Spring OAuth: Resource Server with Authorization Server backend

Views: 64

Question

I want to develop two independent services, one for the business stuff and one for the user authentication using Spring OAuth 2

Let's call them Business-Service and OAuth-Service.

Now I want the Business-Service delegate to the OAuth-Service if a request is not authenticated. The client application (an Android app) should not know about the OAuth-Service a priori, it should only be delegated to it by the Business-Service with an 302 HTTP redirect for non-authenticated request. To be precise, I want my API landing page to provide a link to http://businessservice.com/login and when my client app decides to follow this link, it gets redirected to the OAuth-Service.

If I annotate the Business-Service with @EnableOAuth2Resource , all of its resources are protected returning a 401 when I curl them without an access token. So far so good. If I provide an access token like this:

curl -v http://localhost:8667/resource/ -H "Authorization: Bearer $TOKEN"

I can access the resource. Still good.

However if I annotate the Business-Service with @EnableOAuth2Sso for enabling the redirection to the OAuth service, it loses the capability of accessing the resources with an access token (same curl as above), it only returns a 302 to the login page http://localhost:8667/login

If I use both annotations, the @EnableOAuth2Resource always seems to "win", as the authentication works but calling http://localhost:8667/login returns a 404.

So what is the right way to create a resource server that delegates to the auth server for non-authenticated calls?

Answer

After trying around for hours I now found a solution.

The Business Server (Resource Server) now looks as follows:

@SpringBootApplication
@EnableOAuth2Sso       // redirects unauthenticated browser-style requests to the auth server
@EnableOAuth2Resource  // accepts bearer tokens on the business resources
public class BusinessService {

    public static void main(final String[] args) {
        SpringApplication.run(BusinessService.class, args);
    }

}

with two configurations, one for the SSO:

@Configuration
public class OAuth2SsoConfiguration extends OAuth2SsoConfigurerAdapter {

    // Apply the SSO filter chain only to the root, so it never intercepts
    // /resource/** requests that carry a bearer token.
    @Override
    public void match(final RequestMatchers matchers) {
        matchers.antMatchers("/");
    }

    @Override
    public void configure(final HttpSecurity http) throws Exception {
        // The root itself is open: it only advertises the login link.
        http.authorizeRequests().anyRequest().permitAll();
    }

}

and one for the resource server:

@Configuration
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(final HttpSecurity http) throws Exception {
        // This chain only handles /resource/**, and everything it matches needs a
        // valid access token. The explicit rule for "/" has to come before
        // anyRequest(): rules are evaluated in order and anyRequest() must be last.
        http.requestMatchers().antMatchers("/resource/**")
            .and()
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .anyRequest().authenticated();
    }

}

The result is as follows:

curl -v http://localhost:8667/

returns

HTTP/1.1 200 OK
{"links":[{"rel":"login","href":"http://localhost:8667/login"}]}
curl -v http://localhost:8667/resource/

returns

HTTP/1.1 401 Unauthorized
{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}
curl -v http://localhost:8667/login

returns

HTTP/1.1 302 Found
Location: http://localhost:8666/user/oauth/authorize?client_id=clientId&redirect_uri=http%3A%2F%2Flocalhost%3A8667%2Flogin&response_type=code&state=YmmNO9

So my business service is secured as a resource server, returning a 401 for all business resources. The root of the service is applicable for all clients so they can discover the login relation, and if they follow this relation, they're redirected to the Authorization server.
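As an added check that is not part of the answer above, the following Python validates the 302 the business service issues for /login against the setup the answer describes: the redirect must go to the authorization server, use the authorization-code grant, carry a redirect_uri that returns to the business service, and include a state value for CSRF protection of the callback. The sample Location header is the one shown above; the origins of the two services are assumptions taken from the curl output.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the Location header returned for GET /login in the answer.
SAMPLE_LOCATION = (
    "http://localhost:8666/user/oauth/authorize?client_id=clientId"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8667%2Flogin"
    "&response_type=code&state=YmmNO9"
)


def _origin(url):
    """scheme://host[:port] part of a URL, or '' if it has no host."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else ""


def check_authorize_redirect(location,
                             business_origin="http://localhost:8667",
                             auth_origin="http://localhost:8666"):
    """Return a list of problems found in an OAuth2 authorize redirect.

    An empty list means the redirect is consistent with the answer's setup:
    it points at the authorization server, asks for an authorization code,
    sends the browser back to the business service and carries a state value.
    """
    problems = []
    url = urlsplit(location)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}

    if _origin(location) != auth_origin:
        problems.append(f"redirect goes to {url.netloc!r}, not the authorization server")
    if params.get("response_type") != "code":
        problems.append("response_type is not 'code'")
    if not params.get("client_id"):
        problems.append("client_id is missing")
    redirect_uri = params.get("redirect_uri", "")
    if _origin(redirect_uri) != business_origin:
        problems.append(f"redirect_uri {redirect_uri!r} does not return to the business service")
    # The state value is what ties the callback to the request that started it;
    # a short or absent one is a sign the client is not protected against CSRF.
    if len(params.get("state", "")) < 6:
        problems.append("state parameter is missing or too short")
    return problems
```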
