我正在尝试使用带有客户端凭据流的Oath2在Spring Boot上保护我的微服务。
顺便说一句,那些微服务只会在中间件层上互相交谈,我的意思是不需要用户凭证即可进行授权(用户登录过程为Facebook)。
我在Internet上寻找了一些示例,这些示例显示了如何创建授权和资源服务器来管理此通信。但是,我只是找到了一些示例,说明了如何使用用户凭据(三段式)来执行此操作。
有人在Spring Boot和Oauth2中有任何示例吗?如果有可能提供有关所使用范围的更多详细信息,令牌交换将不胜感激。
我们有受Oauth2客户端凭据方案保护的REST服务。资源和授权服务在同一应用程序中运行,但可以拆分为不同的应用程序。
@Configuration public class SecurityConfig { @Configuration @EnableResourceServer protected static class ResourceServer extends ResourceServerConfigurerAdapter { // Identifies this resource server. Usefull if the AuthorisationServer authorises multiple Resource servers private static final String RESOURCE_ID = "*****"; @Resource(name = "OAuth") @Autowired DataSource dataSource; @Override public void configure(HttpSecurity http) throws Exception { // @formatter:off http .authorizeRequests().anyRequest().authenticated(); // @formatter:on } @Override public void configure(ResourceServerSecurityConfigurer resources) throws Exception { resources.resourceId(RESOURCE_ID); resources.tokenStore(tokenStore()); } @Bean public TokenStore tokenStore() { return new JdbcTokenStore(dataSource); } } @Configuration @EnableAuthorizationServer protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter { @Resource(name = "OAuth") @Autowired DataSource dataSource; @Bean public TokenStore tokenStore() { return new JdbcTokenStore(dataSource); } @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints.tokenStore(tokenStore()); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.jdbc(dataSource); } } }
Oauth2表的数据源配置:
@Bean(name = "OAuth") @ConfigurationProperties(prefix="datasource.oauth") public DataSource secondaryDataSource() { return DataSourceBuilder.create().build(); }
与身份验证和资源服务器通信如下
curl -H "Accept: application/json" user:password@localhost:8080/oauth/token -d grant_type=client_credentials curl -H "Authorization: Bearer token" localhost:8080/...
Oauth2数据库中存在以下记录:
client_id resource_ids client_secret scope authorized_grant_types web_server_redirect_uri authorities access_token_validity refresh_token_validity additional_information autoapprove user **** password NULL client_credentials NULL X NULL NULL NULL NULL
客户端应用程序中的Resttemplate配置
@Configuration @EnableOAuth2Client public class OAuthConfig { @Value("${OAuth2ClientId}") private String oAuth2ClientId; @Value("${OAuth2ClientSecret}") private String oAuth2ClientSecret; @Value("${Oauth2AccesTokenUri}") private String accessTokenUri; @Bean public RestTemplate oAuthRestTemplate() { ClientCredentialsResourceDetails resourceDetails = new ClientCredentialsResourceDetails(); resourceDetails.setId("1"); resourceDetails.setClientId(oAuth2ClientId); resourceDetails.setClientSecret(oAuth2ClientSecret); resourceDetails.setAccessTokenUri(accessTokenUri); /* When using @EnableOAuth2Client spring creates a OAuth2ClientContext for us: "The OAuth2ClientContext is placed (for you) in session scope to keep the state for different users separate. Without that you would have to manage the equivalent data structure yourself on the server, mapping incoming requests to users, and associating each user with a separate instance of the OAuth2ClientContext." (http://projects.spring.io/spring-security-oauth/docs/oauth2.html#client-configuration) Internally the SessionScope works with a threadlocal to store variables, hence a new thread cannot access those. Therefore we can not use @Async Solution: create a new OAuth2ClientContext that has no scope. *Note: this is only safe when using client_credentials as OAuth grant type! */ // OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resourceDetails, oauth2ClientContext); OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resourceDetails, new DefaultOAuth2ClientContext()); return restTemplate; } }
您可以注入restTemplate以(异步)与Oauth2安全服务进行通信。我们目前不使用范围。
