Rest, Spring own OAuth2 server + OAuth2 providers like Facebook, Google, Yahoo


Problem description

In a Spring Boot application I have secured my Spring MVC REST endpoints with Spring Security and Spring OAuth2. I have my own AuthorizationResource servers, so in order to communicate with our API, the client (AngularJS) needs to obtain an accessToken from my API Authorization Server.

Everything works fine, but for authentication/authorization on my API, the user needs to create his account and provide us with his username/password.

I'd like to simplify this process and would like to propose that the user authenticate on my API via Google/Facebook/Twitter OAuth providers.

Right now I have no clear understanding of how it must work. For example, one of my ideas: Facebook will issue its own accessToken and pass it back to my API. Based on this accessToken, my API will issue its own accessToken and pass it back to the client application (AngularJS). Or should I pass the Facebook accessToken directly to the client app?

What is the correct architecture for the described case? How should it work?

Maybe there is some example that demonstrates this architecture based on the Spring framework?

Recommended answer

If you want to delegate authentication to an external provider you can use the OAuth2ClientAuthenticationProcessingFilter, or the convenience annotations and external configuration provided in Spring Cloud Security. Example (from the Spring Cloud Security home page):

Application.java:

@SpringBootApplication
@EnableOAuth2Sso
public class Application {
   ...
}

application.yml:

spring:
  oauth2:
    client:
      clientId: bd1c0a783ccdd1c9b9e4
      clientSecret: 1a9030fbca47a5b2c28e92f19050bb77824b5ad1
      accessTokenUri: https://github.com/login/oauth/access_token
      userAuthorizationUri: https://github.com/login/oauth/authorize
      clientAuthenticationScheme: form
    resource:
      userInfoUri: https://api.github.com/user
      preferTokenInfo: false

That works with github if your app is running on port 8080 (I believe). Similar configuration works with facebook, cloud foundry, google and other OAuth2 providers.
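
The first option raised in the question (the API issues its own accessToken once the external login has succeeded, and the provider's token stays on the server) can be sketched as follows. This is an added example, not part of the original answer and not Spring code: the class, its methods and the sample subject ids are hypothetical, and the provider name and subject id are assumed to come from the provider's user-info response after a completed server-side login.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical broker (Java 16+): links an external login to a local account and issues the API's own token.
public class TokenBroker {
    private record Grant(String localUser, Instant expires) {}
    private final SecureRandom rng = new SecureRandom();
    private final AtomicInteger nextId = new AtomicInteger();
    private final Map<String, String> links = new ConcurrentHashMap<>(); // "provider|subject" -> local user
    private final Map<String, Grant> grants = new ConcurrentHashMap<>(); // SHA-256(token) -> grant
    private final Duration ttl;

    public TokenBroker(Duration ttl) { this.ttl = ttl; }

    // Assumption: called only after the server-side login with the provider succeeded.
    public String issue(String provider, String subject) {
        // Key on provider + subject id so equal ids at two providers stay separate accounts.
        String user = links.computeIfAbsent(provider + "|" + subject, k -> "user-" + nextId.incrementAndGet());
        byte[] raw = new byte[32];
        rng.nextBytes(raw); // 256-bit opaque value, unrelated to the provider's accessToken
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        grants.put(sha256(token), new Grant(user, Instant.now().plus(ttl)));
        return token;
    }

    // Local user for a live token; unknown or expired tokens resolve to empty.
    public Optional<String> resolve(String token) {
        Grant g = grants.get(sha256(token));
        if (g == null || Instant.now().isAfter(g.expires())) return Optional.empty();
        return Optional.of(g.localUser());
    }

    private static String sha256(String s) { // only the hash of a token is stored
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        TokenBroker b = new TokenBroker(Duration.ofMinutes(15));
        String t1 = b.issue("github", "1234567"), t2 = b.issue("facebook", "1234567"); // constructed ids
        System.out.println(b.resolve(t1) + " " + b.resolve(t2) + " " + b.resolve("forged"));
    }
}
```

The two constructed logins resolve to different local users even though the subject ids are equal, and a token the broker never issued resolves to empty.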
