Can I include user information while issuing an access token?

Problem description

I have seen, in some oauth2 implementations, additional information on the response returned by the authorization server when it issues access tokens. I'm wondering if there is a way to accomplish this using spring-security-oauth2. I would love to be able to include some user authorities on the access token response so that my consuming applications don't need to manage the user authorities but can still set the user on their own security contexts and apply any of their own spring-security checks.

  1. How can I get information onto the access token response?
  2. How can I intercept that information in the oauth2 client and set it on the security context?

I suppose another option would be to use JWT tokens and share the appropriate information with the client applications so that they can parse the user / authorities out of the token and set it on the context. This makes me more uncomfortable, since I'd prefer to be in control of which client applications could have access to this information (trusted apps only), and AFAIK only the authorization server and resource server should know how to parse the JWT tokens.

Recommended answer

You will need to implement a custom TokenEnhancer like so:

import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.userdetails.User;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

public class CustomTokenEnhancer implements TokenEnhancer {

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        // The principal is a User only for grants that involve an end user; for
        // client_credentials it is the client id string and there are no user authorities to copy
        if (!(authentication.getPrincipal() instanceof User)) {
            return accessToken;
        }
        User user = (User) authentication.getPrincipal();
        final Map<String, Object> additionalInfo = new HashMap<>();

        additionalInfo.put("customInfo", "some_stuff_here");
        additionalInfo.put("authorities", user.getAuthorities());

        // Everything in additionalInformation is serialized into the token endpoint's JSON response
        ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);

        return accessToken;
    }

}

Then add it to your AuthorizationServerConfigurerAdapter as a bean, wiring it in with the corresponding setters:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    // Some autowired stuff here

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // @formatter:off
        endpoints
            // ...
            .tokenEnhancer(tokenEnhancer());
        // @formatter:on
    }

    @Bean
    @Primary
    public AuthorizationServerTokenServices tokenServices() {
        DefaultTokenServices tokenServices = new DefaultTokenServices();
        // ... (token store, refresh-token support, validity, etc.)
        // The same enhancer must be set here, otherwise tokens created through
        // these services bypass the one registered on the endpoints
        tokenServices.setTokenEnhancer(tokenEnhancer());
        return tokenServices;
    }

    // Some @Bean here like tokenStore

    @Bean
    public TokenEnhancer tokenEnhancer() {
        return new CustomTokenEnhancer();
    }

}

Then in a controller (for example):

import java.util.Collection;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class MyController {

    // AuthorizationServerTokenServices is only available inside the authorization server,
    // so this controller lives there and reads the stored token for the current authentication
    @Autowired
    private AuthorizationServerTokenServices tokenServices;

    @RequestMapping(value = "/getSomething", method = RequestMethod.GET)
    @SuppressWarnings("unchecked")
    public String getSection(OAuth2Authentication authentication) {
        Map<String, Object> additionalInfo = tokenServices.getAccessToken(authentication).getAdditionalInformation();

        String customInfo = (String) additionalInfo.get("customInfo");
        // With a Java-serializing store such as JdbcTokenStore the GrantedAuthority objects survive as-is
        Collection<? extends GrantedAuthority> authorities = (Collection<? extends GrantedAuthority>) additionalInfo.get("authorities");

        // Play with authorities

        return customInfo;
    }

}

I'm personally using a JDBC TokenStore, so my "Some autowired stuff here" corresponds to some @Autowired Datasource, PasswordEncoder and what not.

希望这有帮助!
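The enhancer above adds the authorities to every token it enhances, which means every client that calls the token endpoint sees them in the response body. The question's concern about restricting this to trusted apps can be handled inside the enhancer itself, since OAuth2Authentication exposes the requesting client id. The following is an added example, not code from the original answer; the set of trusted client ids and the "user_name" entry are assumptions. It also emits the authorities as plain strings, which is a more predictable shape for a JSON consumer than serialized GrantedAuthority objects:

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

/**
 * TokenEnhancer that only discloses user authorities to an allowlisted set of clients.
 * The allowlist is an assumption for this example; load it from your ClientDetails in practice.
 */
public class TrustedClientTokenEnhancer implements TokenEnhancer {

    private final Set<String> trustedClientIds;

    public TrustedClientTokenEnhancer(Set<String> trustedClientIds) {
        this.trustedClientIds = trustedClientIds;
    }

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        String clientId = authentication.getOAuth2Request().getClientId();

        // Untrusted client, or a client_credentials grant with no end user behind it:
        // hand the token back untouched so nothing about users leaks into the response
        if (!trustedClientIds.contains(clientId) || authentication.isClientOnly()) {
            return accessToken;
        }

        // Plain strings serialize as ["ROLE_USER", ...] instead of [{"authority":"ROLE_USER"}, ...]
        List<String> authorities = authentication.getUserAuthentication().getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());

        // Preserve anything an earlier enhancer in the chain already added
        Map<String, Object> info = new HashMap<>(accessToken.getAdditionalInformation());
        info.put("authorities", authorities);
        info.put("user_name", authentication.getName()); // assumed key; lets the client name its principal

        DefaultOAuth2AccessToken enhanced = new DefaultOAuth2AccessToken(accessToken);
        enhanced.setAdditionalInformation(info);
        return enhanced;
    }
}
```

Register it exactly like the CustomTokenEnhancer in the answer (endpoints.tokenEnhancer(...) and tokenServices.setTokenEnhancer(...)). Note that the allowlist is a disclosure control only: a client that does receive the data has no way to verify it beyond trusting the TLS channel to the token endpoint, so resource servers should keep authorizing from the token itself rather than from what a client forwards.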
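For the second part of the question (consuming the extra fields on the client side), the added example below reads the "authorities" entry from the current OAuth2AccessToken held by the client's OAuth2ClientContext and installs an Authentication in the SecurityContext. It is not code from the original answer. It assumes the authorization server puts an "authorities" entry in the token response; because Jackson serializes a collection of SimpleGrantedAuthority as [{"authority":"ROLE_USER"}, ...], the client-side deserializer yields a List of Maps, and the mapper accepts both that shape and a plain list of strings. The accepted-authority allowlist and the principal name passed in are assumptions:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

/**
 * Maps the "authorities" entry of a token response onto the client's own SecurityContext.
 */
public class TokenResponseAuthoritiesMapper {

    // Authority names this client is willing to honour from the token response (assumed set);
    // anything else from the server is dropped rather than trusted blindly
    private static final Set<String> ACCEPTED = new HashSet<>(Arrays.asList("ROLE_USER", "ROLE_ADMIN"));

    private final OAuth2ClientContext clientContext;

    public TokenResponseAuthoritiesMapper(OAuth2ClientContext clientContext) {
        this.clientContext = clientContext;
    }

    /**
     * Builds an authenticated token for principalName from the current access token's
     * "authorities" entry and stores it in the SecurityContext.
     * Returns null (and leaves the context untouched) if no usable authorities are present.
     */
    public Authentication populateSecurityContext(String principalName) {
        OAuth2AccessToken token = clientContext.getAccessToken();
        if (token == null || token.getAdditionalInformation() == null) {
            return null;
        }
        List<GrantedAuthority> authorities = authoritiesFrom(token.getAdditionalInformation().get("authorities"));
        if (authorities.isEmpty()) {
            return null;
        }
        // The three-argument constructor marks the token as authenticated
        Authentication auth = new UsernamePasswordAuthenticationToken(principalName, token.getValue(), authorities);
        SecurityContextHolder.getContext().setAuthentication(auth);
        return auth;
    }

    /**
     * Accepts either [{"authority":"ROLE_USER"}, ...] (Jackson's rendering of GrantedAuthority objects,
     * deserialized to Maps) or ["ROLE_USER", ...] and keeps only allowlisted names.
     */
    static List<GrantedAuthority> authoritiesFrom(Object raw) {
        List<GrantedAuthority> result = new ArrayList<>();
        if (!(raw instanceof Collection)) {
            return result;
        }
        for (Object item : (Collection<?>) raw) {
            String name = null;
            if (item instanceof Map) {
                Object value = ((Map<?, ?>) item).get("authority");
                name = value == null ? null : value.toString();
            } else if (item instanceof String) {
                name = (String) item;
            }
            if (name != null && ACCEPTED.contains(name)) {
                result.add(new SimpleGrantedAuthority(name));
            }
        }
        return result;
    }
}
```

Call populateSecurityContext after the OAuth2RestTemplate has obtained the token (for example from a filter that runs once the OAuth2ClientContext holds a token); after that, the client's own @PreAuthorize or hasRole checks work against the mapped authorities. The allowlist matters because these values arrive in a response body the client cannot independently verify, so the client should only ever map names it already knows how to interpret.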
