从Spring RESTful资源服务器验证OAuth 2.0访问令牌 [英] validate OAuth 2.0 access token from a Spring RESTful resource server

问题描述

我想保护我的Spring RESTful后端。一种方式（右边？）是使用OAuth 2.0，如下所示：

I want to secure my Spring RESTful backend. One way (the right?) is to use OAuth 2.0 like shown here:

http://www.youtube.com/watch?v=8uBcpsIEz2I

在我的架构中，资源服务器和授权服务器 ARE不相同的实体。我真的只是提供一些JSON REST服务。没有UI。如果我阅读 OAuth2 RFC ，他们只会说：

Within my architecture the resource server and authorization server ARE NOT the same entity. I really just provide some JSON REST services. No UI. If I read the OAuth2 RFC they just say:

授权服务器和资源服务器
之间的交互超出了本规范的范围。授权服务器
可以是与资源服务器相同的服务器或单独的实体。
单个授权服务器可以发出
多个资源服务器接受的访问令牌。

The interaction between the authorization server and resource server is beyond the scope of this specification. The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

我找到了一个好的图表在 cloudfoundry.com 上（与上述YouTube视频相关） ）我用它来说明我的看法：

I found a good diagram on cloudfoundry.com (related to the above youtube video) which I'm using to illustrate my view:

令牌提供者：这可能/应该是google或facebook。

"token" provider: This could/should be google or facebook for example.

RESTful后端：这实际上是我的代码。 Spring RESTful服务，例如：

RESTful backend: This is actually my code. Spring RESTful services like:

@Controller
@RequestMapping("/api/v1")
public class MyResourceToProtect {

    @Autowired
    private MyService service;

    @RequestMapping(value = "/resource/delete/{name}",
                    method = RequestMethod.DELETE,
                    consumes = MediaType.APPLICATION_JSON_VALUE,
                    headers = "Content-Type=application/json")
    @ResponseStatus(HttpStatus.OK)
    public void delete(@PathVariable("name") String name) {
        service.delete(name);
    }
}

（这只是一些示例代码）

(This is just some sample code)

现在我的问题：是否有可能验证由AuthServer（Facebook，Google）生成的访问令牌？我知道我需要在ResourceServer的某个地方有一个令牌到用户映射（数据库）。基本上我想设计一个来自PayPal的RESTful API：

Now my question: Is it somehow possible to validate the access tokens which are generated by the AuthServer (Facebook, Google)? I know that I need to have a "token to user" mapping (database) somewhere on my ResourceServer. Basically I'd like to design my RESTful API like to one from PayPal:

https://developer.paypal.com/webapps/developer/docs/integration/direct/make-your-first-call/

但我如何处理步骤1& 2如果我想使用Facebook或Google作为auth提供商？这甚至可能吗？

But how can I handle the steps 1 & 2 if I want to use Facebook or Google as auth providers? Is this even possible?

另外的想法：可能我需要提供我自己的 / oauth2 / token 端点然后委托给基础的AuthProvider。

Additional thought: Probably I need to provide my own /oauth2/token endpoint and then delegate to the underlying AuthProvider.

推荐答案

不确定如何用一个漂亮的弓来回答所有问题，所以我只是把以下指出：

Not sure how to answer all the questions with a nice bow, so I'll just put the following points out there:

• 您是否尝试以OAuth安全的方式使用Facebook等OAuth安全API？使用Spring Social。


• 如果您正在尝试创建OWN REST API并使用OWN用户上下文，请使用Spring Security OAuth。在这种情况下，您需要客户使用OAuth对您的API进行身份验证，而不是Facebook或LinkedIn等。


• Spring Social Security（在1.2.x系列中）支持'签署'用户进入OAuth连接的结果（例如，'与facebook签名'，'..'，'..'，'..链接，'等等，您的应用程序最终会在会话中以Spring Security主体结束，就好像您曾使用HTTP表单手动签署用户。


• Spring Security OAuth并不关心您从哪里获得Spring Security主体。它只关心主体是否具有正确的角色/ Spring Security OAuth客户端所需的范围。因此，没有理由不能使用Spring Social安全连接到Facebook，使用Spring Social Security让该连接创建Spring Security Authentication对象，然后使用Spring Security OAuth然后保护对您的API的任何访问权限，这反过来可以安全地连接到Facebook的A. PI幕后。客户端将使用OAuth访问令牌为您的API，而不是Facebook。这在服务中处理。

• Are you trying to just consume an OAuth-secured API like Facebook in a OAuth-secured fashion? Use Spring Social.
• If you're trying to create your OWN REST API and use your OWN user context, then use Spring Security OAuth. In this case, you would require clients to authenticate using OAuth against YOUR API, not Facebook or LinkedIn, etc.
• Spring Social Security (in the 1.2.x series) supports 'signing' the user in as the result of an OAuth connection (e.g., 'signin with facebook,' '..twitter,' '..linkedin,' etc., and your application ultimately ends up with a Spring Security principal in session, just as if you had used an HTTP form to sign the user in manually.
• Spring Security OAuth doesn't care where you got the Spring Security principal from. It just cares if the principal has the right roles / scopes required by the Spring Security OAuth client. So, there's no reason you couldn't use Spring Social to securely connect to Facebook, use Spring Social Security to have that connection create a Spring Security Authentication object, and then use Spring Security OAuth to then secure any access to YOUR API, which in turn might securely connect to Facebook's API behind the scenes. Clients would use the OAuth access token for YOUR API, not Facebook. That gets handled in the service.

这篇关于从Spring RESTful资源服务器验证OAuth 2.0访问令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！