Spring Security 5 OAuth2 client password grant type


Question

I have 2 applications:

  1. Spring Application 1 is the client and resource server.
  2. Spring Application 2 is the authorization server.

The user will be able to log in to Application 1 and access its resources. I want to implement the following flow:

The user enters his credentials in the login form -> Application 1 gets a token from Application 2 using the user's credentials and its clientId with the password grant type -> the resources of Application 1 are accessed with the token.

The question is whether Spring Security 5 supports the password grant type for clients. I found all the other grant types in the Spring Security 5 implementation, but not password.

Answer

Spring Security 5.1.x doesn't support it, see Spring Security Reference:

6.6 OAuth 2.0 Client

The OAuth 2.0 Client features provide support for the Client role as defined in the OAuth 2.0 Authorization Framework.

The following main features are provided:

  • Authorization Code Grant
  • Client Credentials Grant
  • WebClient extension for Servlet Environments (for making protected resource requests)

HttpSecurity.oauth2Client() provides a number of configuration options for customizing the OAuth 2.0 Client.

However, you could use Spring Security OAuth2, see the OAuth 2 Developers Guide:

Accessing Protected Resources

As a general rule, a web application should not use password grants, so avoid using ResourceOwnerPasswordResourceDetails if you can in favour of AuthorizationCodeResourceDetails. If you desperately need password grants to work from a Java client, then use the same mechanism to configure your OAuth2RestTemplate and add the credentials to the AccessTokenRequest (which is a Map and is ephemeral), not the ResourceOwnerPasswordResourceDetails (which is shared between all access tokens).

Or you could update to Spring Security 5.2.x, see Spring Security Reference:

11.2 OAuth 2.0 Client

The OAuth 2.0 Client features provide support for the Client role as defined in the OAuth 2.0 Authorization Framework.

At a high level, the core features available are:

Authorization Grant support

  • Authorization Code
  • Refresh Token
  • Client Credentials
  • Resource Owner Password Credentials
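The flow the question describes, written against the Spring Security 5.2 client API the answer points to, as an added example (this is not code from the question, the answer or the Spring project). It keeps to the guidance quoted above: the user's credentials are passed as per-request attributes and live only for the duration of the token call, while the ClientRegistration holds nothing but the client's own identity. The registration id "app2", the client id and secret, and the token URI are hypothetical placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;

/**
 * Added example: Application 1 acting as a Spring Security 5.2 OAuth2 client
 * that obtains a token from Application 2 with the resource owner password grant.
 * All URLs, client ids and secrets below are hypothetical placeholders.
 */
public class PasswordGrantClient {

    private static final String REGISTRATION_ID = "app2"; // hypothetical

    private final OAuth2AuthorizedClientManager clientManager;

    public PasswordGrantClient() {
        // Application 1's registration as a client of Application 2. Only the
        // client's own identity lives here; user credentials never do.
        ClientRegistration registration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
                .clientId("app1-client-id")                       // placeholder
                .clientSecret("app1-client-secret")               // placeholder; inject from config
                .authorizationGrantType(AuthorizationGrantType.PASSWORD)
                .tokenUri("https://auth.example.invalid/oauth/token") // placeholder
                .build();

        ClientRegistrationRepository registrations = new InMemoryClientRegistrationRepository(registration);
        OAuth2AuthorizedClientService authorizedClients = new InMemoryOAuth2AuthorizedClientService(registrations);

        // password() enables the resource owner password grant; refreshToken() lets an
        // expired token be renewed without asking the user for the password again.
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .password()
                .refreshToken()
                .build();

        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);
        // The password provider reads the user's credentials from the authorization
        // context. This mapper copies them from the per-request attributes, so they
        // exist only for the duration of the call.
        manager.setContextAttributesMapper(userCredentialsFromRequest());
        this.clientManager = manager;
    }

    private static Function<OAuth2AuthorizeRequest, Map<String, Object>> userCredentialsFromRequest() {
        return authorizeRequest -> {
            Map<String, Object> attributes = new HashMap<>();
            attributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME,
                    authorizeRequest.getAttribute(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME));
            attributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME,
                    authorizeRequest.getAttribute(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME));
            return attributes;
        };
    }

    /**
     * Exchanges the credentials the user typed into Application 1's login form for an
     * access token issued by Application 2. Returns null if no token was issued.
     */
    public String obtainAccessToken(String username, String password) {
        // The principal only names the user under whom the authorized client is stored;
        // the password is deliberately not kept in it.
        Authentication principal = new UsernamePasswordAuthenticationToken(
                username, null, AuthorityUtils.NO_AUTHORITIES);

        OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest.withClientRegistrationId(REGISTRATION_ID)
                .principal(principal)
                .attribute(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username)
                .attribute(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password)
                .build();

        OAuth2AuthorizedClient client = clientManager.authorize(request);
        return client == null ? null : client.getAccessToken().getTokenValue();
    }
}
```

A login controller in Application 1 would call obtainAccessToken with the posted form values and then send the returned token as a bearer token to its own resource endpoints. Because the password grant hands the user's password to a third party, the guidance quoted above still applies: prefer the authorization code grant where Application 2 can offer a login page of its own.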
