2? (think of 100+ different permissions with method level security)
推荐答案
好的,我终于设法使用 TokenEnhancer 为每个用户映射自定义范围,如下所示:
Ok, I finally managed to map custom scopes per user using TokenEnhancer as follows:
public class AuthorityTokenEnhancer implements TokenEnhancer {
@Override
public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
User user = (User) authentication.getPrincipal();
final ImmutableMap<String, Object> additionalInfo = ImmutableMap.<String, Object>builder()
.put("authorities", user.getAuthorities())
.build();
((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);
((DefaultOAuth2AccessToken) accessToken).setScope(user.getPermissions());
return accessToken;
}}
通过这种方法,我可以获得当前登录的用户并根据用户权限更新范围.
With this approach I can get currently logged in user and update scopes based on user permissions.
但我仍然不知道这是否是好的做法.
But still I don't know whether this is good practice or not.
这篇关于Spring oAuth2 中基于用户的权限/范围的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!