spring-security-oauth2 documentation
Uploaded 2024-03-26 11:41:06 (PDF, 371KB; 30-page preview)
spring-security-oauth2-boot-reference-2.6.8 is the final version of the official documentation.
OAuth2 Boot
Version 2.6.8
If you have spring-security-oauth2 on your classpath, you can take advantage of
some auto-configuration to simplify setting up Authorization and Resource
Servers. For full details, see the Spring Security OAuth 2 Developers Guide.
The following projects are in maintenance mode:
• spring-security-oauth2
• spring-security-oauth2-autoconfigure
You are, of course, welcome to use them, and we will help you out!
However, before selecting spring-security-oauth2 and spring-security-oauth2-autoconfigure, you
should check out Spring Security's feature matrix to see if the new first-class support meets
your needs.
This project is a port of the Spring Security OAuth support that came with Spring
Boot 1.x. Support was removed in Spring Boot 2.x in favor of Spring Security
5’s first-class OAuth support.
To ease migration, this project exists as a bridge between the old Spring Security
OAuth support and Spring Boot 2.x.
Chapter 1. Authorization Server
Spring Security OAuth2 Boot simplifies standing up an OAuth 2.0 Authorization Server.
1.1. Do I Need to Stand Up My Own Authorization Server?
You need to stand up your own authorization server if:
• You want to delegate the operations of sign-in, sign-out, and password recovery to a separate
service (also called identity federation) that you want to manage yourself and
• You want to use the OAuth 2.0 protocol for this separate service to coordinate with other
services
1.2. Dependencies
To use the auto-configuration features in this library, you need spring-security-oauth2, which has
the OAuth 2.0 primitives and spring-security-oauth2-autoconfigure. Note that you need to specify
the version for spring-security-oauth2-autoconfigure, since it is not managed by Spring Boot any
longer, though it should match Boot’s version anyway.
For JWT support, you also need spring-security-jwt.
1.3. Minimal OAuth2 Boot Configuration
Creating a minimal Spring Boot authorization server consists of three basic steps:
1. Including the dependencies.
2. Including the @EnableAuthorizationServer annotation.
3. Specifying at least one client ID and secret pair.
1.3.1. Enabling the Authorization Server
Similar to other Spring Boot @Enable annotations, you can add the @EnableAuthorizationServer
annotation to the class that contains your main method, as the following example shows:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@EnableAuthorizationServer
@SpringBootApplication
public class SimpleAuthorizationServerApplication {
    public static void main(String[] args) {
        // SpringApplication.run takes the primary source as a Class object
        SpringApplication.run(SimpleAuthorizationServerApplication.class, args);
    }
}
Adding this annotation imports other Spring configuration files that add a number of reasonable
defaults, such as how tokens ought to be signed, their duration, and what grants to allow.
1.3.2. Specifying a Client and Secret
By spec, numerous OAuth 2.0 endpoints require client authentication, so you need to specify at least
one client in order for anyone to be able to communicate with your authorization server.
The following example shows how to specify a client:
security:
  oauth2:
    client:
      client-id: first-client
      client-secret: noonewilleverguess
While convenient, this makes a number of assumptions that are unlikely to be
viable in production. You likely need to do more than this to ship.
That’s it! But, what do you do with it? We cover that next.
1.3.3. Retrieving a Token
OAuth 2.0 is essentially a framework that specifies strategies for exchanging long-lived tokens for
short-lived ones.
By default, @EnableAuthorizationServer enables the client_credentials grant for the configured
client, which means you can obtain a token with nothing more than the client ID and secret, as
the following example shows (HTTP Basic credentials are passed in the URL):
curl first-client:noonewilleverguess@localhost:8080/oauth/token \
  -d grant_type=client_credentials -d scope=any
The application responds with a token similar to the following:
{
  "access_token" : "f05a1ea7-4c80-4583-a123-dc7a99415588",
  "token_type" : "bearer",
  "expires_in" : 43173,
  "scope" : "any"
}
This token can be presented to any resource server that supports opaque OAuth 2.0 tokens and is
configured to point at this authorization server for verification.
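As an added example, not from the original documentation or the project's own samples, the following configuration for a separate Spring Boot resource server verifies the opaque token above by calling the authorization server's /oauth/check_token endpoint through RemoteTokenServices from spring-security-oauth2. It assumes the authorization server runs at localhost:8080, that the resource server authenticates to the check-token endpoint as the same first-client, and that the authorization server allows authenticated clients to call check_token (the default access rule for that endpoint is denyAll(), so it must be opened explicitly). The /api/** path and the scope check are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

/**
 * Resource server that validates opaque bearer tokens remotely.
 * Every request carrying "Authorization: Bearer <token>" triggers a call to the
 * authorization server's check_token endpoint; an unknown, expired or revoked
 * token makes that call fail and the request is rejected with 401.
 */
@Configuration
@EnableResourceServer
public class OpaqueTokenResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumed: authorization server on localhost:8080, reachable from this service.
    private static final String CHECK_TOKEN_URL = "http://localhost:8080/oauth/check_token";

    @Bean
    public ResourceServerTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl(CHECK_TOKEN_URL);
        // check_token itself requires client authentication; these are the
        // credentials this resource server presents to the authorization server
        // (assumed to be the same first-client defined on the authorization server).
        services.setClientId("first-client");
        services.setClientSecret("noonewilleverguess");
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Replace the default (local) token services with remote introspection.
        resources.tokenServices(tokenServices());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Illustrative path; the #oauth2 expression checks the scope that the
            // check_token response reports for the presented token.
            .antMatchers("/api/**").access("#oauth2.hasScope('any')")
            .anyRequest().authenticated();
    }
}
```

Remote introspection costs one HTTP round trip per request, which is the trade-off for being able to revoke opaque tokens immediately; the JWT configuration listed under "How to Configure for Jwt Tokens" avoids the round trip at the price of tokens that stay valid until they expire.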
From here, you can jump to:
• How to Switch Off OAuth2 Boot’s Auto Configuration
• How to Make Authorization Code Grant Flow Work
• How to Make Password Grant Flow Work
• How and When to Give Authorization Server an AuthenticationManager
• Is Authorization Server Compatible with Spring Security 5.1 Resource Server and Client?
• How to Configure for Jwt Tokens
1.4. How to Switch Off OAuth2 Boot's Auto Configuration
Basically, the OAuth2 Boot project creates an instance of AuthorizationServerConfigurer with some
reasonable defaults:
• It registers a NoOpPasswordEncoder (overriding the Spring Security default), so the client
secret you configured is stored and compared in plaintext.
• It lets the client you provided use any grant type this server supports: authorization_code,
password, client_credentials, implicit, or refresh_token. Note that the implicit and password
grants are deprecated by the OAuth 2.0 Security Best Current Practice and should not be enabled
for a production client.
Otherwise, it also tries to pick up a handful of beans, if they are defined — namely:
• AuthenticationManager: For looking up end users (not clients)
• TokenStore: For generating and retrieving tokens
• AccessTokenConverter: For converting access tokens into different formats, such as JWT.
While this documentation covers a bit of what each of these beans does, the Spring
Security OAuth documentation is a better place to read up on its primitives
If you expose a bean of type AuthorizationServerConfigurer, none of this is done automatically.
So, for example, if you need to configure more than one client, change their allowed grant types, or
use something better than the no-op password encoder (highly recommended!), then you want to
expose your own AuthorizationServerConfigurer, as the following example shows:
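The example that the original document gives at this point is not part of this excerpt. As an added example, not the documentation's own, the following AuthorizationServerConfigurerAdapter replaces the defaults described above: it registers a BCryptPasswordEncoder for client secrets, declares two clients with only the grant types and scopes each one needs, shortens token lifetimes, and opens the check_token endpoint to authenticated clients. Client IDs, secrets, scopes, the redirect URI and the lifetimes are illustrative values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

/**
 * Exposing this bean (it implements AuthorizationServerConfigurer) switches off
 * OAuth2 Boot's auto-configured client, NoOpPasswordEncoder and "all grants"
 * defaults; everything the server accepts is now spelled out here.
 * @EnableAuthorizationServer is needed once; it may stay on the main class instead.
 */
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    @Bean
    public PasswordEncoder passwordEncoder() {
        return encoder;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            // Client secrets are verified with bcrypt instead of plaintext comparison,
            // so the stored secrets below must be encoded with the same encoder.
            .passwordEncoder(encoder)
            // Let authenticated clients (e.g. resource servers) introspect opaque tokens.
            .checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // Machine-to-machine client: client_credentials only, no refresh tokens.
            .withClient("first-client")
                .secret(encoder.encode("noonewilleverguess"))   // illustrative secret
                .authorizedGrantTypes("client_credentials")
                .scopes("any")
                .accessTokenValiditySeconds(600)                 // 10 minutes
            .and()
            // Browser-facing client: authorization code with refresh, no implicit/password.
            .withClient("web-app")
                .secret(encoder.encode("change-me-before-deploying")) // illustrative secret
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .scopes("read")
                // Exact-match redirect URI; assumed address of the client application.
                .redirectUris("https://app.example.com/login/oauth2/code/web-app")
                .accessTokenValiditySeconds(600)
                .refreshTokenValiditySeconds(86400);             // 1 day
    }
}
```

With this in place the curl request shown in section 1.3.3 still works for first-client, but a request for grant_type=password or an implicit-flow authorization request is rejected with unauthorized_client, and a client secret presented in plaintext against the bcrypt hash no longer authenticates.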
The remaining 29 pages are not included in this preview.