java 了解 OAuth2 客户端凭据流
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/14140020/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Understanding OAuth2 Client credentials flow
提问by Pete
I'm trying to understand and implement a client credentials flow between our new REST server and our existing client app. I've setup spring-security OAuth2 like this. From my understanding so far, my server should now support the following request:
我正在尝试理解和实现我们新的 REST 服务器和我们现有的客户端应用程序之间的客户端凭据流。我已经像这样设置了 spring-security OAuth2 。根据我目前的理解,我的服务器现在应该支持以下请求:
$ curl -X -v -d 'client_id=the_client&client_secret=secret&grant_type=client_credentials' -X POST "http://localhost:9090/oauth/token"
but I get
但我明白了
InsufficientAuthenticationException: There is no client authentication
caused by the Principalbeing nullhere (spring-security code) :
由引起的Principal是null这里(弹簧安全码):
@FrameworkEndpoint
@RequestMapping(value = "/oauth/token")
public class TokenEndpoint extends AbstractEndpoint {
@RequestMapping
public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal,
@RequestParam("grant_type") String grantType, @RequestParam Map<String, String> parameters) {
if (!(principal instanceof Authentication)) {
throw new InsufficientAuthenticationException(
So it seems, I need to authenticate against the serverfirst. But that's not what I want to do. I want two of my servers to talk to each other using a shared secret. The OAuth provider server should provide an access token to the (trusted) client server on request so that the client server can then use that token to access all REST resources on the server. This should protect the REST resources from external access.
所以看起来,我需要先对服务器进行身份验证。但这不是我想做的。我希望我的两台服务器使用共享密钥相互通信。OAuth 提供程序服务器应根据请求向(受信任的)客户端服务器提供访问令牌,以便客户端服务器可以使用该令牌访问服务器上的所有 REST 资源。这应该可以保护 REST 资源免受外部访问。
Later I want to provide selected resources to a third party and eventually implement some finer grained security for the server-to-server communication as well. But for now I need to protect the REST server from external access.
后来我想将选定的资源提供给第三方,并最终为服务器到服务器的通信实现一些更细粒度的安全性。但现在我需要保护 REST 服务器免受外部访问。
Looks like I might have some misunderstandings about the whole client credentials flow or the application of spring-security right there so any clarification would be greatly appreciated.
看起来我可能对整个客户端凭据流或 spring-security 的应用有一些误解,因此将不胜感激任何澄清。
回答by kldavis4
You are not authenticating your client to the Authorization server.
您没有向授权服务器验证您的客户端。
You need to do something like this:
你需要做这样的事情:
curl --user the_client:secret --data "grant_type=client_credentials" http://localhost:9090/oauth/token
This is authenticating the client to the authorization server and then specifying grant_type and other parameters. This will return an access token of type 'bearer' with scope determined by the oauth client details. Once you have the token, you can access your protected resources by setting the Authorization header:
这是向授权服务器验证客户端,然后指定 grant_type 和其他参数。这将返回一个“承载”类型的访问令牌,其范围由 oauth 客户端详细信息确定。获得令牌后,您可以通过设置 Authorization 标头来访问受保护的资源:
curl -H "Authorization: Bearer <accessToken>" <resourceUrl>
