oauth2 reload user authorities


Question

I am wondering what's the best way to do this. My scenario is the following:

I have separate oauth2 server and resource server sharing the auth information via database. The user authentication is being made by a provider that extends from AbstractUserDetailsAuthenticationProvider. Whenever I build the UserDetails object, I attach the authorities to that user details. The thing is, a specific call to my resource server might change the user authorities. As far as I understand, the UserDetails is stored serialized in the database, which seems to make the process even more difficult.

My question: is that a way of doing this right? Or better, is the API prepared to handle such a requirement? If not, what are my options here?

Also note that the server that will make somehow a possible change in the authorities is the resource server and not the one running the oauth2 stuff.

Recommended answer

I suppose the way you handle this depends on your business requirements. An access token is a bit like a session - it expires and it can be revoked in one way or another. Most easily the approvals can be revoked and the refresh token thereby disabled, so the most straightforward way to handle the authority change is to use a short expiry for the access token and re-load the authorities when you refresh. (The 2.0.7 snapshots have some configuration options to make that easy or automatic, but it's work in progress.)
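A concrete form of the answer's advice, as an added example that is not from the thread or the Spring project itself: a spring-security-oauth2 2.0.x authorization-server configuration with a 5-minute access token, a `JdbcTokenStore` on the database shared with the resource server, and a `UserDetailsService` handed to the endpoints configurer, which makes the `refresh_token` grant re-load the user (and so its current authorities) before the new access token is issued. The client id and secret, the `users`/`authorities` table names, and the assumption that the stored password matches the configured password encoder are all hypothetical.

```java
import java.util.List;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired private AuthenticationManager authenticationManager;
    @Autowired private DataSource dataSource;   // the database shared with the resource server
    // Reads the user's CURRENT authorities from the shared DB on every call (no caching), so a
    // change made by the resource server is picked up at the next refresh. Assumed (hypothetical)
    // schema: users(username, password) and authorities(username, authority).
    private UserDetailsService freshUserDetailsService() {
        JdbcTemplate jdbc = new JdbcTemplate(dataSource);
        return username -> {
            List<String> pw = jdbc.queryForList(
                "select password from users where username = ?", String.class, username);
            if (pw.isEmpty()) throw new UsernameNotFoundException(username);
            return new User(username, pw.get(0), jdbc.query(
                "select authority from authorities where username = ?",
                (rs, i) -> new SimpleGrantedAuthority(rs.getString("authority")), username));
        };
    }
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("resource-client").secret("resource-secret") // constructed
            .authorizedGrantTypes("password", "refresh_token").scopes("read", "write")
            .accessTokenValiditySeconds(300)        // short-lived: stale authorities live at most 5 min
            .refreshTokenValiditySeconds(24 * 3600);
    }
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(new JdbcTokenStore(dataSource))  // tokens readable by the resource server
            .authenticationManager(authenticationManager)     // needed for the password grant
            .userDetailsService(freshUserDetailsService());   // user re-loaded on each refresh_token grant
    }
}
```

Because the resource server reads the `OAuth2Authentication` stored with each token, an authority change becomes visible there once the client has refreshed, i.e. within the access-token lifetime; an immediate cut-off still requires revoking the token or the approval, as the answer notes.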
