java Spring @EnableResourceServer vs @EnableOAuth2Sso
Notice: this page is a Chinese/English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me): StackOverflow
Original: http://stackoverflow.com/questions/42938782/
Spring @EnableResourceServer vs @EnableOAuth2Sso
Asked by André Teixeira dos Santos
Most of the tutorials I've read so far use @EnableOAuth2Sso instead of @EnableResourceServer on the API gateway. What are the differences? What does OAuth2Sso do in contrast?
Details: I'm implementing a security/infra architecture for spring-based microservices and single page apps. For some time, while we didn't have security requirements, the SPAs talked directly to open microservices, on different hosts (CORS party).
Now I'm adding a layer of security and the gateway pattern using spring-oauth and spring-zuul. So I have a service (uaa-service) with @EnableAuthorizationServer and a gateway with @EnableZuulProxy & @EnableResourceServer. I only need the password grant type, so each SPA has its own login form and authenticates with the uaa-service token endpoint, through the gateway, and then proceeds to use that token for further requests.
Is there anything wrong with this approach? Should I be using @EnableOAuth2Sso?
Answered by Danylo Zatorsky
These annotations mark your services with different OAuth 2.0 roles.
The @EnableResourceServer annotation means that your service (in terms of OAuth 2.0 - Resource Server) expects an access token in order to process the request. The access token should be obtained from the Authorization Server by the OAuth 2.0 Client before calling the Resource Server.
@EnableOAuth2Sso: marks your service as an OAuth 2.0 Client. This means that it will be responsible for redirecting the Resource Owner (end user) to the Authorization Server where the user has to enter their credentials. After it's done the user is redirected back to the Client with an Authorization Code (don't confuse with Access Code). Then the Client takes the Authorization Code and exchanges it for an Access Token by calling the Authorization Server. Only after that, the Client can make a call to a Resource Server with the Access Token.
Also, if you take a look into the source code of the @EnableOAuth2Sso annotation you will see two interesting things:
- @EnableOAuth2Client. This is where your service becomes an OAuth 2.0 Client. It makes it possible to forward the access token (after it has been exchanged for the Authorization Code) to downstream services in case you are calling those services via OAuth2RestTemplate.
- @EnableConfigurationProperties(OAuth2SsoProperties.class). OAuth2SsoProperties has only one property, String loginPath, which is /login by default. Browser requests to /login will be intercepted by OAuth2ClientAuthenticationProcessingFilter, which will redirect the user to the Authorization Server.
Should I be using @EnableOAuth2Sso?
It depends:
- If you want your API gateway to be an OAuth 2.0 client which interacts with the browser using Authorization Code Flow or Resource Owner Password Credentials Flow, then the answer is yes, you probably should. I said probably as I am not sure if @EnableOAuth2Sso supports Resource Owner Password Credentials Flow very well. Anyway, I would suggest you move on with Authorization Code Flow unless you have really (like really!) good reasons not to do so. BTW, when using Authorization Code Flow you may want to mark your downstream microservices as @EnableResourceServer. Then the API Gateway will be the OAuth 2.0 Client, and your microservices will be OAuth 2.0 Resource Servers, which seems logical to me.
- If you do not need interaction with the browser (e.g. Client Credentials Flow) or you have an SPA that makes use of Implicit Flow, then you should use @EnableResourceServer, meaning that it will accept requests with a valid Access Token only.
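As an added example (not code from the question or the answer above), this is the gateway setup the asker describes: a Zuul proxy marked with @EnableResourceServer, so it accepts only requests carrying a valid access token while still letting the SPA reach the uaa-service token endpoint through it. The package, class names and the /uaa/oauth/token route are assumptions for illustration; the annotations and adapter types are the real spring-security-oauth2 and spring-cloud-netflix ones the thread refers to.

```java
// Assumed package and class names; the legacy spring-security-oauth2 annotations
// discussed in the answer are used as-is.
package example.gateway;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

// The gateway itself: routes /uaa/** and /api/** (assumed route names) to the services.
@SpringBootApplication
@EnableZuulProxy
public class GatewayApplication {
    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }
}

// Resource Server role: the gateway validates a bearer token on every proxied call
// instead of redirecting the browser to a login page (which is what @EnableOAuth2Sso
// would do). Token validation against uaa-service is wired through the
// security.oauth2.resource.* properties (e.g. token-info-uri), not shown here.
@Configuration
@EnableResourceServer
class GatewayResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Tokens issued for a different audience are rejected by the gateway.
        resources.resourceId("gateway"); // assumed resource id
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // The SPA's own login form posts the password grant to the token endpoint
            // through the gateway, so that single route must not require a token.
            .antMatchers(HttpMethod.POST, "/uaa/oauth/token").permitAll()
            // Everything else Zuul forwards needs a valid access token.
            .anyRequest().authenticated();
    }
}
```

Note that Zuul strips the Authorization header by default (it is in its sensitive-headers list), so for the validated token to reach the downstream resource servers the zuul.sensitive-headers setting has to be adjusted to exclude Authorization.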