How to extract claims from Spring Security OAuth2 Boot in the Resource Server?

Question

I have an Authorization Server built in .Net Core Using Identity Server 4! It is working as expected to authorize clients and resources from Node Js and .Net. Now I'm trying to add a Java spring Boot 2 API (jdk 1.8) as a Protected Resource. I have achieved that goal by using the OAuth2 Boot Documentation! Everything works fine so far. Now, I need to extract the claims from the access token generated by the Authorization Server. This is a Bearer Token of Type JWT. The implementation I have for this is the following:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends ResourceServerConfigurerAdapter {
  private final String resourceId;

  @Autowired
  public SecurityConfiguration(@Value("${security.oauth2.resource.id}") String resourceId) {
    this.resourceId = resourceId;
  }

  @Override
  public void configure(ResourceServerSecurityConfigurer resources) {
    // The resource id the token's "aud" claim must match for the token to be accepted here.
    resources.resourceId(this.resourceId);
  }

  @Override
  public void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
        .csrf()
        .disable()
        .authorizeRequests()
        // Documentation and health endpoints are public; everything else needs a valid token.
        .antMatchers("/swagger-ui.html", "/webjars/**", "/swagger-resources/**", "/**/api-docs/**", "/actuator/**")
        .permitAll()
        .and()
        .authorizeRequests().anyRequest().fullyAuthenticated();
  }
}

The problem is that when I try to access the claims inside a controller, they are not available. I have checked the default extractAuthentication method from DefaultAccessTokenConverter, inside Spring Security, and indeed it is ignoring all non-default claims. What crossed my mind is creating a new converter extending the DefaultAccessTokenConverter, as follows:

import java.util.Map;

import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.stereotype.Component;

@Component
public class CustomAccessTokenConverter extends DefaultAccessTokenConverter {

  @Override
  public OAuth2Authentication extractAuthentication(Map<String, ?> claims) {
    // Let the default converter build the principal, scopes and authorities...
    OAuth2Authentication authentication = super.extractAuthentication(claims);
    // ...then keep the full claim map so non-standard claims survive into the controller.
    authentication.setDetails(claims);
    return authentication;
  }
}

But I have not figured out where to inject or reference this new converter.

Answer

Unfortunately, the Spring Boot auto-configuration doesn't seem to provide a way to replace the DefaultAccessTokenConverter, which is the default token converter in RemoteTokenServices. To replace the converter, you would have to replace the RemoteTokenServices that's created by default.

If your converter is a bean, you could set it on your own RemoteTokenServices object, which you can then set on ResourceServerSecurityConfigurer (so that it could be applied to the OAuth2AuthenticationManager behind the scenes):

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends ResourceServerConfigurerAdapter {
    // ...

    @Autowired
    private ResourceServerProperties resource;

    @Autowired
    private CustomAccessTokenConverter customConverter;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Replaces the auto-configured RemoteTokenServices with one that uses our converter.
        resources.tokenServices(customTokenServices());
        // ..
    }

    private RemoteTokenServices customTokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setAccessTokenConverter(this.customConverter);

        // configure based on .properties file (security.oauth2.resource.* / client id and secret)
        services.setCheckTokenEndpointUrl(this.resource.getTokenInfoUri());
        services.setClientId(this.resource.getClientId());
        services.setClientSecret(this.resource.getClientSecret());

        return services;
    }

    // ..
}


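A controller that reads the claims back out once the converter above is wired in, added here as an illustration and not part of either post. It assumes spring-security-oauth2 2.x, where OAuth2AuthenticationManager wraps the map set by the converter into OAuth2AuthenticationDetails.getDecodedDetails() during the filter chain; the /me path and the tenant_id claim name are hypothetical.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ClaimsController {

    // Hypothetical endpoint: returns only the claims this API needs, never the whole token.
    @GetMapping("/me")
    public Map<String, Object> me() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Map<String, ?> claims = extractClaims(auth);
        Map<String, Object> view = new LinkedHashMap<>();
        view.put("sub", claims.get("sub"));
        view.put("tenant", claims.get("tenant_id"));   // hypothetical custom claim name
        return view;
    }

    // Assumption: spring-security-oauth2 2.x. Inside the filter chain OAuth2AuthenticationManager
    // replaces the details set by CustomAccessTokenConverter with OAuth2AuthenticationDetails and
    // keeps the converter's map as the "decoded details"; when loadAuthentication() is called
    // directly (e.g. in a unit test) the map is still the details object itself.
    static Map<String, ?> extractClaims(Authentication auth) {
        if (!(auth instanceof OAuth2Authentication)) {
            return Collections.emptyMap();          // anonymous or non-OAuth2 authentication
        }
        Object details = auth.getDetails();
        if (details instanceof OAuth2AuthenticationDetails) {
            details = ((OAuth2AuthenticationDetails) details).getDecodedDetails();
        }
        if (details instanceof Map) {
            @SuppressWarnings("unchecked")
            Map<String, ?> claims = (Map<String, ?>) details;
            return claims;
        }
        return Collections.emptyMap();              // converter not wired in: no claims available
    }
}
```

Because extractClaims falls back to an empty map rather than throwing, a misconfigured converter shows up as missing claims in the response instead of a 500, which is easy to catch in an integration test against the /me endpoint.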