Spring Oauth2 隐式流 [英] Spring Oauth2 implicit flow

问题描述

致力于使用 Spring 实现 Oauth2.我想实现隐式工作流:

Working on implementing Oauth2 with Spring. I want to implement the implicit workflow:

我的配置文件:

@Configuration
@EnableAutoConfiguration
@RestController
public class App {

    @Autowired
    private DataSource dataSource;

    public static void main(String[] args) {
        SpringApplication.run(App.class, args);
    }

    @RequestMapping("/")
    public String home() {
        return "Hello World";
    }

    @Configuration
    @EnableResourceServer
    protected static class ResourceServer extends ResourceServerConfigurerAdapter {

        @Autowired
        private TokenStore tokenStore;

        @Override
        public void configure(ResourceServerSecurityConfigurer resources)
                throws Exception {
            resources.tokenStore(tokenStore);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            // @formatter:off
        http.authorizeRequests().antMatchers("/oauth/token").authenticated()
                .and()
                .authorizeRequests().anyRequest().permitAll()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .csrf().disable();
        }

    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager auth;

        private BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

        @Bean
        public JdbcTokenStore tokenStore() {
            return new JdbcTokenStore(DBConnector.dataSource);
        }

        @Bean
        protected AuthorizationCodeServices authorizationCodeServices() {
            return new JdbcAuthorizationCodeServices(DBConnector.dataSource);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer security)
                throws Exception {
            security.passwordEncoder(passwordEncoder);
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints)
                throws Exception {
            endpoints.authorizationCodeServices(authorizationCodeServices())
                    .authenticationManager(auth).tokenStore(tokenStore())
                    .approvalStoreDisabled();            
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // @formatter:off
            clients.jdbc(DBConnector.dataSource)
                    .passwordEncoder(passwordEncoder)
                    .withClient("my-trusted-client")
                    .secret("test")
                    .authorizedGrantTypes("password", "authorization_code",
                            "refresh_token", "implicit")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write", "trust")
                    .resourceIds("oauth2-resource")
                    .accessTokenValiditySeconds(0);

            // @formatter:on
        }

    }

    @Autowired
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        // @formatter:off 
        auth.jdbcAuthentication().dataSource(DBConnector.dataSource).withUser("dave")
                .password("secret").roles("USER");

        // @formatter:on
    }

}

到目前为止，这是有效的.数据库中也会生成一个用户.

This is working so far. A user is also generated in the database.

问题如下.当我尝试执行以下请求时:

Problem is following. When i try to do following request:

http://本地主机:8080/oauth/token?grant_type=authorization_code&client_id=my-trusted-client&username=dave&password=secret

我总是收到一个弹出窗口(身份验证)，要求我输入用户名和密码.但不管我进入那里，我永远不会通过.那么有什么问题呢?

I always get a popup window (authentication) asking me to enter a username and a password. But it doesn't matter what i enter there i never pass through. So what is wrong there?

我想要它，当我调用这个 url 时，我会取回我的 access_token.

I would like to have it, that when i call this url, that i get back my access_token.

推荐答案

在隐式流的情况下，所有令牌将通过授权 url 而不是令牌 url 生成.所以你应该使用隐式响应类型点击 ../oauth/authorize 端点.即

In case of implicit flow all token will be generated through authorization url instead of token url. so you should hit ../oauth/authorize endpoint with implicit response type. i.e

../oauth/authorize?response_type=implicit&client_id=trusted_client&redirect_uri=<redirect-uri-of-client-application>.

您正在收到用户名密码弹出窗口，因为令牌端点已经通过 spring 的 BasicAuthenticationFilter 受到保护，并且希望您将 client_id 作为用户名传递，将 client_secret 作为密码传递.您需要保护授权端点而不是令牌端点，因此请按照给定的方式进行端点安全配置...

You are getting the username password popup because token endpoint is already protected through spring's BasicAuthenticationFilter and it is expecting you to pass your client_id as username and client_secret as password. Instead of token endpoint you need to protect authorization endpoint so do your endpoint security configuration as given...

 @Override
        public void configure(HttpSecurity http) throws Exception {
            // @formatter:off
        http.authorizeRequests().antMatchers("/oauth/authorize").authenticated()
                .and()
                .authorizeRequests().anyRequest().permitAll()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .csrf().disable();
        }

这篇关于Spring Oauth2 隐式流的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！