了解OAuth2客户端凭据流 [英] Understanding OAuth2 Client credentials flow

问题描述

我正在尝试理解并实现新REST服务器和现有客户端应用之间的客户端凭据流。我已经设置了spring-security OAuth2，例如这个。根据我的理解，到目前为止，我的服务器现在应该支持以下请求：

I'm trying to understand and implement a client credentials flow between our new REST server and our existing client app. I've setup spring-security OAuth2 like this. From my understanding so far, my server should now support the following request:

$ curl -X -v -d 'client_id=the_client&client_secret=secret&grant_type=client_credentials' -X POST "http://localhost:9090/oauth/token"

但我得到了

InsufficientAuthenticationException: There is no client authentication

由 Principal 导致 null 这里（spring-security code）：

caused by the Principal being null here (spring-security code) :

@FrameworkEndpoint
@RequestMapping(value = "/oauth/token")
public class TokenEndpoint extends AbstractEndpoint {

    @RequestMapping
    public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal,
            @RequestParam("grant_type") String grantType, @RequestParam Map<String, String> parameters) {

        if (!(principal instanceof Authentication)) {
            throw new InsufficientAuthenticationException(

所以看来，我需要对服务器进行身份验证首先。但是不是我想做的事情。我希望我的两台服务器使用共享密钥互相通信.OAuth提供商服务器应该为（受信任的）提供访问令牌）请求客户端服务器，以便客户端服务器可以使用该令牌访问服务器上的所有REST资源。这应该保护REST资源免受外部访问。

So it seems, I need to authenticate against the server first. But that's not what I want to do. I want two of my servers to talk to each other using a shared secret. The OAuth provider server should provide an access token to the (trusted) client server on request so that the client server can then use that token to access all REST resources on the server. This should protect the REST resources from external access.

稍后我想为第三方提供所选资源，并最终为服务器到服务器通信实现一些更细粒度的安全性。但是现在我需要保护REST服务器fr外部访问。

Later I want to provide selected resources to a third party and eventually implement some finer grained security for the server-to-server communication as well. But for now I need to protect the REST server from external access.

看起来我可能对整个客户端凭证流程或spring-security的应用有一些误解，所以任何澄清都将非常感激。

Looks like I might have some misunderstandings about the whole client credentials flow or the application of spring-security right there so any clarification would be greatly appreciated.

推荐答案

您没有向授权服务器验证您的客户端。

You are not authenticating your client to the Authorization server.

你需要这样做：

curl --user the_client:secret --data "grant_type=client_credentials" http://localhost:9090/oauth/token

这是对授权服务器的客户端进行身份验证，然后指定grant_type和其他参数。这将返回类型为bearer的访问令牌，其范围由oauth客户端详细信息确定。获得令牌后，您可以通过设置授权标头来访问受保护资源：

This is authenticating the client to the authorization server and then specifying grant_type and other parameters. This will return an access token of type 'bearer' with scope determined by the oauth client details. Once you have the token, you can access your protected resources by setting the Authorization header:

curl -H "Authorization: Bearer <accessToken>" <resourceUrl>

这篇关于了解OAuth2客户端凭据流的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！