java 从 Spring RESTful 资源服务器验证 OAuth 2.0 访问令牌
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/17642224/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
validate OAuth 2.0 access token from a Spring RESTful resource server
提问by domi
I want to secure my Spring RESTful backend. One way (the right?) is to use OAuth 2.0 like shown here:
我想保护我的 Spring RESTful 后端。一种方法(正确的?)是使用 OAuth 2.0,如下所示:
http://www.youtube.com/watch?v=8uBcpsIEz2I
http://www.youtube.com/watch?v=8uBcpsIEz2I
Within my architecture the resource server and authorization server ARE NOTthe same entity. I really just provide some JSON REST services. No UI. If I read the OAuth2 RFCthey just say:
在我的架构中,资源服务器和授权服务器不是同一个实体。我真的只是提供了一些 JSON REST 服务。没有用户界面。如果我阅读OAuth2 RFC,他们只会说:
The interaction between the authorization server and resource server is beyond the scope of this specification. The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.
授权服务器和资源服务器之间的交互超出了本规范的范围。授权服务器可以是与资源服务器相同的服务器,也可以是单独的实体。单个授权服务器可以发布多个资源服务器接受的访问令牌。
I found a good diagram on cloudfoundry.com(related to the above youtube video) which I'm using to illustrate my view:
我在cloudfoundry.com上找到了一个很好的图表(与上面的 youtube 视频相关),我用它来说明我的观点:
"token" provider: This could/should be google or facebook for example.
“令牌”提供者:例如,这可以/应该是 google 或 facebook。
RESTful backend: This is actually my code. Spring RESTful services like:
RESTful 后端:这实际上是我的代码。Spring RESTful 服务,例如:
@Controller
@RequestMapping("/api/v1")
public class MyResourceToProtect {
@Autowired
private MyService service;
@RequestMapping(value = "/resource/delete/{name}",
method = RequestMethod.DELETE,
consumes = MediaType.APPLICATION_JSON_VALUE,
headers = "Content-Type=application/json")
@ResponseStatus(HttpStatus.OK)
public void delete(@PathVariable("name") String name) {
service.delete(name);
}
}
(This is just some sample code)
(这只是一些示例代码)
Now my question: Is it somehow possible to validate the access tokens which are generated by the AuthServer (Facebook, Google)? I know that I need to have a "token to user" mapping (database) somewhere on my ResourceServer. Basically I'd like to design my RESTful API like to one from PayPal:
现在我的问题是:是否有可能以某种方式验证由 AuthServer(Facebook、Google)生成的访问令牌?我知道我需要在我的 ResourceServer 上的某个地方有一个“用户令牌”映射(数据库)。基本上我想设计我的 RESTful API 就像一个来自 PayPal 的 API:
https://developer.paypal.com/webapps/developer/docs/integration/direct/make-your-first-call/
https://developer.paypal.com/webapps/developer/docs/integration/direct/make-your-first-call/
But how can I handle the steps 1 & 2 if I want to use Facebook or Google as auth providers? Is this even possible?
但是,如果我想使用 Facebook 或 Google 作为身份验证提供商,我该如何处理第 1 步和第 2 步?这甚至可能吗?
Additional thought: Probably I need to provide my own /oauth2/tokenendpoint and then delegate to the underlying AuthProvider.
额外的想法:可能我需要提供我自己的/oauth2/token端点,然后委托给底层的 AuthProvider。
回答by Josh Long
Not sure how to answer all the questions with a nice bow, so I'll just put the following points out there:
不知道如何用漂亮的鞠躬来回答所有问题,所以我将在那里提出以下几点:
- Are you trying to just consume an OAuth-secured API like Facebook in a OAuth-secured fashion? Use Spring Social.
- If you're trying to create your OWN REST API and use your OWN user context, then use Spring Security OAuth. In this case, you would require clients to authenticate using OAuth against YOUR API, not Facebook or LinkedIn, etc.
- Spring Social Security (in the 1.2.x series) supports 'signing' the user in as the result of an OAuth connection (e.g., 'signin with facebook,' '..twitter,' '..linkedin,' etc., and your application ultimately ends up with a Spring Security principal in session, just as if you had used an HTTP form to sign the user in manually.
- Spring Security OAuth doesn't care where you got the Spring Security principal from. It just cares if the principal has the right roles / scopes required by the Spring Security OAuth client. So, there's no reason you couldn't use Spring Social to securely connect to Facebook, use Spring Social Security to have that connection create a Spring Security Authentication object, and then use Spring Security OAuth to then secure any access to YOUR API, which in turn might securely connect to Facebook's API behind the scenes. Clients would use the OAuth access token for YOUR API, not Facebook. That gets handled in the service.
- 您是否正在尝试以 OAuth 安全的方式使用像 Facebook 这样的 OAuth 安全的 API?使用 Spring 社交。
- 如果您尝试创建自己的 REST API 并使用自己的用户上下文,请使用 Spring Security OAuth。在这种情况下,您将要求客户端使用 OAuth 针对您的 API 进行身份验证,而不是 Facebook 或 LinkedIn 等。
- Spring Social Security(在 1.2.x 系列中)支持将用户作为 OAuth 连接的结果“登录”(例如,“使用 Facebook 登录”、“..twitter”、“..linkedin”等,以及您的应用程序最终以会话中的 Spring Security 主体结束,就像您使用 HTTP 表单手动登录用户一样。
- Spring Security OAuth 不关心您从哪里获得 Spring Security 主体。它只关心主体是否具有 Spring Security OAuth 客户端所需的正确角色/范围。因此,您没有理由不能使用 Spring Social 安全地连接到 Facebook,使用 Spring Social Security 让该连接创建一个 Spring Security Authentication 对象,然后使用 Spring Security OAuth 来保护对您的 API 的任何访问,这在turn 可能会在幕后安全地连接到 Facebook 的 API。客户将使用 OAuth 访问令牌用于您的 API,而不是 Facebook。这在服务中得到处理。
