Spring Security OAuth2 check_token endpoint
Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you need to use it, you must likewise comply with the CC BY-SA licence, cite the original address and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/26750999/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Asked by sowdri
I'm trying to set up a resource server to work with a separate authorization server using Spring Security OAuth. I'm using RemoteTokenServices, which requires the /check_token endpoint.
I can see that the /oauth/check_token endpoint is enabled by default when @EnableAuthorizationServer is used. However, the endpoint is not accessible by default.
Should the following entry be added manually to whitelist this endpoint?
http.authorizeRequests().antMatchers("/oauth/check_token").permitAll();
This will make this endpoint accessible to all; is this the desired behavior? Or am I missing something?
Thanks in advance,
Answered by Pratik Shah
You have to
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // access expression for /oauth/check_token (and /oauth/token_key via tokenKeyAccess)
        oauthServer.checkTokenAccess("permitAll()");
    }
For more information on this:
Answered by Gerardo Roza
Just to clarify a couple of points, and to add some more information to the answer provided by Pratik Shah (and by Alex in the related thread):
1- The configure method mentioned is overridden by creating a class that extends AuthorizationServerConfigurerAdapter:
    @EnableAuthorizationServer
    @Configuration
    public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            // /oauth/token_key is public, /oauth/check_token requires an authenticated client
            oauthServer.tokenKeyAccess("permitAll()")
                       .checkTokenAccess("isAuthenticated()");
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients
                .inMemory()
                .withClient("ger-client-id")
                .secret("ger-secret")
                .authorizedGrantTypes("password")
                .scopes("read", "write");
        }
    }
2- I suggest reading this Spring guide explaining the automatic configuration carried out by Spring Boot when we include the @EnableAuthorizationServer annotation, including an AuthorizationServerConfigurer bean. If you create a configuration bean extending the AuthorizationServerConfigurerAdapter as I did above, then that whole automatic configuration is disabled.
3- If the automatic configuration suits you just well, and you JUST want to manipulate the access to the /oauth/check_token endpoint, you can still do so without creating an AuthorizationServerConfigurer bean (and therefore without having to configure everything programmatically).
You'll have to add the security.oauth2.authorization.check-token-access property to the application.properties file, for example:
security.oauth2.client.client-id=ger-client-id
security.oauth2.client.client-secret=ger-secret
security.oauth2.client.scope=read,write
security.oauth2.authorization.check-token-access=permitAll()
Of course, you can give it an isAuthenticated() value if you prefer.
You can set the log level to DEBUG to check that everything is being configured as expected:
16:16:42.763 [main] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'permitAll()', for Ant [pattern='/oauth/check_token']
There is not much documentation about these properties, but you can figure them out from this autoconfiguration class.
One last thing worth mentioning: even though it seems to be fixed in the latest Spring versions, I just submitted an issue in the spring-security-oauth project; it seems that the token_check functionality is enabled by default if you add a trailing slash to the request:
$ curl localhost:8080/oauth/check_token/?token=fc9e4ad4-d6e8-4f57-b67e-c0285dcdeb58
{"scope":["read","write"],"active":true,"exp":1544940147,"authorities":["ROLE_USER"],"client_id":"ger-client-id"}
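The question asks whether /oauth/check_token has to be opened with permitAll() for RemoteTokenServices to work. It does not: the following added example (not code from the original answers or from Spring) pairs Gerardo's checkTokenAccess("isAuthenticated()") configuration with a resource server whose RemoteTokenServices authenticates to the endpoint as a registered client. The client id "resource-server", its secret, the "introspect" scope and the authorization server URL are assumed values; each class would normally live in its own application.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

// Authorization server: /oauth/check_token stays closed to anonymous callers,
// so arbitrary parties cannot probe which tokens are valid or read their claims.
@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer.tokenKeyAccess("permitAll()")        // public verifier key (JWT only)
                   .checkTokenAccess("isAuthenticated()"); // HTTP Basic client auth required
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
               .withClient("resource-server")                 // assumed client id
               .secret("{noop}resource-server-secret")        // {noop}: Spring Security 5 encoder id; drop on 4.x
               .authorizedGrantTypes("client_credentials")
               .scopes("introspect");                         // assumed scope name
    }
}

// Resource server: RemoteTokenServices sends the client id and secret as HTTP Basic
// on every introspection call, which satisfies isAuthenticated() above.
@Configuration
@EnableResourceServer
class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Bean
    public RemoteTokenServices remoteTokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl("http://localhost:9000/oauth/check_token"); // assumed auth server URL
        services.setClientId("resource-server");
        services.setClientSecret("resource-server-secret");
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.tokenServices(remoteTokenServices());
    }
}
```

With this in place, Gerardo's DEBUG log line should show 'isAuthenticated()' rather than 'permitAll()' for the /oauth/check_token pattern, and the curl call without credentials returns 401.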
Answered by smartwjw
First, configure the token access expression:
    @Override
    public void configure(AuthorizationServerSecurityConfigurer securityConfigurer) throws Exception {
        securityConfigurer
            .allowFormAuthenticationForClients()
            .checkTokenAccess("isAuthenticated()")
            .addTokenEndpointAuthenticationFilter(checkTokenEndpointFilter());
    }
Then, we need to define a filter to process client authentication:
    @Bean
    public ClientCredentialsTokenEndpointFilter checkTokenEndpointFilter() {
        // authenticates client_id/client_secret request parameters on /oauth/check_token;
        // authenticationManager is assumed to be injected into the enclosing configuration class
        ClientCredentialsTokenEndpointFilter filter = new ClientCredentialsTokenEndpointFilter("/oauth/check_token");
        filter.setAuthenticationManager(authenticationManager);
        filter.setAllowOnlyPost(true);
        return filter;
    }

