对于最新的稳定版本,请使用 Spring Security 6.4.1spring-doc.cn

OAuth 迁移

以下步骤与有关如何配置 OAuth 2.0 的更改相关。spring-doc.cn

更改默认权限oauth2Login()

在 Spring Security 5 中,为使用 OAuth2 或 OpenID Connect 1.0 提供程序(通过 )进行身份验证的用户提供的默认值是 。GrantedAuthorityoauth2Login()ROLE_USERspring-doc.cn

有关更多信息,请参阅映射用户权限spring-doc.cn

在 Spring Security 6 中,授予使用 OAuth2 提供者进行身份验证的用户的默认权限是 。 授予使用 OpenID Connect 1.0 提供程序进行身份验证的用户的默认权限为 。 这些默认值允许更清楚地区分已使用 OAuth2 或 OpenID Connect 1.0 提供者进行身份验证的用户。OAUTH2_USEROIDC_USERspring-doc.cn

如果您使用授权规则或表达式(例如或)来授权具有此特定权限的用户,则 Spring Security 6 中的新默认值将影响您的应用程序。hasRole("USER")hasAuthority("ROLE_USER")spring-doc.cn

要选择新的 Spring Security 6 默认值,可以使用以下配置。spring-doc.cn

使用 6.0 默认值配置 oauth2Login()
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
	http
		// ...
		.oauth2Login((oauth2Login) -> oauth2Login
			.userInfoEndpoint((userInfo) -> userInfo
				.userAuthoritiesMapper(grantedAuthoritiesMapper())
			)
		);
	return http.build();
}

private GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
	return (authorities) -> {
		Set<GrantedAuthority> mappedAuthorities = new HashSet<>();

		authorities.forEach((authority) -> {
			GrantedAuthority mappedAuthority;

			if (authority instanceof OidcUserAuthority) {
				OidcUserAuthority userAuthority = (OidcUserAuthority) authority;
				mappedAuthority = new OidcUserAuthority(
					"OIDC_USER", userAuthority.getIdToken(), userAuthority.getUserInfo());
			} else if (authority instanceof OAuth2UserAuthority) {
				OAuth2UserAuthority userAuthority = (OAuth2UserAuthority) authority;
				mappedAuthority = new OAuth2UserAuthority(
					"OAUTH2_USER", userAuthority.getAttributes());
			} else {
				mappedAuthority = authority;
			}

			mappedAuthorities.add(mappedAuthority);
		});

		return mappedAuthorities;
	};
}
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
	http {
		// ...
		oauth2Login {
			userInfoEndpoint {
				userAuthoritiesMapper = grantedAuthoritiesMapper()
			}
		}
	}
	return http.build()
}

private fun grantedAuthoritiesMapper(): GrantedAuthoritiesMapper {
	return GrantedAuthoritiesMapper { authorities ->
		authorities.map { authority ->
			when (authority) {
				is OidcUserAuthority ->
					OidcUserAuthority("OIDC_USER", authority.idToken, authority.userInfo)
				is OAuth2UserAuthority ->
					OAuth2UserAuthority("OAUTH2_USER", authority.attributes)
				else -> authority
			}
		}
	}
}
<http>
	<oauth2-login user-authorities-mapper-ref="userAuthoritiesMapper" ... />
</http>

选择退出步骤

如果配置新权限给您带来麻烦,您可以选择退出并通过以下配置显式使用 5.8 权限。ROLE_USERspring-doc.cn

使用 5.8 默认值配置 oauth2Login()
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
	http
		// ...
		.oauth2Login((oauth2Login) -> oauth2Login
			.userInfoEndpoint((userInfo) -> userInfo
				.userAuthoritiesMapper(grantedAuthoritiesMapper())
			)
		);
	return http.build();
}

private GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
	return (authorities) -> {
		Set<GrantedAuthority> mappedAuthorities = new HashSet<>();

		authorities.forEach((authority) -> {
			GrantedAuthority mappedAuthority;

			if (authority instanceof OidcUserAuthority) {
				OidcUserAuthority userAuthority = (OidcUserAuthority) authority;
				mappedAuthority = new OidcUserAuthority(
					"ROLE_USER", userAuthority.getIdToken(), userAuthority.getUserInfo());
			} else if (authority instanceof OAuth2UserAuthority) {
				OAuth2UserAuthority userAuthority = (OAuth2UserAuthority) authority;
				mappedAuthority = new OAuth2UserAuthority(
					"ROLE_USER", userAuthority.getAttributes());
			} else {
				mappedAuthority = authority;
			}

			mappedAuthorities.add(mappedAuthority);
		});

		return mappedAuthorities;
	};
}
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
	http {
		// ...
		oauth2Login {
			userInfoEndpoint {
				userAuthoritiesMapper = grantedAuthoritiesMapper()
			}
		}
	}
	return http.build()
}

private fun grantedAuthoritiesMapper(): GrantedAuthoritiesMapper {
	return GrantedAuthoritiesMapper { authorities ->
		authorities.map { authority ->
			when (authority) {
				is OidcUserAuthority ->
					OidcUserAuthority("ROLE_USER", authority.idToken, authority.userInfo)
				is OAuth2UserAuthority ->
					OAuth2UserAuthority("ROLE_USER", authority.attributes)
				else -> authority
			}
		}
	}
}
<http>
	<oauth2-login user-authorities-mapper-ref="userAuthoritiesMapper" ... />
</http>

解决 OAuth2 客户端弃用问题

在 Spring Security 6 中,已弃用的类和方法已从 OAuth2 客户端中删除。 下面列出了每个弃用版本以及直接替换版本。spring-doc.cn

ServletOAuth2AuthorizedClientExchangeFilterFunction

该方法可替换为以下之一:setAccessTokenExpiresSkew(…​)spring-doc.cn

  • ClientCredentialsOAuth2AuthorizedClientProvider#setClockSkew(…​)spring-doc.cn

  • RefreshTokenOAuth2AuthorizedClientProvider#setClockSkew(…​)spring-doc.cn

  • JwtBearerOAuth2AuthorizedClientProvider#setClockSkew(…​)spring-doc.cn

该方法可以替换为 constructor 。setClientCredentialsTokenResponseClient(…​)ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)spring-doc.cn

有关更多信息,请参阅 客户端凭证spring-doc.cn

OidcUserInfo

该方法可替换为 。phoneNumberVerified(String)phoneNumberVerified(Boolean)spring-doc.cn

OAuth2AuthorizedClientArgumentResolver

该方法可以替换为 constructor 。setClientCredentialsTokenResponseClient(…​)OAuth2AuthorizedClientArgumentResolver(OAuth2AuthorizedClientManager)spring-doc.cn

有关更多信息,请参阅 客户端凭证spring-doc.cn

ClaimAccessor

该方法可替换为 。containsClaim(…​)hasClaim(…​)spring-doc.cn

OidcClientInitiatedLogoutSuccessHandler

该方法可替换为 。setPostLogoutRedirectUri(URI)setPostLogoutRedirectUri(String)spring-doc.cn

HttpSessionOAuth2AuthorizationRequestRepository

该方法没有直接的替代。setAllowMultipleAuthorizationRequests(…​)spring-doc.cn

AuthorizationRequestRepository

该方法可替换为 。removeAuthorizationRequest(HttpServletRequest)removeAuthorizationRequest(HttpServletRequest, HttpServletResponse)spring-doc.cn

ClientRegistration

该方法可替换为 。getRedirectUriTemplate()getRedirectUri()spring-doc.cn

ClientRegistration.Builder

该方法可替换为 。redirectUriTemplate(…​)redirectUri(…​)spring-doc.cn

AbstractOAuth2AuthorizationGrantRequest

构造函数可以替换为 .AbstractOAuth2AuthorizationGrantRequest(AuthorizationGrantType)AbstractOAuth2AuthorizationGrantRequest(AuthorizationGrantType, ClientRegistration)spring-doc.cn

ClientAuthenticationMethod

static 字段可以替换为 。BASICCLIENT_SECRET_BASICspring-doc.cn

static 字段可以替换为 。POSTCLIENT_SECRET_POSTspring-doc.cn

OAuth2AccessTokenResponseHttpMessageConverter

该字段没有直接替代。tokenResponseConverterspring-doc.cn

该方法可替换为 。setTokenResponseConverter(…​)setAccessTokenResponseConverter(…​)spring-doc.cn

该字段没有直接替代。tokenResponseParametersConverterspring-doc.cn

该方法可替换为 。setTokenResponseParametersConverter(…​)setAccessTokenResponseParametersConverter(…​)spring-doc.cn

NimbusAuthorizationCodeTokenResponseClient

该类可以替换为 。NimbusAuthorizationCodeTokenResponseClientDefaultAuthorizationCodeTokenResponseClientspring-doc.cn

NimbusJwtDecoderJwkSupport

该类可以替换为 或 。NimbusJwtDecoderJwkSupportNimbusJwtDecoderJwtDecodersspring-doc.cn

ImplicitGrantConfigurer

该类没有直接替换。ImplicitGrantConfigurerspring-doc.cn

不建议使用授权类型,并且在 Spring Security 6 中删除了所有相关支持。implicitspring-doc.cn

AuthorizationGrantType

static 字段没有直接替换。IMPLICITspring-doc.cn

不建议使用授权类型,并且在 Spring Security 6 中删除了所有相关支持。implicitspring-doc.cn

OAuth2AuthorizationResponseType

static 字段没有直接替换。TOKENspring-doc.cn

不建议使用授权类型,并且在 Spring Security 6 中删除了所有相关支持。implicitspring-doc.cn

OAuth2AuthorizationRequest

static 方法没有直接替代。implicit()spring-doc.cn

不建议使用授权类型,并且在 Spring Security 6 中删除了所有相关支持。implicitspring-doc.cn

地址弃用JwtAuthenticationConverter

该方法将被删除。 请提供自定义的授予权限转换器,而不是扩展 。extractAuthoritiesJwtAuthenticationConverterJwtAuthenticationConverter#setJwtGrantedAuthoritiesConverterspring-doc.cn