了解 OAuth2 客户端凭据流 [英] Understanding OAuth2 Client credentials flow

问题描述

我正在尝试理解和实现我们新的 REST 服务器和我们现有的客户端应用程序之间的客户端凭据流.我已经设置了 spring-security OAuth2 就像 this.根据我目前的理解，我的服务器现在应该支持以下请求:

I'm trying to understand and implement a client credentials flow between our new REST server and our existing client app. I've setup spring-security OAuth2 like this. From my understanding so far, my server should now support the following request:

$ curl -X -v -d 'client_id=the_client&client_secret=secret&grant_type=client_credentials' -X POST "http://localhost:9090/oauth/token"

但我明白了

InsufficientAuthenticationException: There is no client authentication

由 Principal 为 null 引起(弹簧安全代码):

caused by the Principal being null here (spring-security code) :

@FrameworkEndpoint
@RequestMapping(value = "/oauth/token")
public class TokenEndpoint extends AbstractEndpoint {

    @RequestMapping
    public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal,
            @RequestParam("grant_type") String grantType, @RequestParam Map<String, String> parameters) {

        if (!(principal instanceof Authentication)) {
            throw new InsufficientAuthenticationException(

看来，我需要先对服务器进行身份验证.但这不是我想做的.我希望我的两台服务器使用共享密钥相互通信.OAuth 提供程序服务器应根据请求向(受信任的)客户端服务器提供访问令牌，以便客​​户端服务器可以使用该令牌访问服务器上的所有 REST 资源.这应该可以保护 REST 资源免受外部访问.

So it seems, I need to authenticate against the server first. But that's not what I want to do. I want two of my servers to talk to each other using a shared secret. The OAuth provider server should provide an access token to the (trusted) client server on request so that the client server can then use that token to access all REST resources on the server. This should protect the REST resources from external access.

稍后我想将选定的资源提供给第三方，并最终为服务器到服务器的通信实现一些更细粒度的安全性.但现在我需要保护 REST 服务器免受外部访问.

Later I want to provide selected resources to a third party and eventually implement some finer grained security for the server-to-server communication as well. But for now I need to protect the REST server from external access.

看起来我可能对整个客户端凭据流或 spring-security 的应用有一些误解，因此我们将不胜感激.

Looks like I might have some misunderstandings about the whole client credentials flow or the application of spring-security right there so any clarification would be greatly appreciated.

推荐答案

您没有向授权服务器验证您的客户端.

You are not authenticating your client to the Authorization server.

你需要做这样的事情:

curl --user the_client:secret --data "grant_type=client_credentials" http://localhost:9090/oauth/token

这是向授权服务器验证客户端，然后指定 grant_type 和其他参数.这将返回一个承载"类型的访问令牌，其范围由 oauth 客户端详细信息确定.获得令牌后，您可以通过设置授权标头来访问受保护的资源:

This is authenticating the client to the authorization server and then specifying grant_type and other parameters. This will return an access token of type 'bearer' with scope determined by the oauth client details. Once you have the token, you can access your protected resources by setting the Authorization header:

curl -H "Authorization: Bearer <accessToken>" <resourceUrl>

这篇关于了解 OAuth2 客户端凭据流的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！