如何在 Spring Boot OIDC 应用程序的控制器中获取用户详细信息? [英] How do I get user details in controller of Spring Boot OIDC app?

问题描述

我修改了此处的代码来调用 MitreID OIDC 服务器.

I have adapted the code from here to call a MitreID OIDC server.

我的控制器:

    public final String home(Principal p) {
    final String username = SecurityContextHolder.getContext().getAuthentication().getName();
...

返回 null 并且对于所有用户详细信息为 null.

returns null and is null for all userdetails.

我也试过:

public final String home(@AuthenticationPrincipal OpenIdConnectUserDetails user) {
        final String username = user.getUsername();

和

@RequestMapping(value = "/username", method = RequestMethod.GET)
    @ResponseBody
    public String currentUserNameSimple(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        return "username: " + principal.getName();
    }

一切都为空，但身份验证返回访问和用户令牌.

Everything is null but the authentication is returning an access and user token.

我的安全配置是:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private OAuth2RestTemplate restTemplate;

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    @Bean
    public OpenIdConnectFilter myFilter() {

        final OpenIdConnectFilter filter = new OpenIdConnectFilter("/openid_connect_login");
        filter.setRestTemplate(restTemplate);
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // @formatter:off
        http
        .addFilterAfter(new OAuth2ClientContextFilter(), AbstractPreAuthenticatedProcessingFilter.class)
        .addFilterAfter(myFilter(), OAuth2ClientContextFilter.class)
        .httpBasic().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/openid_connect_login"))
        .and()
        .authorizeRequests()
        .antMatchers("/","/index*").permitAll()
        .anyRequest().authenticated()
        ;

     // @formatter:on
    }
}

那么为什么我的控制器不能访问用户详细信息?

So why can my controller not access the userdetails?

根据要求，OpenIdConnectFilter:

 package org.baeldung.security;

import java.io.IOException;
import java.net.URL;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.jwt.Jwt;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.security.jwt.crypto.sign.RsaVerifier;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import com.fasterxml.jackson.databind.ObjectMapper;

public class OpenIdConnectFilter extends AbstractAuthenticationProcessingFilter {
    @Value("${oidc.clientId}")
    private String clientId;

    @Value("${oidc.issuer}")
    private String issuer;

    @Value("${oidc.jwkUrl}")
    private String jwkUrl;

    public OAuth2RestOperations restTemplate;

    public OpenIdConnectFilter(String defaultFilterProcessesUrl) {
        super(defaultFilterProcessesUrl);
        setAuthenticationManager(new NoopAuthenticationManager());
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {

        OAuth2AccessToken accessToken;
        logger.info("ewd here: b " );
        try {
            accessToken = restTemplate.getAccessToken();
        } catch (final OAuth2Exception e) {
            throw new BadCredentialsException("Could not obtain access token", e);
        }
        try {
            logger.info("ewd access token: " + accessToken);
            final String idToken = accessToken.getAdditionalInformation().get("id_token").toString();
            String kid = JwtHelper.headers(idToken)
                .get("kid");
            final Jwt tokenDecoded = JwtHelper.decodeAndVerify(idToken, verifier(kid));
            final Map<String, String> authInfo = new ObjectMapper().readValue(tokenDecoded.getClaims(), Map.class);
            verifyClaims(authInfo);
            final OpenIdConnectUserDetails user = new OpenIdConnectUserDetails(authInfo, accessToken);
            logger.info("ewd user token: " + tokenDecoded);
            return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        } catch (final Exception e) {
            throw new BadCredentialsException("Could not obtain user details from token", e);
        }

    }

    public void verifyClaims(Map claims) {
        int exp = (int) claims.get("exp");
        Date expireDate = new Date(exp * 1000L);
        Date now = new Date();
        if (expireDate.before(now) || !claims.get("iss").equals(issuer) || !claims.get("aud").equals(clientId)) {
            throw new RuntimeException("Invalid claims");
        }
    }


    private RsaVerifier verifier(String kid) throws Exception {
        JwkProvider provider = new UrlJwkProvider(new URL(jwkUrl));
        Jwk jwk = provider.get(kid);
        return new RsaVerifier((RSAPublicKey) jwk.getPublicKey());
    }

    public void setRestTemplate(OAuth2RestTemplate restTemplate2) {
        restTemplate = restTemplate2;

    }

    private static class NoopAuthenticationManager implements AuthenticationManager {

        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            throw new UnsupportedOperationException("No authentication should be done with this AuthenticationManager");
        }

    }
}

推荐答案

如果你需要用户名，你可以从 JwtAuthenticationToken 对象中获取，如下所示:

If you need username, you can get it from JwtAuthenticationToken object as below:

@GetMapping("/home")
public String home(JwtAuthenticationToken user) {
        String name = user.getName();

如果您需要来自用户个人资料的其他信息，您可以使用访问令牌调用您的身份验证服务器的 /userinfo 端点，如下所示:仅当您在 authorize 调用中包含 profile 范围时，这才会获取信息.

If you need some other information from user's profile, you can call your auth server's /userinfo endpoint with the access token as below: This will fetch info only if you had included profile scope in your authorize call.

@GetMapping("/home")
public String home(JwtAuthenticationToken user) {

        HttpHeaders headers = new HttpHeaders();
        headers.add(HttpHeaders.AUTHORIZATION, "Bearer "+user.getToken().getTokenValue());
        HttpEntity entity = new HttpEntity(headers);
        ResponseEntity<Map> userinfo = template.exchange("https://your-auth-server/default/v1/userinfo", HttpMethod.GET, entity, Map.class);
        String name = (String) userinfo.getBody().get("given_name");

您可以从此响应中检索所有个人资料属性.

You can retrieve all profile attributes from this response.

这篇关于如何在 Spring Boot OIDC 应用程序的控制器中获取用户详细信息?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！