如何在同一个 Spring Boot 应用程序中使用多个“JWK Set Uri"值? [英] How do I use multiple 'JWK Set Uri' values in the same Spring Boot app?

问题描述

我需要使用两个不同的授权服务器(两个 Okta 实例)来验证来自作为后端 REST API 层的单个 Spring Boot 应用程序中的两个不同 Web 应用程序的身份验证令牌.

I have a requirement to use two different authorization servers (two Okta instances) to validate authentication tokens coming from two different web applications inside a single Spring Boot application which is a back-end REST API layer.

目前我有一台使用以下配置的资源服务器:

Currently I have one resource server working with the following configuration:

@Configuration
@EnableWebSecurity
public class ResourceServerSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception{
    http
      .authorizeRequests().antMatchers("/public/**").permitAll()
      .anyRequest().authenticated()
      .and()
      .oauth2ResourceServer().jwt();
  }
}

spring.security.oauth2.resourceserver.jwt.issuer-uri=https://dev-X.okta.com/oauth2/default
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://dev-X.okta.com/oauth2/default/v1/keys

以及依赖项 spring-security-oauth2-resource-server 和 spring-security-oauth2-jose 在我的 Spring Boot 应用程序(版本 2.2.4.RELEASE)中

and with dependencies spring-security-oauth2-resource-server and spring-security-oauth2-jose in my Spring Boot app (version 2.2.4.RELEASE)

我想进入的最终状态是，根据请求中设置的自定义 HTTP 标头，我想选择我的 Spring Boot 应用程序使用哪个 Okta 实例来解码和验证 JWT 令牌.

The end state I want to get into is, depending on a custom HTTP header set in the request, I want to pick which Okta instance my Spring Boot app uses to decode and validate the JWT token.

理想情况下，我的配置文件中有两个属性，如下所示:

Ideally I would have two properties in my configuration file as follows:

jwkSetUri.X=https://dev-X.okta.com/oauth2/default/v1/keys
jwtIssuerUri.X=https://dev-X.okta.com/oauth2/default

jwkSetUri.Y=https://dev-Y.okta.com/oauth2/default/v1/keys
jwtIssuerUri.Y=https://dev-Y.okta.com/oauth2/default

我应该能够使用 RequestHeaderRequestMatcher 来匹配安全配置中的标头值.我无法锻炼的是如何使用两个不同的 oauth2ResourceServer 与安全配置相匹配的实例.

I should be able to use a RequestHeaderRequestMatcher to match the header value in the security configuration. What I cannot workout is how to use two different oauth2ResourceServer instances that goes with the security configuration.

推荐答案

对于 spring boot，现在不可能开箱即用.Spring Security 5.3 提供了执行此操作的功能(spring boot 2.2.6 仍然不支持 spring security 5.3).请参阅以下问题:

With spring boot this is not possible to do out of the box right now. Spring Security 5.3 provides functionality to do this (spring boot 2.2.6 still doesn't support spring security 5.3). Please see following issues:

https://github.com/spring-projects/spring-security/问题/7857
https://github.com/spring-projects/spring-security/pull/7887

通过遵循我提供的链接，可以手动配置资源服务器以使用多个身份提供者.提供的链接主要是针对spring boot webflux的开发.有关基本的 Spring Boot Web 开发，请观看此视频:

It is possible to do manual configuration of resource server to use multiple identity providers, by following links that i have provided. Provided links are mainly for spring boot webflux development. For basic spring boot web development please see this video:

https://www.youtube.com/watch?v=ke13w8nab-k

这篇关于如何在同一个 Spring Boot 应用程序中使用多个“JWK Set Uri"值?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！