|
此版本仍在开发中,尚未被视为稳定版本。对于最新的稳定版本,请使用 Spring Authorization Server 1.4.0! |
协议端点
OAuth2 授权端点
OAuth2AuthorizationEndpointConfigurer提供自定义 OAuth2 授权端点的功能。
它定义了扩展点,允许您自定义 OAuth2 授权请求的预处理、主处理和后处理逻辑。
OAuth2AuthorizationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.authorizationEndpoint(authorizationEndpoint ->
authorizationEndpoint
.authorizationRequestConverter(authorizationRequestConverter) (1)
.authorizationRequestConverters(authorizationRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.authorizationResponseHandler(authorizationResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
.consentPage("/oauth2/v1/authorize") (7)
)
);
return http.build();
}| 1 | authorizationRequestConverter():添加尝试将 OAuth2 授权请求(或同意)提取到 或 实例时使用的(预处理器)。AuthenticationConverterHttpServletRequestOAuth2AuthorizationCodeRequestAuthenticationTokenOAuth2AuthorizationConsentAuthenticationToken |
| 2 | authorizationRequestConverters():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationConverterAuthenticationConverter |
| 3 | authenticationProvider():添加用于验证 或 的(主处理器)。AuthenticationProviderOAuth2AuthorizationCodeRequestAuthenticationTokenOAuth2AuthorizationConsentAuthenticationToken |
| 4 | authenticationProviders():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationProviderAuthenticationProvider |
| 5 | authorizationResponseHandler():用于处理“已验证”并返回 OAuth2AuthorizationResponse 的(后处理器)。AuthenticationSuccessHandlerOAuth2AuthorizationCodeRequestAuthenticationToken |
| 6 | errorResponseHandler():用于处理和返回 OAuth2Error 响应的(后处理器)。AuthenticationFailureHandlerOAuth2AuthorizationCodeRequestAuthenticationException |
| 7 | consentPage():自定义同意页面,用于在授权请求流程中将资源所有者重定向到是否需要同意。URI |
OAuth2AuthorizationEndpointConfigurer配置 并将其注册到 OAuth2 授权服务器 。 是处理 OAuth2 授权请求(和同意)的 。OAuth2AuthorizationEndpointFilterSecurityFilterChain@BeanOAuth2AuthorizationEndpointFilterFilter
OAuth2AuthorizationEndpointFilter配置了以下默认值:
-
AuthenticationConverter— A 由 和 组成。DelegatingAuthenticationConverterOAuth2AuthorizationCodeRequestAuthenticationConverterOAuth2AuthorizationConsentAuthenticationConverter -
AuthenticationManager— 由 和 组成的 。AuthenticationManagerOAuth2AuthorizationCodeRequestAuthenticationProviderOAuth2AuthorizationConsentAuthenticationProvider -
AuthenticationSuccessHandler— 一个内部实现,用于处理 “authenticated” 并返回 .OAuth2AuthorizationCodeRequestAuthenticationTokenOAuth2AuthorizationResponse -
AuthenticationFailureHandler— 使用 associated with the 并返回响应的内部实现。OAuth2ErrorOAuth2AuthorizationCodeRequestAuthenticationExceptionOAuth2Error
自定义授权请求验证
OAuth2AuthorizationCodeRequestAuthenticationValidator是用于验证授权码授予中使用的特定 OAuth2 授权请求参数的默认验证器。
默认实现验证 and 参数。
如果验证失败,则引发 an。redirect_uriscopeOAuth2AuthorizationCodeRequestAuthenticationException
OAuth2AuthorizationCodeRequestAuthenticationProvider通过向 提供 类型的自定义身份验证验证程序,提供覆盖默认授权请求验证的功能。Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext>setAuthenticationValidator()
OAuth2AuthorizationCodeRequestAuthenticationContext保存 ,其中包含 OAuth2 授权请求参数。OAuth2AuthorizationCodeRequestAuthenticationToken |
如果验证失败,身份验证验证器必须抛出 .OAuth2AuthorizationCodeRequestAuthenticationException |
开发生命周期阶段的一个常见用例是在参数中允许。localhostredirect_uri
以下示例显示了如何使用允许在参数中使用的自定义身份验证验证器进行配置:OAuth2AuthorizationCodeRequestAuthenticationProviderlocalhostredirect_uri
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.authorizationEndpoint(authorizationEndpoint ->
authorizationEndpoint
.authenticationProviders(configureAuthenticationValidator())
)
);
return http.build();
}
private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
return (authenticationProviders) ->
authenticationProviders.forEach((authenticationProvider) -> {
if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
// Override default redirect_uri validator
new CustomRedirectUriValidator()
// Reuse default scope validator
.andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);
((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
.setAuthenticationValidator(authenticationValidator);
}
});
}
static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {
@Override
public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
authenticationContext.getAuthentication();
RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();
// Use exact string matching when comparing client redirect URIs against pre-registered URIs
if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
}
}
}OAuth2 设备授权端点
OAuth2DeviceAuthorizationEndpointConfigurer提供自定义 OAuth2 设备授权端点的功能。
它定义了扩展点,允许您自定义 OAuth2 设备授权请求的预处理、主处理和后处理逻辑。
OAuth2DeviceAuthorizationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.deviceAuthorizationEndpoint(deviceAuthorizationEndpoint ->
deviceAuthorizationEndpoint
.deviceAuthorizationRequestConverter(deviceAuthorizationRequestConverter) (1)
.deviceAuthorizationRequestConverters(deviceAuthorizationRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.deviceAuthorizationResponseHandler(deviceAuthorizationResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
.verificationUri("/oauth2/v1/device_verification") (7)
)
);
return http.build();
}| 1 | deviceAuthorizationRequestConverter():添加尝试将 OAuth2 设备授权请求提取到 实例时使用的(预处理器)。AuthenticationConverterHttpServletRequestOAuth2DeviceAuthorizationRequestAuthenticationToken |
| 2 | deviceAuthorizationRequestConverters():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationConverterAuthenticationConverter |
| 3 | authenticationProvider():添加一个(主处理器)用于验证 .AuthenticationProviderOAuth2DeviceAuthorizationRequestAuthenticationToken |
| 4 | authenticationProviders():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationProviderAuthenticationProvider |
| 5 | deviceAuthorizationResponseHandler():用于处理“已验证”并返回 OAuth2DeviceAuthorizationResponse 的(后处理器)。AuthenticationSuccessHandlerOAuth2DeviceAuthorizationRequestAuthenticationToken |
| 6 | errorResponseHandler():用于处理和返回 OAuth2Error 响应的(后处理器)。AuthenticationFailureHandlerOAuth2AuthenticationException |
| 7 | verificationUri():自定义最终用户验证页面,用于将资源所有者定向到辅助设备。URI |
OAuth2DeviceAuthorizationEndpointConfigurer配置 并将其注册到 OAuth2 授权服务器 。 是处理 OAuth2 设备授权请求的 。OAuth2DeviceAuthorizationEndpointFilterSecurityFilterChain@BeanOAuth2DeviceAuthorizationEndpointFilterFilter
OAuth2DeviceAuthorizationEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 一个 .OAuth2DeviceAuthorizationRequestAuthenticationConverter -
AuthenticationManager— 由 .AuthenticationManagerOAuth2DeviceAuthorizationRequestAuthenticationProvider -
AuthenticationSuccessHandler— 一个内部实现,用于处理 “authenticated” 并返回 .OAuth2DeviceAuthorizationRequestAuthenticationTokenOAuth2DeviceAuthorizationResponse -
AuthenticationFailureHandler— 一个 .OAuth2ErrorAuthenticationFailureHandler
OAuth2 设备验证端点
OAuth2DeviceVerificationEndpointConfigurer提供自定义 OAuth2 设备验证端点(或“用户交互”)的功能。
它定义了扩展点,允许您自定义 OAuth2 设备验证请求的预处理、主处理和后处理逻辑。
OAuth2DeviceVerificationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.deviceVerificationEndpoint(deviceVerificationEndpoint ->
deviceVerificationEndpoint
.deviceVerificationRequestConverter(deviceVerificationRequestConverter) (1)
.deviceVerificationRequestConverters(deviceVerificationRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.deviceVerificationResponseHandler(deviceVerificationResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
.consentPage("/oauth2/v1/consent") (7)
)
);
return http.build();
}| 1 | deviceVerificationRequestConverter():添加尝试将 OAuth2 设备验证请求(或同意)提取到 或 的实例时使用的(预处理器)。AuthenticationConverterHttpServletRequestOAuth2DeviceVerificationAuthenticationTokenOAuth2DeviceAuthorizationConsentAuthenticationToken |
| 2 | deviceVerificationRequestConverters():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationConverterAuthenticationConverter |
| 3 | authenticationProvider():添加用于验证 或 的(主处理器)。AuthenticationProviderOAuth2DeviceVerificationAuthenticationTokenOAuth2DeviceAuthorizationConsentAuthenticationToken |
| 4 | authenticationProviders():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationProviderAuthenticationProvider |
| 5 | deviceVerificationResponseHandler():用于处理“已验证”并指示资源所有者返回其设备的(后处理器)。AuthenticationSuccessHandlerOAuth2DeviceVerificationAuthenticationToken |
| 6 | errorResponseHandler():用于处理和返回错误响应的(后处理器)。AuthenticationFailureHandlerOAuth2AuthenticationException |
| 7 | consentPage():自定义同意页面,用于在设备验证请求流程中需要同意时将资源所有者重定向到该页面。URI |
OAuth2DeviceVerificationEndpointConfigurer配置 并将其注册到 OAuth2 授权服务器 。 是处理 OAuth2 设备验证请求(和同意)的 。OAuth2DeviceVerificationEndpointFilterSecurityFilterChain@BeanOAuth2DeviceVerificationEndpointFilterFilter
OAuth2DeviceVerificationEndpointFilter配置了以下默认值:
-
AuthenticationConverter— A 由 和 组成。DelegatingAuthenticationConverterOAuth2DeviceVerificationAuthenticationConverterOAuth2DeviceAuthorizationConsentAuthenticationConverter -
AuthenticationManager— 由 和 组成的 。AuthenticationManagerOAuth2DeviceVerificationAuthenticationProviderOAuth2DeviceAuthorizationConsentAuthenticationProvider -
AuthenticationSuccessHandler— 处理“已验证”并将用户重定向到成功页面 () 的 A。SimpleUrlAuthenticationSuccessHandlerOAuth2DeviceVerificationAuthenticationToken/?success -
AuthenticationFailureHandler— 使用 associated with the 并返回响应的内部实现。OAuth2ErrorOAuth2AuthenticationExceptionOAuth2Error
OAuth2 令牌端点
OAuth2TokenEndpointConfigurer提供自定义 OAuth2 令牌端点的功能。
它定义了扩展点,允许您自定义 OAuth2 访问令牌请求的预处理、主处理和后处理逻辑。
OAuth2TokenEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.tokenEndpoint(tokenEndpoint ->
tokenEndpoint
.accessTokenRequestConverter(accessTokenRequestConverter) (1)
.accessTokenRequestConverters(accessTokenRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.accessTokenResponseHandler(accessTokenResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
)
);
return http.build();
}| 1 | accessTokenRequestConverter():添加尝试将 OAuth2 访问令牌请求提取到 的实例时使用的(预处理器)。AuthenticationConverterHttpServletRequestOAuth2AuthorizationGrantAuthenticationToken |
| 2 | accessTokenRequestConverters():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationConverterAuthenticationConverter |
| 3 | authenticationProvider():添加一个(主处理器)用于验证 .AuthenticationProviderOAuth2AuthorizationGrantAuthenticationToken |
| 4 | authenticationProviders():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationProviderAuthenticationProvider |
| 5 | accessTokenResponseHandler():用于处理和返回 OAuth2AccessTokenResponse 的(后处理器)。AuthenticationSuccessHandlerOAuth2AccessTokenAuthenticationToken |
| 6 | errorResponseHandler():用于处理和返回 OAuth2Error 响应的(后处理器)。AuthenticationFailureHandlerOAuth2AuthenticationException |
OAuth2TokenEndpointConfigurer配置 并将其注册到 OAuth2 授权服务器 。 是处理 OAuth2 访问令牌请求的 。OAuth2TokenEndpointFilterSecurityFilterChain@BeanOAuth2TokenEndpointFilterFilter
支持的授权授权类型包括 、 和 。authorization_coderefresh_tokenclient_credentialsurn:ietf:params:oauth:grant-type:device_codeurn:ietf:params:oauth:grant-type:token-exchange
OAuth2TokenEndpointFilter配置了以下默认值:
-
AuthenticationConverter— A 由 、 、 、 和 组成。DelegatingAuthenticationConverterOAuth2AuthorizationCodeAuthenticationConverterOAuth2RefreshTokenAuthenticationConverterOAuth2ClientCredentialsAuthenticationConverterOAuth2DeviceCodeAuthenticationConverterOAuth2TokenExchangeAuthenticationConverter -
AuthenticationManager— 由 、 、 、 和 组成的 。AuthenticationManagerOAuth2AuthorizationCodeAuthenticationProviderOAuth2RefreshTokenAuthenticationProviderOAuth2ClientCredentialsAuthenticationProviderOAuth2DeviceCodeAuthenticationProviderOAuth2TokenExchangeAuthenticationProvider -
AuthenticationSuccessHandler— 一个 .OAuth2AccessTokenResponseAuthenticationSuccessHandler -
AuthenticationFailureHandler— 一个 .OAuth2ErrorAuthenticationFailureHandler
自定义客户端身份凭证授权请求验证
OAuth2ClientCredentialsAuthenticationValidator是用于验证特定 OAuth2 客户端凭证授予请求参数的默认验证器。
默认实现验证参数。
如果验证失败,则引发 an。scopeOAuth2AuthenticationException
OAuth2ClientCredentialsAuthenticationProvider提供了通过向 提供 类型的自定义身份验证验证程序来覆盖默认请求验证的功能。Consumer<OAuth2ClientCredentialsAuthenticationContext>setAuthenticationValidator()
OAuth2ClientCredentialsAuthenticationContext包含 ,其中包含 OAuth2 客户端凭据授予请求参数。OAuth2ClientCredentialsAuthenticationToken |
如果验证失败,身份验证验证器必须抛出 .OAuth2AuthenticationException |
以下示例显示如何使用覆盖默认验证的自定义身份验证验证器进行配置:OAuth2ClientCredentialsAuthenticationProviderscope
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.tokenEndpoint(tokenEndpoint ->
tokenEndpoint
.authenticationProviders(configureAuthenticationValidator())
)
);
return http.build();
}
private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
return (authenticationProviders) ->
authenticationProviders.forEach((authenticationProvider) -> {
if (authenticationProvider instanceof OAuth2ClientCredentialsAuthenticationProvider) {
Consumer<OAuth2ClientCredentialsAuthenticationContext> authenticationValidator =
new CustomScopeValidator();
// Override default scope validation
((OAuth2ClientCredentialsAuthenticationProvider) authenticationProvider)
.setAuthenticationValidator(authenticationValidator);
}
});
}
static class CustomScopeValidator implements Consumer<OAuth2ClientCredentialsAuthenticationContext> {
@Override
public void accept(OAuth2ClientCredentialsAuthenticationContext authenticationContext) {
OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
authenticationContext.getAuthentication();
Set<String> requestedScopes = clientCredentialsAuthentication.getScopes();
RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
Set<String> allowedScopes = registeredClient.getScopes();
// TODO Implement scope validation
}
}OAuth2 令牌自省端点
OAuth2TokenIntrospectionEndpointConfigurer提供自定义 OAuth2 令牌自检端点的功能。
它定义了扩展点,允许您自定义 OAuth2 自省请求的预处理、主处理和后处理逻辑。
OAuth2TokenIntrospectionEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.tokenIntrospectionEndpoint(tokenIntrospectionEndpoint ->
tokenIntrospectionEndpoint
.introspectionRequestConverter(introspectionRequestConverter) (1)
.introspectionRequestConverters(introspectionRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.introspectionResponseHandler(introspectionResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
)
);
return http.build();
}| 1 | introspectionRequestConverter():添加尝试将 OAuth2 内省请求提取到 的实例时使用的(预处理器)。AuthenticationConverterHttpServletRequestOAuth2TokenIntrospectionAuthenticationToken |
| 2 | introspectionRequestConverters():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationConverterAuthenticationConverter |
| 3 | authenticationProvider():添加一个(主处理器)用于验证 .AuthenticationProviderOAuth2TokenIntrospectionAuthenticationToken |
| 4 | authenticationProviders():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationProviderAuthenticationProvider |
| 5 | introspectionResponseHandler():用于处理“经过身份验证”并返回 OAuth2TokenIntrospection 响应的(后处理器)。AuthenticationSuccessHandlerOAuth2TokenIntrospectionAuthenticationToken |
| 6 | errorResponseHandler():用于处理和返回 OAuth2Error 响应的(后处理器)。AuthenticationFailureHandlerOAuth2AuthenticationException |
OAuth2TokenIntrospectionEndpointConfigurer配置 并将其注册到 OAuth2 授权服务器 。 是处理 OAuth2 自省请求的 。OAuth2TokenIntrospectionEndpointFilterSecurityFilterChain@BeanOAuth2TokenIntrospectionEndpointFilterFilter
OAuth2TokenIntrospectionEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 一个 .OAuth2TokenIntrospectionAuthenticationConverter -
AuthenticationManager— 由 .AuthenticationManagerOAuth2TokenIntrospectionAuthenticationProvider -
AuthenticationSuccessHandler— 处理 “authenticated” 并返回响应的内部实现。OAuth2TokenIntrospectionAuthenticationTokenOAuth2TokenIntrospection -
AuthenticationFailureHandler— 一个 .OAuth2ErrorAuthenticationFailureHandler
OAuth2 令牌吊销端点
OAuth2TokenRevocationEndpointConfigurer提供自定义 OAuth2 令牌吊销端点的功能。
它定义了扩展点,允许您自定义 OAuth2 吊销请求的预处理、主处理和后处理逻辑。
OAuth2TokenRevocationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.tokenRevocationEndpoint(tokenRevocationEndpoint ->
tokenRevocationEndpoint
.revocationRequestConverter(revocationRequestConverter) (1)
.revocationRequestConverters(revocationRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.revocationResponseHandler(revocationResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
)
);
return http.build();
}| 1 | revocationRequestConverter():添加尝试将 OAuth2 吊销请求提取到 的实例时使用的(预处理器)。AuthenticationConverterHttpServletRequestOAuth2TokenRevocationAuthenticationToken |
| 2 | revocationRequestConverters():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationConverterAuthenticationConverter |
| 3 | authenticationProvider():添加一个(主处理器)用于验证 .AuthenticationProviderOAuth2TokenRevocationAuthenticationToken |
| 4 | authenticationProviders():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationProviderAuthenticationProvider |
| 5 | revocationResponseHandler():用于处理“经过身份验证”并返回 OAuth2 吊销响应的(后处理器)。AuthenticationSuccessHandlerOAuth2TokenRevocationAuthenticationToken |
| 6 | errorResponseHandler():用于处理和返回 OAuth2Error 响应的(后处理器)。AuthenticationFailureHandlerOAuth2AuthenticationException |
OAuth2TokenRevocationEndpointConfigurer配置 并将其注册到 OAuth2 授权服务器 。 是处理 OAuth2 吊销请求的 。OAuth2TokenRevocationEndpointFilterSecurityFilterChain@BeanOAuth2TokenRevocationEndpointFilterFilter
OAuth2TokenRevocationEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 一个 .OAuth2TokenRevocationAuthenticationConverter -
AuthenticationManager— 由 .AuthenticationManagerOAuth2TokenRevocationAuthenticationProvider -
AuthenticationSuccessHandler— 处理“已验证”并返回 OAuth2 吊销响应的内部实现。OAuth2TokenRevocationAuthenticationToken -
AuthenticationFailureHandler— 一个 .OAuth2ErrorAuthenticationFailureHandler
OAuth2 授权服务器元数据端点
OAuth2AuthorizationServerMetadataEndpointConfigurer提供自定义 OAuth2 授权服务器元数据端点的功能。
它定义了一个扩展点,允许您自定义 OAuth2 Authorization Server 元数据响应。
OAuth2AuthorizationServerMetadataEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.authorizationServerMetadataEndpoint(authorizationServerMetadataEndpoint ->
authorizationServerMetadataEndpoint
.authorizationServerMetadataCustomizer(authorizationServerMetadataCustomizer) (1)
)
);
return http.build();
}| 1 | authorizationServerMetadataCustomizer():提供对 允许自定义授权服务器配置的声明的能力的访问权限。ConsumerOAuth2AuthorizationServerMetadata.Builder |
OAuth2AuthorizationServerMetadataEndpointConfigurer配置 并将其注册到 OAuth2 授权服务器 。 是返回 OAuth2AuthorizationServerMetadata 响应的 。OAuth2AuthorizationServerMetadataEndpointFilterSecurityFilterChain@BeanOAuth2AuthorizationServerMetadataEndpointFilterFilter
JWK 设置端点
OAuth2AuthorizationServerConfigurer提供对 JWK Set 端点的支持。
OAuth2AuthorizationServerConfigurer配置 并将其注册到 OAuth2 授权服务器 。 是返回 JWK 集的 。NimbusJwkSetEndpointFilterSecurityFilterChain@BeanNimbusJwkSetEndpointFilterFilter
仅当注册了 a 时,才会配置 JWK Set 端点。JWKSource<SecurityContext>@Bean |
OpenID Connect 1.0 提供者配置终端节点
OidcProviderConfigurationEndpointConfigurer提供自定义 OpenID Connect 1.0 提供程序配置终端节点的功能。
它定义了一个扩展点,允许您自定义 OpenID Provider Configuration 响应。
OidcProviderConfigurationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.oidc(oidc ->
oidc
.providerConfigurationEndpoint(providerConfigurationEndpoint ->
providerConfigurationEndpoint
.providerConfigurationCustomizer(providerConfigurationCustomizer) (1)
)
)
);
return http.build();
}| 1 | providerConfigurationCustomizer():提供对 允许自定义 OpenID Provider 配置的声明的能力的访问权限。ConsumerOidcProviderConfiguration.Builder |
OidcProviderConfigurationEndpointConfigurer配置 并将其注册到 OAuth2 授权服务器 。 是返回 OidcProviderConfiguration 响应的 。OidcProviderConfigurationEndpointFilterSecurityFilterChain@BeanOidcProviderConfigurationEndpointFilterFilter
OpenID Connect 1.0 注销端点
OidcLogoutEndpointConfigurer提供自定义 OpenID Connect 1.0 注销终端节点的功能。
它定义了扩展点,允许您自定义 RP 发起的注销请求的预处理、主处理和后处理逻辑。
OidcLogoutEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.oidc(oidc ->
oidc
.logoutEndpoint(logoutEndpoint ->
logoutEndpoint
.logoutRequestConverter(logoutRequestConverter) (1)
.logoutRequestConverters(logoutRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.logoutResponseHandler(logoutResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
)
)
);
return http.build();
}| 1 | logoutRequestConverter():添加尝试将注销请求提取到 的实例时使用的(预处理器)。AuthenticationConverterHttpServletRequestOidcLogoutAuthenticationToken |
| 2 | logoutRequestConverters():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationConverterAuthenticationConverter |
| 3 | authenticationProvider():添加一个(主处理器)用于验证 .AuthenticationProviderOidcLogoutAuthenticationToken |
| 4 | authenticationProviders():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationProviderAuthenticationProvider |
| 5 | logoutResponseHandler():用于处理 “authenticated” 和执行注销的 (后处理器)。AuthenticationSuccessHandlerOidcLogoutAuthenticationToken |
| 6 | errorResponseHandler():用于处理和返回错误响应的(后处理器)。AuthenticationFailureHandlerOAuth2AuthenticationException |
OidcLogoutEndpointConfigurer配置 并将其注册到 OAuth2 授权服务器 。 是处理 RP 发起的注销请求并执行最终用户注销的 VPN。OidcLogoutEndpointFilterSecurityFilterChain@BeanOidcLogoutEndpointFilterFilter
OidcLogoutEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 一个 .OidcLogoutAuthenticationConverter -
AuthenticationManager— 由 .AuthenticationManagerOidcLogoutAuthenticationProvider -
AuthenticationSuccessHandler— 一个 .OidcLogoutAuthenticationSuccessHandler -
AuthenticationFailureHandler— 使用 associated with the 并返回响应的内部实现。OAuth2ErrorOAuth2AuthenticationExceptionOAuth2Error
OidcLogoutAuthenticationProvider使用 SessionRegistry 查找与请求注销的 End-User 关联的实例。SessionInformation |
OidcClientInitiatedLogoutSuccessHandler是 Spring Security 的 OAuth2 客户端支持中用于配置 OpenID Connect 1.0 RP 发起的注销的相应配置。 |
自定义注销请求验证
OidcLogoutAuthenticationValidator是用于验证特定 OpenID Connect RP 发起的注销请求参数的默认验证程序。
默认实现验证参数。
如果验证失败,则引发 an。post_logout_redirect_uriOAuth2AuthenticationException
OidcLogoutAuthenticationProvider通过向 提供 类型的自定义身份验证验证程序,提供覆盖默认注销请求验证的功能。Consumer<OidcLogoutAuthenticationContext>setAuthenticationValidator()
OidcLogoutAuthenticationContext保存 ,其中包含 logout 请求参数。OidcLogoutAuthenticationToken |
如果验证失败,身份验证验证器必须抛出 .OAuth2AuthenticationException |
以下示例显示如何使用自定义身份验证验证器进行配置:OidcLogoutAuthenticationProvider
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.oidc(oidc ->
oidc
.logoutEndpoint(logoutEndpoint ->
logoutEndpoint
.authenticationProviders(configureAuthenticationValidator())
)
)
);
return http.build();
}
private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
return (authenticationProviders) ->
authenticationProviders.forEach((authenticationProvider) -> {
if (authenticationProvider instanceof OidcLogoutAuthenticationProvider oidcLogoutAuthenticationProvider) {
Consumer<OidcLogoutAuthenticationContext> authenticationValidator = new CustomPostLogoutRedirectUriValidator();
oidcLogoutAuthenticationProvider.setAuthenticationValidator(authenticationValidator);
}
});
}
static class CustomPostLogoutRedirectUriValidator implements Consumer<OidcLogoutAuthenticationContext> {
@Override
public void accept(OidcLogoutAuthenticationContext authenticationContext) {
OidcLogoutAuthenticationToken oidcLogoutAuthentication =
authenticationContext.getAuthentication();
RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
// TODO
}
}OpenID Connect 1.0 UserInfo 端点
OidcUserInfoEndpointConfigurer提供自定义 OpenID Connect 1.0 UserInfo 终端节点的功能。
它定义了扩展点,允许您自定义 UserInfo 请求的预处理、主处理和后处理逻辑。
OidcUserInfoEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.oidc(oidc ->
oidc
.userInfoEndpoint(userInfoEndpoint ->
userInfoEndpoint
.userInfoRequestConverter(userInfoRequestConverter) (1)
.userInfoRequestConverters(userInfoRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.userInfoResponseHandler(userInfoResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
.userInfoMapper(userInfoMapper) (7)
)
)
);
return http.build();
}| 1 | userInfoRequestConverter():添加尝试将 UserInfo 请求提取到 的实例时使用的(预处理器)。AuthenticationConverterHttpServletRequestOidcUserInfoAuthenticationToken |
| 2 | userInfoRequestConverters():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationConverterAuthenticationConverter |
| 3 | authenticationProvider():添加一个(主处理器)用于验证 .AuthenticationProviderOidcUserInfoAuthenticationToken |
| 4 | authenticationProviders():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationProviderAuthenticationProvider |
| 5 | userInfoResponseHandler():用于处理 “authenticated” 并返回 UserInfo 响应的 (后处理器)。AuthenticationSuccessHandlerOidcUserInfoAuthenticationToken |
| 6 | errorResponseHandler():用于处理和返回 UserInfo Error 响应的(后处理器)。AuthenticationFailureHandlerOAuth2AuthenticationException |
| 7 | userInfoMapper():用于将声明提取到 的实例。FunctionOidcUserInfoAuthenticationContextOidcUserInfo |
OidcUserInfoEndpointConfigurer配置 并将其注册到 OAuth2 授权服务器 。 是处理 UserInfo 请求并返回 OidcUserInfo 响应的 ID。OidcUserInfoEndpointFilterSecurityFilterChain@BeanOidcUserInfoEndpointFilterFilter
OidcUserInfoEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 从 获取 并创建 with 主体的内部实现。AuthenticationSecurityContextOidcUserInfoAuthenticationToken -
AuthenticationManager— 一个 组成的 ,它与 的内部实现相关联,该实现根据授权期间请求的范围从 ID 令牌中提取标准声明。AuthenticationManagerOidcUserInfoAuthenticationProvideruserInfoMapper -
AuthenticationSuccessHandler— 处理 “authenticated” 并返回响应的内部实现。OidcUserInfoAuthenticationTokenOidcUserInfo -
AuthenticationFailureHandler— 使用 associated with the 并返回响应的内部实现。OAuth2ErrorOAuth2AuthenticationExceptionOAuth2Error
您可以通过提供 OAuth2TokenCustomizer<JwtEncodingContext> 来自定义 ID 令牌。@Bean |
OpenID Connect 1.0 UserInfo 终端节点是受 OAuth2 保护的资源,它要求在 UserInfo 请求中将访问令牌作为持有者令牌发送。
OAuth2 资源服务器支持是自动配置的,但是,OpenID Connect 1.0 UserInfo 端点需要 a。JwtDecoder@Bean |
| 指南操作方法:自定义 OpenID Connect 1.0 UserInfo 响应包含自定义 UserInfo 端点的示例。 |
OpenID Connect 1.0 客户端注册终端节点
OidcClientRegistrationEndpointConfigurer提供自定义 OpenID Connect 1.0 客户端注册终端节点的功能。
它定义了扩展点,允许您自定义客户端注册请求或客户端读取请求的预处理、主处理和后处理逻辑。
OidcClientRegistrationEndpointConfigurer提供以下配置选项:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.oidc(oidc ->
oidc
.clientRegistrationEndpoint(clientRegistrationEndpoint ->
clientRegistrationEndpoint
.clientRegistrationRequestConverter(clientRegistrationRequestConverter) (1)
.clientRegistrationRequestConverters(clientRegistrationRequestConvertersConsumers) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.clientRegistrationResponseHandler(clientRegistrationResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
)
)
);
return http.build();
}| 1 | clientRegistrationRequestConverter():添加尝试将客户端注册请求或客户端读取请求提取到 的实例时使用的(预处理器)。AuthenticationConverterHttpServletRequestOidcClientRegistrationAuthenticationToken |
| 2 | clientRegistrationRequestConverters():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationConverterAuthenticationConverter |
| 3 | authenticationProvider():添加一个(主处理器)用于验证 .AuthenticationProviderOidcClientRegistrationAuthenticationToken |
| 4 | authenticationProviders():设置对 default 和(可选)added 的 提供访问权限,以允许添加、删除或自定义特定 .ConsumerListAuthenticationProviderAuthenticationProvider |
| 5 | clientRegistrationResponseHandler():用于处理“已验证”并返回客户端注册响应或客户端读取响应的(后处理器)。AuthenticationSuccessHandlerOidcClientRegistrationAuthenticationToken |
| 6 | errorResponseHandler():用于处理和返回客户端注册错误响应或客户端读取错误响应的(后处理器)。AuthenticationFailureHandlerOAuth2AuthenticationException |
| 默认情况下,OpenID Connect 1.0 客户端注册终端节点处于禁用状态,因为许多部署不需要动态客户端注册。 |
OidcClientRegistrationEndpointConfigurer配置 并将其注册到 OAuth2 授权服务器 。 是处理客户端注册请求并返回 OidcClientRegistration 响应的 。OidcClientRegistrationEndpointFilterSecurityFilterChain@BeanOidcClientRegistrationEndpointFilterFilter
OidcClientRegistrationEndpointFilter还会处理 Client Read 请求并返回 OidcClientRegistration 响应。 |
OidcClientRegistrationEndpointFilter配置了以下默认值:
-
AuthenticationConverter— 一个 .OidcClientRegistrationAuthenticationConverter -
AuthenticationManager— 由 和 组成的 。AuthenticationManagerOidcClientRegistrationAuthenticationProviderOidcClientConfigurationAuthenticationProvider -
AuthenticationSuccessHandler— 处理 “authenticated” 并返回响应的内部实现。OidcClientRegistrationAuthenticationTokenOidcClientRegistration -
AuthenticationFailureHandler— 使用 associated with the 并返回响应的内部实现。OAuth2ErrorOAuth2AuthenticationExceptionOAuth2Error
OpenID Connect 1.0 客户端注册终端节点是受 OAuth2 保护的资源,它要求在客户端注册(或客户端读取)请求中将访问令牌作为持有者令牌发送。
OAuth2 资源服务器支持是自动配置的,但是,OpenID Connect 1.0 客户端注册终端节点需要 a。JwtDecoder@Bean |
客户端注册请求中的访问令牌需要 OAuth2 范围 。client.create |
客户端读取请求中的访问令牌需要 OAuth2 范围 。client.read |