使用JDBC和JWT实现Spring OAuth2，并使用基于XML的配置自定义现有授权流 [英] Implement Spring OAuth2 using JDBC with JWT and customize existing grant flows using XML based configuration

问题描述

我开始使用Spring OAuth2，在此过程中，我很难找到相关的教程和内容，主要是因为以下内容

I started to use Spring OAuth2 and in the process, I struggled to find relevant tutorials and content mostly because of the following

• I不想使用Spring Boot


• 我不想使用Java配置而不是xml配置


• 我需要自定义Spring OAuth2授权流程和其他针对我们特定需求的功能


• 我需要禁用一些授权流程


• 我需要Spring OAuth2来使用自定义用户和角色


• 我需要在自定义数据库选项卡中使用商店oauth_client详细信息


• 其他内容

• I did not want to use Spring Boot
• I did not want to use Java configs rather xml configuration
• I needed to customize Spring OAuth2 grant flows and other features for our specific needs
• I needed to disable some grant flows
• I needed to Spring OAuth2 to use custom Users and Roles
• I needed to use store oauth_client details in a custom database tab
• Other stuff

我设法编写了我的实现，解决了上述问题，现在我想分享我的发现，以便为其他人节省痛苦。

I have managed to write my implementation that addresses the above points and now I want to share my findings in order to save others the suffering.

请参阅我所采用的方法的答案，如果您有任何建议，请随时分享您的建议，建议和反馈。

See my answer for the approach I followed and feel free to share your advise, suggestions and feedback if you have any.

这个问题的主要目的是

• 获取反馈，建议和关于我遵循的方法的建议


• 分享我所学到的所有困难，希望能够帮助他人解决问题，并将社区学到的知识回馈给社区。
  

推荐答案

我开始使用主要使用XML配置的Spring Security框架的基本设置。

I started off with basic setup of Spring Security framework using mainly XML configuration.

Spring Security OAuth2
我做了大量的谷歌搜索并查看了一堆存储库，包括主要的 Spring OAuth 2 repo。

我从 OAuth2 XML Configs 我需要进行更改才能

I started off with OAuth2 XML Configs and I needed to make changes in order to

1. 整理，清理 spring-security.xml OAuth2配置文件


2. 指示Spring OAuth2查找不同的（自定义）数据库中的用户和角色表


3. 指示Spring OAuth2查找不同的（自定义的）oauth_client_details表（带有额外的列）


4. 使用JWT令牌并进行必要的更改以自定义 JWT令牌以包含自定义声明


5. 开发 OAuth2RequestValidator 的自定义实现并将其注入令牌端点使用XML配置


6. 禁用授权流程


7. 启用验证令牌endpion t / oauth / check_token 并验证JWT令牌自定义声明

1. Organize, clean up the spring-security.xml OAuth2 config file
2. Instruct Spring OAuth2 to lookup a different (customized) user and role tables from database
3. Instruct Spring OAuth2 to lookup a different (customized) oauth_client_details table (with extra columns)
4. Use JWT Tokens and make required changes to customize the JWT Token to include custom claims
5. Develop custom implementation of OAuth2RequestValidator and inject it to the Token endpoint using XML configuration
6. Disable a grant flow
7. Enable verify token endpiont /oauth/check_token and validate JWT token custom claims

而且，我已经达到以下要求

And, I have achieved the above as follow

上面链接的默认 spring-security.xml 带有以下假设

The default spring-security.xml linked above comes with the following assumptions

1. 授权服务器和资源服务器都在同一台机器上。


2. 使用内存中用户


3. 使用内存中的oauth客户端

1. Both Authorization server and Resource server are in the same machine.
2. Use in-memory users
3. Use in-memory oauth clients

我想将身份验证和资源服务器分开，因此我剥离了所有受保护的端点配置和内存中的用户服务和oauth-client-details。

I would like to keep the Authentication and Resource server separate hence, I stripped off all the protected endpoints configs and the in-memory user-service and oauth-client-details.

为实现此目的，我确保

1. MyUser 对象实现以下 org.springframework.security.core.userdetails.UserDetails
   和覆盖 getAuthorities ，它返回 GrantedAuthority
的集合

2. MyRole 对象实现 org.springframework.security.core.GrantedAuthority 并覆盖方法 getAuthority

1. MyUser object implements the following org.springframework.security.core.userdetails.UserDetails and overrides the getAuthorities which return a collection of GrantedAuthority
2. MyRole object implements the org.springframework.security.core.GrantedAuthorityand override the method getAuthority

我现在需要通知 Spring OAuth2 关于上面的自定义 MyUser和MyRole ，为了做到这一点，我需要做以下的事情

I now need to inform the Spring OAuth2 about the above customised MyUser and MyRole and in order to do that, I needed to do the following

1. 为 org.springframework.security.core.userdetails.UserDetailsS​​ervice 接口提供自定义实现并覆盖继承的 loadByUsername 方法来查询我的自定义用户数据库表并检索具有其角色的用户并构造 org.springframework.security.core.userdetails.User 的实例并将其返回。



2. 创建上述自定义实现的< bean> ，让我们称之为 MyUserDetailsS​​ervice 并将其放在 spring-security.xml 配置文件中。如下所示

1. Provide custom implementation for org.springframework.security.core.userdetails.UserDetailsService interface and override the inherited loadByUsername method to query my custom user database table and retrieve the user with its roles and construct an instance of org.springframework.security.core.userdetails.User and return it.

2. Create a <bean> of the above custom implementation and let's call it MyUserDetailsService and place it in spring-security.xml config file. Something as follow

< bean id =myUserDetailsS​​erviceclass =your.package.hierarcy.goes.here.MyUserDetailsS​​ervice/>

仅仅定义一个bean再次不够，我们必须告诉 Spring OAuth2 使用 MyUserDetailsS​​ervice 为此我们需要将 myUserDetailsS​​ervice 注入Spring OAuth2默认身份验证提供程序或我们自己的身份验证提供程序，然后将传递给 authentication-manager 元素，如下所示

Just defining a bean is once again not enough, we have to tell Spring OAuth2 to use the MyUserDetailsService and to do that we need to inject the myUserDetailsService into Spring OAuth2's default authentication provider or our own authentication provider that will then get passed to authentication-manager element, as shown below

<bean id="daoAuthenticationProvider"    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
      <property name="userDetailsService" ref="myUserDetailsService"/>
      <!-- if you encode or encrypt your password, then pass encoder-->
      <!--<property name="passwordEncoder" ref="passwordEncoder"/>-->
    </bean>

最后，我们需要将上述身份验证提供程序注入指定的身份验证管理器在 spring-security.xml 中，如下所示

Finally we need to inject the above Authentication Provider into the Authentication Manager specified in spring-security.xml as shown below

<!-- Original --> 
<authentication-manager alias="authenticationManager"
        xmlns="http://www.springframework.org/schema/security">
        <authentication-provider>
            <user-service id="userDetailsService">
                <user name="marissa" password="koala" authorities="ROLE_USER" />
                <user name="paul" password="emu" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

将以上内容更改为

<!-- Modified with our own implementation of UserDetailsService --> 
<authentication-manager alias="authenticationManager"
        xmlns="http://www.springframework.org/schema/security">
        <authentication-provider ref="daoAuthenticationProvider" />
    </authentication-manager>

现在要使用上面使用的身份验证管理器，将其传递给<$中的授权流程c $ c>< oauth：authorization-server> 如下所示

And now to use the above Authentication Manager which uses, pass it to a grant flow in the <oauth:authorization-server> as follow

<oauth:password authentication-manager-ref="authenticationManager"/>

3。指示Spring OAuth2查找不同的oauth_client_table

如果仔细查看官方的 spring-security.xml <以上链接的em> Spring OAuth2 repo，您​​将看到以下引用链

3. Instruct Spring OAuth2 to look up different oauth_client_table

If you look closely at the default spring-security.xml from the official Spring OAuth2 repo linked above, you will see the following chain of references

clientCredentialsTokenEndpointFilter bean

引用

clientAuthenticationManager bean

引用

clientDetailsUserDetailsS​​ervice

参考

clientDetails

clientDetails 只不过是最后声明的固定oauth客户端列表在< oauth：client-details-service id =clientDetails> 标记下。

And clientDetails is nothing but a list of fixed oauth clients declared at the end under <oauth:client-details-service id="clientDetails"> tag.

好的，所以目标是指示 Spring OAuth2 从数据库中读取和存储oauth_clients。
如果我们不需要自定义默认的spring oauth数据库表来满足我们的特定需求，那么它非常简单，过程如下：

Alright, so the objective is to instruct Spring OAuth2 to read and store oauth_clients to/from a database. If we do not need to customize the the default spring oauth database tables to meet our specific needs, then its quite easy and the process is as follow

1. 设置默认的Spring OAuth2数据库表，如下所示 link


2. 在 spring-security.xml 更改 clientDetailsUserDetailsS​​ervice 以传递默认的Spring OAuth2 org.springframework.security.oauth2.provider.client.JdbcClientDetailsS​​ervice 并声明与 bean 相同，如下所示。

1. Setup the default Spring OAuth2 database tables as shown in this link
2. In the spring-security.xml change the clientDetailsUserDetailsService to pass the default Spring OAuth2 org.springframework.security.oauth2.provider.client.JdbcClientDetailsService and declare the same as a bean, as shown below.

Defautlt Spring OAuth2 JdbcClientDetailsS​​ervice bean定义

Defautlt Spring OAuth2 JdbcClientDetailsService bean definition

<bean class="org.springframework.security.oauth2.provider.client.JdbcClientDetailsService" id="myClientDetails">
      <constructor-arg index="0">
         <!-- This is your jdbc datasource, i.e. db details-->
         <ref bean="dataSource" />
      </constructor-arg>
   </bean>

现在 clientDetailsUserDetailsS​​ervice bean看起来如下

and now the clientDetailsUserDetailsService bean should look as follow

<bean id="clientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="myClientDetails" />
    </bean>

其他一切保持不变。上述更改将指示Spring OAuth2从数据库中读取oath_clients（oauth_client_details）而不是硬编码的xml配置。

And everything else the stays the same. The above changes, will instruct the Spring OAuth2 to read oath_clients from the database (oauth_client_details) rather than hard-coded xml config.

如果您希望修改默认的 oauth_client_details 表以添加一些自定义列以满足您的特定需求，那么在这种情况下您需要进行一组不同的更改。所以我们有以下目标

What if, you wanted to modify the default oauth_client_details table to adda few custom columns to meet your specific needs, will in that case you need to make a different set of changes. So we have the following objective

1. 将额外的列添加到默认的 oauth_client_details 表

1. Add extra columns to the default oauth_client_details table

给出以下内容（默认 spring-security.xml ）

clientCredentialsTokenEndpointFilter bean

参考

clientAuthenticationManager bean

参考

clientDetailsUserDetailsS​​ervice

参考

clientDetails

我们需要转换上述工作流程（或参考链） ）以便Spring OAuth2能够访问我们新的自定义 oauth_client_details 数据库表。所以新的工作流程或引用链应类似于下面

We need to transform the above workflow (or chain of references) in order for Spring OAuth2 to be able to access our new customized oauth_client_details database table. So the new workflow or chain of references should be similar to below

clientCredentialsTokenEndpointFilter bean（无变化）

clientCredentialsTokenEndpointFilter bean (no change)

引用

clientAuthenticationManager bean （无变化）

clientAuthenticationManager bean (no change)

参考

clientDetailsUserDetailsS​​ervice （待更新）

参考

clientDetails （待替换）

为实现上述目标，让我们从下往上移动。默认的Spring OAuth2使用 org.springframework.security.oauth2.provider.ClientDetails 从默认的 oauth_client_details 表中加载oauth_client。我们需要通过实现它为 org.springframework.security.oauth2.provider.ClientDetails 提供自定义实现，因此，如下所示

And to achieve the above, lets move from bottom to top. The default Spring OAuth2 uses org.springframework.security.oauth2.provider.ClientDetails to load oauth_client from the default oauth_client_details table. We need to provide a custom implementation for org.springframework.security.oauth2.provider.ClientDetails by implementing it hence, something as follow

public class MyClientDetails implements ClientDetails { ... }

在我们继续之前，我只是想提一下，Spring OAuth2已经为上述界面提供了一个实现，这意味着我们可以通过实际扩展来实现上述的唯一实现接口（ClientDetails）是 org.springframework.security.oauth2.provider.client.BaseClientDetails 而不是从头开始实现它（利用所有可以从BaseClientDetails完成并添加我们自己的自定义字段）因此， MyClientDetails 看起来如下

Before we move on, I just wanted to mention that Spring OAuth2 already provides an implementation for the above interface meaning that we could make our life a lot easier by actually extending the only implementation of the above interface (ClientDetails) which is org.springframework.security.oauth2.provider.client.BaseClientDetails rather than implementing it from the beginning (leverage all that can be done from BaseClientDetails and add our own custom fields) hence, the MyClientDetails looks as follow then

public class MyClientDetails extends BaseClientDetails {
      //fields representing custom column for oauth_client
      //getters and setters 
      //make sure to call super() in the inherited constructors, before
      //setting custom fields.
}

好了，现在我们有了自己的 ClientDetails 对象，就像＃2一样，我们需要实现我们自己的 JdbcClientDetailsS​​ervice ，它将被注入 clientDetailsUserDetailsS​​ervice 。为了实现我们自己的 JdbcClientDetailsS​​ervice ，让我们看一下默认方法的签名

Alright, now that we have our own ClientDetails object, just like #2 we need to implement our own JdbcClientDetailsService that will get injected to clientDetailsUserDetailsService. In order to implement our own JdbcClientDetailsService let's look at the signature of the default method

public class JdbcClientDetailsService
extends Object
implements ClientDetailsService, ClientRegistrationService

如您所见，以上class implements ClientDetailsS​​ervice& ClientRegistrationService 接口。在实现我们自己的 JdbcClientDetailsS​​ervice 时，我不建议扩展默认的 JdbcClientDetailsS​​ervice ，因为有很多私有类变量（和方法）不会被继承，所以让我们使用我们自己写的默认实现。

As you can see, the above class implements ClientDetailsService & ClientRegistrationService interfaces. While implementing our own JdbcClientDetailsService I do not recommend extending the default JdbcClientDetailsService because there are quite a few private class variables (and methods) which will not be inherited hence, let's use the default implementation to write our own.

public class MyJdbcClientDetailsService implements ClientDetailsService, ClientRegistrationService {
   //override loadClientByClientId method, query the custom
   //oauth_client_details database table and populate the 
   //MyClientDetails object created above and return it. 

   //Implement other methods to CRUD oauth_clients  
}

现在您已经在 spring-security.xml 中实现了 MyJdbcClientDetailsS​​ervice 为它创建了一个bean，在以下行中

Now that you implemented MyJdbcClientDetailsService create a bean for it in spring-security.xml, in the following lines

现在将上面的bean注入 clientDetailsUserDetailsS​​ervice ，然后查看默认的 spring-security.xml ，我们有以下

Now inject the above bean to clientDetailsUserDetailsService, and looking into default spring-security.xml, we have the following

<!-- Original referencing hardcoded clients -->
<bean id="clientDetailsUserService"
        class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetails" />
    </bean>

以上内容需要更改为以下内容

And the above will need to be changed to as follow

<bean id="clientDetailsUserService"
        class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="myJdbcClientDetailsService" />
    </bean>

我们去了，现在指定我们自己的ClientDetailsS​​ervice后，链看起来如下：

There we go, now the chain looks as follow after specifying our own ClientDetailsService:

clientCredentialsTokenEndpointFilter bean（无变化）

clientCredentialsTokenEndpointFilter bean (no change)

引用

clientAuthenticationManager bean（无变化）

clientAuthenticationManager bean (no change)

引用

clientDetailsUserDetailsS​​ervice （ref updated）

clientDetailsUserDetailsService (ref updated)

参考

myJdbcClientDetailsS​​ervice （我们的自定义客户详情服务）

myJdbcClientDetailsService (our customized client details service)

上面指示Spring OAuth2查找自定义数据库表以获取oauth_client详细信息。

The above instructs the Spring OAuth2 to look up a customized database table for oauth_client details.

JWT 令牌或JSON Web令牌可用于OAuth2的三个不同参与者（授权服务器角色，资源服务器角色，客户角色），以便在执行与授权相关的不同操作时相互通信和访问受保护资源。 JWT令牌由授权服务器使用，并使用公钥/私钥进行签名，目的是确保JWT令牌的内容不会更新（除非有人可以访问私钥）。基本工作流程如下（让我们假设密码授予流程）

JWT Token or JSON Web Token can be used among three different actors of OAuth2 (Authorization server actor, Resource Server actor, Client actor) in order to communicate with each other in performing different actions relating to authorization and access of protected resources. The JWT token is used by Authorization server and it is signed using a public/private key and the objective is to make sure that the content of the JWT token do not get updated (unless someone have access to the private key). The basic workflow can be as follow (Let's assume password grant flow)

1. 客户角色代表请求资源所有者角色（用户）到授权服务器角色请求 OAuth2AccessToken


2. <如果客户端是验证和客户端密码匹配，然后它将验证用户名和密码（这可以使用 MyUserDetailsS​​ervice 在我们的数据库用户表中查找用户）这也是客户端演员（代表用户）传递的。如果找到了用户，则其密码匹配（可能使用自定义密码编码器 - 即由于缓慢的哈希函数而建议使用BCrypt），如果一切正常，则它将检索用户角色并构造JWT令牌，然后使用它是自己的公钥/私钥，将JWT令牌与客户端详细信息一起存储在数据库中（oauth_access_token默认表），并将JWT令牌的副本返回给请求客户端。


3. 客户端角色然后将用户的请求发送到资源服务器，要求受保护资源传递沿着JWT令牌。资源服务器验证JWT是否有效而不是篡改，然后相应地为客户端角色提供服务。

1. Client actor makes a request on behalf of the Resource owner actor (user) to the Authorization server actor asking for an OAuth2AccessToken
2. Authorization server actor verifies that the requesting client is trusted or not (by checking the requesting clients passed client_id and client_secret - the MyJdbcClientDetailsService is used to lookup the client), Once the client is verified and client secret matched, then it will verify the username and password (this could use the MyUserDetailsService to lookup the user in our database user table) that's also been passed by the Client actor (on behalf of user). If a user is found, then its password is matched (maybe using a custom Password encoder - i.e. BCrypt recommended due to slow hash function) and if all well, then it will retrieve the User's role and construct a JWT token, then sign it with it's own public/private key, store the JWT Token with client details in the database (oauth_access_token default table) and return a copy of the JWT Token to the requesting client.
3. The Client actor then sends the user's request to the Resource server asking for a protected resource passing along the JWT token. The Resource server validates that the JWT is valid and not tampered, and then accordingly serve the Client actor.

上面简要介绍了OAuth2如何使用JWT令牌。关于JWT和各种JWT的更多细节（签名，签名和加密等）。

Above briefly describes how the JWT token is used by OAuth2. There is a ton of more details on JWT and varieties of JWT out there (signed, signed and encrypted, etc etc).

有关Spring OAuth2的JWT实现的更多信息，请参阅官方repo 这里和JWT 网页。

For more information on JWT implementation of Spring OAuth2, see the official repo here and JWT webpage.

让我们看看，我们有以下JWT

Let's see, we have the following JWT

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

我们希望在上面的令牌中包含一组范围，因此资源服务器角色知道是否允许此用户提出这个要求。更改可能如下所示

and we would like to include a set of scopes to the above token, so the Resource server actor know whether this user is allowed to make this request or not. The change could look as follow

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true, 
  "scope": "read write delete"
}

要添加自定义声明（以上每个键/值都称为声明），我们需要创建一个实现<$ c的类 MyTokenEnhancer $ c> org.springframework.security.oauth2.provider.token.TokenEnhacer 接口并覆盖它的增强方法或扩展 org.springframework.security。 oauth2.provider.token.store.JwtAccessTokenConverter 反过来实现默认的 TokenEnhancer 并覆盖它的增强方法。

To add custom claims (each of above key/value is referred to as claims), we need to create a class MyTokenEnhancer which implement org.springframework.security.oauth2.provider.token.TokenEnhacer interface and override it's enhance method OR extend org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter which in turn implements the default TokenEnhancer and override it's enhance method.

通过覆盖增强方法，您可以向OAuth2AccessToken添加自定义声明。有关详细信息，请参阅上面链接的回购。

By overriding the enhance method, you can add custom claims to the OAuth2AccessToken. Please see the above linked repo for more details on this.

对我来说，oauth客户端发送一个自定义的 OAuth2Request ，我需要的不仅仅是deafult DefaultOAuth2RequestValidator 实现，因此，我必须自己编写并实现 org.springframework.security.oauth2.provider.OAuth2RequestValidator 。以下行中的内容

For me, the oauth clients send a customized OAuth2Request and I needed more than the deafult DefaultOAuth2RequestValidator implementation hence, I had to write my own and implemented the org.springframework.security.oauth2.provider.OAuth2RequestValidator. Something in the following lines

public class MyOAuth2RequestValidator implements OAuth2RequestValidator {
       //override the necessary methods
}

现在我们已经创建了自己的自定义 MyOAuth2RequestValidator 我们应该如何指示令牌端点使用XML配置使用它？嗯，这个花了我一点时间搞清楚。查看默认的 spring-security.xml ，我们有以下内容

Now that we have created our own custom MyOAuth2RequestValidator how should we instruct the Token endpoint to use it using XML configuration? Well, this one took me a little time for figure it out. Looking into the default spring-security.xml we have the following

<oauth:authorization-server
        client-details-service-ref="clientDetails" token-services-ref="tokenServices"
        user-approval-handler-ref="userApprovalHandler">
        <oauth:authorization-code />
        <oauth:implicit />
        <oauth:refresh-token />
        <oauth:client-credentials />
        <oauth:password />
    </oauth:authorization-server>

当我们向 / oauth / token endpoint，请求首先映射到 ClientCredentialsTokenEndpointFilter ，并在某个阶段将请求委托给 org.springframework.security。 oauth2.provider.endpoint.TokenEndpoint 如果你看一下源代码 TokenEndpoint 您将看到以下内容

When we make an OAuth2 request to the /oauth/token endpoint, the request is mapped to ClientCredentialsTokenEndpointFilter first, and from there at some stage the request is delegated to org.springframework.security.oauth2.provider.endpoint.TokenEndpoint and if you look at the source code TokenEndpoint you will see the following

private OAuth2RequestValidator oAuth2RequestValidator = new DefaultOAuth2RequestValidator();

现在用我们的自定义验证器替换它 MyOAuth2RequestValidator 我们需要执行以下操作

Now to replace that with our Custom validator MyOAuth2RequestValidator we need to do the following

1. 创建一个引用我们的自定义 MyOAuth2RequestValidator 的bean，并将其命名为id myOAuth2RequestValidator


2. 在 spring-security 中更新< oauth：authorization-server> 使用我们的自定义验证器＃1

1. Create a bean that references our custom MyOAuth2RequestValidator and name give it id of "myOAuth2RequestValidator"
2. Update the <oauth:authorization-server> in the spring-security to use our custom validator from #1

请参阅下面更新的授权服务器标签

See below the updated authorization-server tag

<oauth:authorization-server
            client-details-service-ref="clientDetails" token-services-ref="tokenServices"
            user-approval-handler-ref="userApprovalHandler"
            request-validator-ref="myOAuth2RequestValidator">
            <oauth:authorization-code />
            <oauth:implicit />
            <oauth:refresh-token />
            <oauth:client-credentials />
            <oauth:password />
        </oauth:authorization-server>

就是这样。现在，每次点击 TokenEndpoint ，它都将使用我们的自定义验证器而不是默认验证器。

And that's it. Now, every time the TokenEndpoint is hit, it will use our custom validator instead of default one.

我们可能不会使用所有可用的授权流程，因此有意义禁用未使用的授权流程。比方说，我不想使用刷新令牌授权流程（只是一个示例）并禁用它，我们必须更新< oauth：authorization-server>

We might not use all of the available grant flows hence, make sense to disable those not used. Let's say, I don't want to use refresh-token grant flow (just an example) and to disable it we have to update the <oauth:authorization-server>

已禁用刷新令牌授权流程的授权服务器如下所示

The authorization server with disabled refresh-token grant flow looks as follow

您还可以禁用其他流量。显然，你可以放弃而不是禁用它，因为如果你不支持让我们说授权代码授权流程那么就不要注册一个值为 authorization_code 的oauth_client它是oauth_client_table（如果是默认的oauth表）的 authorized_grant_types 列。

You can also disable other flows. Obviously you can get away with not disabling it because, if you do not support let's say Authorization Code grant flow then simply do not register an oauth_client that has a value of authorization_code in it's oauth_client_table (if default oauth table)'s authorized_grant_types column.

另外，为了与您分享帮助我了解Spring OAuth2的经验，我实际调试了Spring OAuth2类，以了解每个工作流程的工作原理并跟踪所有类在不同的资助流程中受到打击。让您全面了解Spring OAuth2的工作原理，然后在Spring OAuth2之上实现您自己的OAuth2实现变得不那么痛苦。

Also to share with you an experience that helped me understand Spring OAuth2, I actually debugged the Spring OAuth2 classes to understand how each workflow worked and kept track of all the classes that got hit during different grant flows. It's helpful to give you an overall understanding of how Spring OAuth2 works and then it will become less painful to implement your own OAuth2 implementation on top of Spring OAuth2.

如果资源和授权服务器不在同一服务器中且不共享同一数据库，则资源服务器需要在收到资源请求后仔细检查授权服务器以确保令牌仍然有效（这在令牌过期不会过期时很有用）并拥有正确的权限/声明。为了实现这一目标，OAuth提供了 Check Token Endpoint ，可以通过添加以下内容来启用

If the Resource and Authorization server are not in the same server and not sharing the same database, then Resource server requires to double check with Authorization server after it receives a request for a resource to make sure that the token is still valid (this is useful when tokens don't expire too soon) and has the right permissions/claims. In order to achieve this Spring OAuth provides Check Token Endpoint that can be enabled by adding the following

check-token-enabled="true"

到< oauth： XML配置文件中的authorization-server ...> 元素。添加上述内容后，POST请求 {server-url} / oauth / check_token ，其中包含带有键标记的表单参数和value JWT访问令牌将指示授权服务器验证令牌是否有效。默认实现执行默认检查，例如

to the <oauth:authorization-server ...> element in the XML configuration file. Once the above is added, a POST request to {server-url}/oauth/check_token with a form parameter with key token and value JWT access token will instruct the Authorization server to validate that the token is valid. The default implementation does the default checks such as

• 有效期


• 签名验证


• Etc

您必须进行一些自定义以验证您的自定义声明。请参阅此处的其他帖子了解更多详情。

And you will have to do a little bit of customization to validate your custom claims. See my other post in here for more details.

这篇关于使用JDBC和JWT实现Spring OAuth2，并使用基于XML的配置自定义现有授权流的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！