I have a site that uses Spring security and has users (username & password) and standard form authentication. I allow users to generate a client Id and client secret linked to their account for use with an OAuth2 secured rest API.

我有一个使用 Spring 安全性并具有用户（用户名和密码）和标准表单身份验证的站点。我允许用户生成链接到他们帐户的客户端 ID 和客户端密码，以便与 OAuth2 安全的休息 API 一起使用。

I use a separate client id & client secret for the API and not username and password so the user can change their password etc without breaking the API credentials, set specific scopes, disable API access etc.

我为 API 使用单独的客户端 ID 和客户端密钥，而不是用户名和密码，因此用户可以更改密码等而不会破坏 API 凭据、设置特定范围、禁用 API 访问等。

I use spring-security-oauth2 (provider) to secure the rest API and I have allowed a client credentials flow. I have setup client authentication for the api so that client id and secret are checked.

我使用 spring-security-oauth2（提供程序）来保护其余 API，并且我允许客户端凭据流。我已经为 api 设置了客户端身份验证，以便检查客户端 ID 和密码。

From a separate application I use the client id and client secret to retreive an access token and start to use it with the api. For the most part I use simple @PreAuthorize expressions typically based on client roles and scope and these appear to work correctly.

从一个单独的应用程序中，我使用客户端 ID 和客户端密码来检索访问令牌并开始将它与 api 一起使用。在大多数情况下，我通常基于客户端角色和范围使用简单的 @PreAuthorize 表达式，这些表达式似乎可以正常工作。

All above appears to work fine

以上所有似乎工作正常

However... I have a few API endpoints now however where I need to implement some more complex rules based on some details from the underlying user - in this case the user that generated the client id and secret.

但是......我现在有一些 API 端点，但是我需要根据底层用户的一些细节来实现一些更复杂的规则 - 在这种情况下是生成客户端 ID 和密码的用户。

As a simple example consider a messaging application where I have an endpoint that allows users to post a new "message" of a specific type that can vary. I have a table of allowed recipients for each user and each type and I want to check that the recipients of the posted message match the allowed recipient for the type. (User allowed recipients data is typically not large, and rarely changes so I'm happy to store a copy of it when generating an access token)

作为一个简单的例子，考虑一个消息传递应用程序，我有一个端点，允许用户发布可以变化的特定类型的新“消息”。我有每个用户和每种类型的允许收件人表，我想检查已发布消息的收件人是否与该类型的允许收件人匹配。（用户允许的收件人数据通常不大，而且很少更改，因此我很乐意在生成访问令牌时存储它的副本）

I get the principal at these endpoints and I see it is an instance of OAuth2Authentication containing:

我在这些端点获得了主体，我看到它是 OAuth2Authentication 的一个实例，其中包含：

• userAuthentication - null - This seems expectable for client credentials flow.
• clientAuthentication is populated and authorizationParameters contains the grant type and client_id

• userAuthentication - null - 这对于客户端凭据流来说似乎是可以预期的。
• 填充了 clientAuthentication 并且 authorizationParameters 包含授权类型和 client_id

I suppose I could use the client id from clientAuthentication.authorizationParameters to lookup the user and the details I require, but that would be a few queries each api call which doesn't seem to make sense.

我想我可以使用 clientAuthentication.authorizationParameters 中的客户端 ID 来查找用户和我需要的详细信息，但这将是每个 api 调用的一些查询，这似乎没有意义。

I would guess there's a nice place/way in Spring OAuth2 libs that while granting the access token that I could add some extra details so that later I could get them from the OAuth2Authentication (principal) object (or something that extends it?)

我猜想在 Spring OAuth2 库中有一个不错的地方/方式，在授予访问令牌的同时，我可以添加一些额外的细节，以便以后我可以从 OAuth2Authentication（主体）对象（或扩展它的东西？）

Alternatively is there a better approach entirely to such issue?

或者，是否有更好的方法完全解决此类问题？

Thx!

谢谢！