高级配置
HttpSecurity.oauth2Login() 提供了许多配置选项,用于自定义 OAuth 2.0 登录。主要配置选项按其协议端点对应部分进行分组。
例如,oauth2Login().authorizationEndpoint() 允许配置授权端点,而 oauth2Login().tokenEndpoint() 允许配置令牌端点。
以下代码展示了一个示例
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Login(oauth2 -> oauth2
.authorizationEndpoint(authorization -> authorization
...
)
.redirectionEndpoint(redirection -> redirection
...
)
.tokenEndpoint(token -> token
...
)
.userInfoEndpoint(userInfo -> userInfo
...
)
);
return http.build();
}
}@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
oauth2Login {
authorizationEndpoint {
...
}
redirectionEndpoint {
...
}
tokenEndpoint {
...
}
userInfoEndpoint {
...
}
}
}
return http.build()
}
}oauth2Login() DSL 的主要目标是与规范中定义的命名保持一致。
OAuth 2.0 授权框架将 协议端点 定义如下
授权过程使用两个授权服务器端点(HTTP 资源)
-
授权端点:客户端用于通过用户代理重定向从资源所有者获取授权。
-
令牌端点:客户端用于将授权授予交换为访问令牌,通常使用客户端身份验证。
授权过程还使用一个客户端端点
-
重定向端点:授权服务器用于通过资源所有者用户代理将包含授权凭据的响应返回给客户端。
OpenID Connect Core 1.0 规范将 用户信息端点 定义如下
用户信息端点是一个 OAuth 2.0 受保护资源,它返回有关已验证最终用户的声明。为了获取有关最终用户的请求声明,客户端使用通过 OpenID Connect 身份验证获得的访问令牌向用户信息端点发出请求。这些声明通常由一个 JSON 对象表示,该对象包含声明的名称-值对集合。
以下代码展示了 oauth2Login() DSL 可用的完整配置选项
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Login(oauth2 -> oauth2
.clientRegistrationRepository(this.clientRegistrationRepository())
.authorizedClientRepository(this.authorizedClientRepository())
.authorizedClientService(this.authorizedClientService())
.loginPage("/login")
.authorizationEndpoint(authorization -> authorization
.baseUri(this.authorizationRequestBaseUri())
.authorizationRequestRepository(this.authorizationRequestRepository())
.authorizationRequestResolver(this.authorizationRequestResolver())
)
.redirectionEndpoint(redirection -> redirection
.baseUri(this.authorizationResponseBaseUri())
)
.tokenEndpoint(token -> token
.accessTokenResponseClient(this.accessTokenResponseClient())
)
.userInfoEndpoint(userInfo -> userInfo
.userAuthoritiesMapper(this.userAuthoritiesMapper())
.userService(this.oauth2UserService())
.oidcUserService(this.oidcUserService())
)
);
return http.build();
}
}@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
oauth2Login {
clientRegistrationRepository = clientRegistrationRepository()
authorizedClientRepository = authorizedClientRepository()
authorizedClientService = authorizedClientService()
loginPage = "/login"
authorizationEndpoint {
baseUri = authorizationRequestBaseUri()
authorizationRequestRepository = authorizationRequestRepository()
authorizationRequestResolver = authorizationRequestResolver()
}
redirectionEndpoint {
baseUri = authorizationResponseBaseUri()
}
tokenEndpoint {
accessTokenResponseClient = accessTokenResponseClient()
}
userInfoEndpoint {
userAuthoritiesMapper = userAuthoritiesMapper()
userService = oauth2UserService()
oidcUserService = oidcUserService()
}
}
}
return http.build()
}
}除了 oauth2Login() DSL 之外,还支持 XML 配置。
以下代码展示了 安全命名空间 中可用的完整配置选项
<http>
<oauth2-login client-registration-repository-ref="clientRegistrationRepository"
authorized-client-repository-ref="authorizedClientRepository"
authorized-client-service-ref="authorizedClientService"
authorization-request-repository-ref="authorizationRequestRepository"
authorization-request-resolver-ref="authorizationRequestResolver"
access-token-response-client-ref="accessTokenResponseClient"
user-authorities-mapper-ref="userAuthoritiesMapper"
user-service-ref="oauth2UserService"
oidc-user-service-ref="oidcUserService"
login-processing-url="/login/oauth2/code/*"
login-page="/login"
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-handler-ref="authenticationFailureHandler"
jwt-decoder-factory-ref="jwtDecoderFactory"/>
</http>以下部分将详细介绍每个可用的配置选项
OAuth 2.0 登录页面
默认情况下,OAuth 2.0 登录页面由 DefaultLoginPageGeneratingFilter 自动生成。默认登录页面显示每个配置的 OAuth 客户端,其 ClientRegistration.clientName 作为链接,能够启动授权请求(或 OAuth 2.0 登录)。
|
为了让 |
每个 OAuth 客户端的链接目标默认如下
OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI + "/{registrationId}"
以下行显示了一个示例
<a href="/oauth2/authorization/google">Google</a>要覆盖默认登录页面,请配置 oauth2Login().loginPage() 和(可选)oauth2Login().authorizationEndpoint().baseUri()。
以下清单显示了一个示例
-
Java
-
Kotlin
-
Xml
@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Login(oauth2 -> oauth2
.loginPage("/login/oauth2")
...
.authorizationEndpoint(authorization -> authorization
.baseUri("/login/oauth2/authorization")
...
)
);
return http.build();
}
}@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
oauth2Login {
loginPage = "/login/oauth2"
authorizationEndpoint {
baseUri = "/login/oauth2/authorization"
}
}
}
return http.build()
}
}<http>
<oauth2-login login-page="/login/oauth2"
...
/>
</http>|
您需要提供一个带有 |
|
如前所述,配置 以下行显示了一个示例 |
重定向端点
重定向端点由授权服务器用于通过资源所有者用户代理将授权响应(包含授权凭据)返回给客户端。
|
OAuth 2.0 登录利用授权码授予。因此,授权凭据是授权码。 |
默认授权响应 baseUri(重定向端点)是 /login/oauth2/code/*,它在 OAuth2LoginAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI 中定义。
如果您想自定义授权响应 baseUri,请按如下方式配置它
-
Java
-
Kotlin
-
Xml
@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Login(oauth2 -> oauth2
.redirectionEndpoint(redirection -> redirection
.baseUri("/login/oauth2/callback/*")
...
)
);
return http.build();
}
}@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
oauth2Login {
redirectionEndpoint {
baseUri = "/login/oauth2/callback/*"
}
}
}
return http.build()
}
}<http>
<oauth2-login login-processing-url="/login/oauth2/callback/*"
...
/>
</http>|
您还需要确保 以下清单显示了一个示例
|
用户信息端点
用户信息端点包含许多配置选项,如下面的子部分所述
映射用户权限
用户成功通过 OAuth 2.0 身份验证提供者进行身份验证后,OAuth2User.getAuthorities()(或 OidcUser.getAuthorities())将包含一个已授予权限列表,该列表从 OAuth2UserRequest.getAccessToken().getScopes() 中填充,并以 SCOPE_ 为前缀。这些已授予的权限可以映射到一组新的 GrantedAuthority 实例,这些实例在完成身份验证时提供给 OAuth2AuthenticationToken。
OAuth2AuthenticationToken.getAuthorities() 用于授权请求,例如在 hasRole('USER') 或 hasRole('ADMIN') 中。
|
在映射用户权限时,可以选择以下几种方法:
使用 GrantedAuthoritiesMapper
GrantedAuthoritiesMapper 将获得一个已授予权限列表,其中包含一个类型为 OAuth2UserAuthority 的特殊权限和权限字符串 OAUTH2_USER(或 OidcUserAuthority 和权限字符串 OIDC_USER)。
提供 GrantedAuthoritiesMapper 的实现并配置它,如下所示:
-
Java
-
Kotlin
-
Xml
@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Login(oauth2 -> oauth2
.userInfoEndpoint(userInfo -> userInfo
.userAuthoritiesMapper(this.userAuthoritiesMapper())
...
)
);
return http.build();
}
private GrantedAuthoritiesMapper userAuthoritiesMapper() {
return (authorities) -> {
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
authorities.forEach(authority -> {
if (OidcUserAuthority.class.isInstance(authority)) {
OidcUserAuthority oidcUserAuthority = (OidcUserAuthority)authority;
OidcIdToken idToken = oidcUserAuthority.getIdToken();
OidcUserInfo userInfo = oidcUserAuthority.getUserInfo();
// Map the claims found in idToken and/or userInfo
// to one or more GrantedAuthority's and add it to mappedAuthorities
} else if (OAuth2UserAuthority.class.isInstance(authority)) {
OAuth2UserAuthority oauth2UserAuthority = (OAuth2UserAuthority)authority;
Map<String, Object> userAttributes = oauth2UserAuthority.getAttributes();
// Map the attributes found in userAttributes
// to one or more GrantedAuthority's and add it to mappedAuthorities
}
});
return mappedAuthorities;
};
}
}@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
oauth2Login {
userInfoEndpoint {
userAuthoritiesMapper = userAuthoritiesMapper()
}
}
}
return http.build()
}
private fun userAuthoritiesMapper(): GrantedAuthoritiesMapper = GrantedAuthoritiesMapper { authorities: Collection<GrantedAuthority> ->
val mappedAuthorities = emptySet<GrantedAuthority>()
authorities.forEach { authority ->
if (authority is OidcUserAuthority) {
val idToken = authority.idToken
val userInfo = authority.userInfo
// Map the claims found in idToken and/or userInfo
// to one or more GrantedAuthority's and add it to mappedAuthorities
} else if (authority is OAuth2UserAuthority) {
val userAttributes = authority.attributes
// Map the attributes found in userAttributes
// to one or more GrantedAuthority's and add it to mappedAuthorities
}
}
mappedAuthorities
}
}<http>
<oauth2-login user-authorities-mapper-ref="userAuthoritiesMapper"
...
/>
</http>或者,您可以注册一个 GrantedAuthoritiesMapper @Bean,使其自动应用于配置,如下所示:
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public GrantedAuthoritiesMapper userAuthoritiesMapper() {
...
}
}@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
oauth2Login { }
}
return http.build()
}
@Bean
fun userAuthoritiesMapper(): GrantedAuthoritiesMapper {
...
}
}基于委托的策略,使用 OAuth2UserService
与使用 GrantedAuthoritiesMapper 相比,此策略更高级。但是,它也更灵活,因为它允许您访问 OAuth2UserRequest 和 OAuth2User(当使用 OAuth 2.0 UserService 时)或 OidcUserRequest 和 OidcUser(当使用 OpenID Connect 1.0 UserService 时)。
OAuth2UserRequest(和 OidcUserRequest)允许您访问关联的 OAuth2AccessToken,这在委托人需要从受保护资源中获取权限信息才能为用户映射自定义权限的情况下非常有用。
以下示例展示了如何使用 OpenID Connect 1.0 UserService 实现和配置基于委托的策略:
-
Java
-
Kotlin
-
Xml
@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Login(oauth2 -> oauth2
.userInfoEndpoint(userInfo -> userInfo
.oidcUserService(this.oidcUserService())
...
)
);
return http.build();
}
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
final OidcUserService delegate = new OidcUserService();
return (userRequest) -> {
// Delegate to the default implementation for loading a user
OidcUser oidcUser = delegate.loadUser(userRequest);
OAuth2AccessToken accessToken = userRequest.getAccessToken();
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
// TODO
// 1) Fetch the authority information from the protected resource using accessToken
// 2) Map the authority information to one or more GrantedAuthority's and add it to mappedAuthorities
// 3) Create a copy of oidcUser but use the mappedAuthorities instead
ProviderDetails providerDetails = userRequest.getClientRegistration().getProviderDetails();
String userNameAttributeName = providerDetails.getUserInfoEndpoint().getUserNameAttributeName();
if (StringUtils.hasText(userNameAttributeName)) {
oidcUser = new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo(), userNameAttributeName);
} else {
oidcUser = new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo());
}
return oidcUser;
};
}
}@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
oauth2Login {
userInfoEndpoint {
oidcUserService = oidcUserService()
}
}
}
return http.build()
}
@Bean
fun oidcUserService(): OAuth2UserService<OidcUserRequest, OidcUser> {
val delegate = OidcUserService()
return OAuth2UserService { userRequest ->
// Delegate to the default implementation for loading a user
val oidcUser = delegate.loadUser(userRequest)
val accessToken = userRequest.accessToken
val mappedAuthorities = HashSet<GrantedAuthority>()
// TODO
// 1) Fetch the authority information from the protected resource using accessToken
// 2) Map the authority information to one or more GrantedAuthority's and add it to mappedAuthorities
// 3) Create a copy of oidcUser but use the mappedAuthorities instead
val providerDetails = userRequest.getClientRegistration().getProviderDetails()
val userNameAttributeName = providerDetails.getUserInfoEndpoint().getUserNameAttributeName()
if (StringUtils.hasText(userNameAttributeName)) {
DefaultOidcUser(mappedAuthorities, oidcUser.idToken, oidcUser.userInfo, userNameAttributeName)
} else {
DefaultOidcUser(mappedAuthorities, oidcUser.idToken, oidcUser.userInfo)
}
}
}
}<http>
<oauth2-login oidc-user-service-ref="oidcUserService"
...
/>
</http>OAuth 2.0 UserService
DefaultOAuth2UserService 是 OAuth2UserService 的实现,它支持标准的 OAuth 2.0 身份验证提供者。
|
|
DefaultOAuth2UserService 在向用户信息端点请求用户属性时使用 RestOperations 实例。
如果您需要自定义用户信息请求的预处理,您可以使用自定义 Converter<OAuth2UserRequest, RequestEntity<?>> 为 DefaultOAuth2UserService.setRequestEntityConverter() 提供值。默认实现 OAuth2UserRequestEntityConverter 会构建一个用户信息请求的 RequestEntity 表示形式,默认情况下,该表示形式会在 Authorization 标头中设置 OAuth2AccessToken。
另一方面,如果您需要自定义用户信息响应的后处理,则需要使用自定义配置的 RestOperations 为 DefaultOAuth2UserService.setRestOperations() 提供值。默认 RestOperations 的配置如下
RestTemplate restTemplate = new RestTemplate();
restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());OAuth2ErrorResponseErrorHandler 是一个 ResponseErrorHandler,它可以处理 OAuth 2.0 错误(400 错误请求)。它使用 OAuth2ErrorHttpMessageConverter 将 OAuth 2.0 错误参数转换为 OAuth2Error。
无论您是自定义 DefaultOAuth2UserService 还是提供您自己的 OAuth2UserService 实现,您都需要按如下方式进行配置
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Login(oauth2 -> oauth2
.userInfoEndpoint(userInfo -> userInfo
.userService(this.oauth2UserService())
...
)
);
return http.build();
}
private OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
...
}
}@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
oauth2Login {
userInfoEndpoint {
userService = oauth2UserService()
// ...
}
}
}
return http.build()
}
private fun oauth2UserService(): OAuth2UserService<OAuth2UserRequest, OAuth2User> {
// ...
}
}OpenID Connect 1.0 用户服务
OidcUserService 是 OAuth2UserService 的一个实现,它支持 OpenID Connect 1.0 提供商。
OidcUserService 在向用户信息端点请求用户属性时利用 DefaultOAuth2UserService。
如果您需要自定义用户信息请求的预处理或用户信息响应的后处理,则需要使用自定义配置的 DefaultOAuth2UserService 为 OidcUserService.setOauth2UserService() 提供值。
无论您是自定义 OidcUserService 还是为 OpenID Connect 1.0 提供商提供您自己的 OAuth2UserService 实现,您都需要按如下方式进行配置
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Login(oauth2 -> oauth2
.userInfoEndpoint(userInfo -> userInfo
.oidcUserService(this.oidcUserService())
...
)
);
return http.build();
}
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
...
}
}@Configuration
@EnableWebSecurity
class OAuth2LoginSecurityConfig {
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
oauth2Login {
userInfoEndpoint {
oidcUserService = oidcUserService()
// ...
}
}
}
return http.build()
}
private fun oidcUserService(): OAuth2UserService<OidcUserRequest, OidcUser> {
// ...
}
}ID 令牌签名验证
OpenID Connect 1.0 身份验证引入了 ID 令牌,它是一个安全令牌,包含授权服务器在客户端使用时对最终用户的身份验证的声明。
ID 令牌表示为 JSON Web 令牌 (JWT),并且必须使用 JSON Web 签名 (JWS) 进行签名。
OidcIdTokenDecoderFactory 提供一个 JwtDecoder,用于 OidcIdToken 签名验证。默认算法是 RS256,但在客户端注册期间分配时可能会有所不同。对于这些情况,您可以配置一个解析器来返回为特定客户端分配的预期 JWS 算法。
JWS 算法解析器是一个 Function,它接受一个 ClientRegistration 并返回客户端的预期 JwsAlgorithm,例如 SignatureAlgorithm.RS256 或 MacAlgorithm.HS256
以下代码展示了如何配置 OidcIdTokenDecoderFactory @Bean,使其默认情况下对所有 ClientRegistration 实例使用 MacAlgorithm.HS256
-
Java
-
Kotlin
@Bean
public JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
OidcIdTokenDecoderFactory idTokenDecoderFactory = new OidcIdTokenDecoderFactory();
idTokenDecoderFactory.setJwsAlgorithmResolver(clientRegistration -> MacAlgorithm.HS256);
return idTokenDecoderFactory;
}@Bean
fun idTokenDecoderFactory(): JwtDecoderFactory<ClientRegistration?> {
val idTokenDecoderFactory = OidcIdTokenDecoderFactory()
idTokenDecoderFactory.setJwsAlgorithmResolver { MacAlgorithm.HS256 }
return idTokenDecoderFactory
}|
对于基于 MAC 的算法(如 |
|
如果为 OpenID Connect 1.0 身份验证配置了多个 |
然后,您可以继续配置 注销
