Spring 安全 oauth2 使用 grant_type "password" 禁用令牌端点上的客户端身份验证
Spring Security oauth 2 Disable Client authentification on TokenEndPoint with grant_type "password"
我的应用程序使用 Spring 安全 Oauth2 配置来管理身份验证。
目前,我的请求需要这些信息:grand_type、用户名、密码、client_id 和 client_secret。
但是,我的应用程序不需要客户端身份验证 (client_id + client_secret)。那么,如何删除此身份验证?
这是我当前的配置:
AuthorizationServerConfigurerAdapter:
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Autowired
private TokenStore tokenStore;
@Autowired
private UserApprovalHandler userApprovalHandler;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("khk")
.autoApprove(true)
.authorizedGrantTypes("refresh_token", "password")
.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
.scopes("openid")
//.secret("changeme")
.accessTokenValiditySeconds(30000)
.refreshTokenValiditySeconds(60000);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler)
.authenticationManager(authenticationManager).pathMapping("/oauth/token", "/connect").accessTokenConverter(accessTokenConverter());
}
public AccessTokenConverter accessTokenConverter() {
return new DefaultAccessTokenConverter();
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
}
}
WebSecurityConfigurerAdapter:
@Configuration
@EnableWebSecurity
public class OAuth2SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private ClientDetailsService clientDetailsService;
@Autowired
private DataSource dataSource;
@Autowired
public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication().dataSource(dataSource)
.usersByUsernameQuery("select us_pseudo, us_passwd, us_enabled from t_user where us_pseudo=?")
.authoritiesByUsernameQuery("select us.us_pseudo, gr.name from t_user us, t_group gr, r_groupuser gu where us.us_id = gu.groupuser_user_id and gr.gp_id = gu.groupuser_group_id and us.us_pseudo = ?");
//.groupAuthoritiesByUsername("TO DO FOR RIGHTS");
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Bean
@Autowired
public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore){
TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
handler.setTokenStore(tokenStore);
handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
handler.setClientDetailsService(clientDetailsService);
return handler;
}
@Bean
@Autowired
public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
TokenApprovalStore store = new TokenApprovalStore();
store.setTokenStore(tokenStore);
return store;
}
}
ResourceServerConfigurerAdapter:
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
private static final String RESOURCE_ID = "SPRING_REST_API";
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId(RESOURCE_ID).stateless(false);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/connect").permitAll()
.anyRequest().permitAll()
.and()
.exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
}
}
简短的回答是:您需要该信息才能使用 oauth2。这不是可选信息,您可以删除它并让一切正常工作。
请记住,client_id 和 client_secret 的目的是授权您的客户端应用程序本身。根据您使用的授权类型,您的客户端应用程序将只需要 client_id 或两者都需要。
如果您只想要 client_id,您可以在 授权代码 或 隐式 授权类型之间进行选择。但首先我建议阅读 this article 以了解不同的资助类型并确定最适合您的情况。
我的应用程序使用 Spring 安全 Oauth2 配置来管理身份验证。
目前,我的请求需要这些信息:grand_type、用户名、密码、client_id 和 client_secret。
但是,我的应用程序不需要客户端身份验证 (client_id + client_secret)。那么,如何删除此身份验证?
这是我当前的配置:
AuthorizationServerConfigurerAdapter:
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Autowired
private TokenStore tokenStore;
@Autowired
private UserApprovalHandler userApprovalHandler;
@Autowired
@Qualifier("authenticationManagerBean")
private AuthenticationManager authenticationManager;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("khk")
.autoApprove(true)
.authorizedGrantTypes("refresh_token", "password")
.authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
.scopes("openid")
//.secret("changeme")
.accessTokenValiditySeconds(30000)
.refreshTokenValiditySeconds(60000);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore).userApprovalHandler(userApprovalHandler)
.authenticationManager(authenticationManager).pathMapping("/oauth/token", "/connect").accessTokenConverter(accessTokenConverter());
}
public AccessTokenConverter accessTokenConverter() {
return new DefaultAccessTokenConverter();
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
}
}
WebSecurityConfigurerAdapter:
@Configuration
@EnableWebSecurity
public class OAuth2SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private ClientDetailsService clientDetailsService;
@Autowired
private DataSource dataSource;
@Autowired
public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication().dataSource(dataSource)
.usersByUsernameQuery("select us_pseudo, us_passwd, us_enabled from t_user where us_pseudo=?")
.authoritiesByUsernameQuery("select us.us_pseudo, gr.name from t_user us, t_group gr, r_groupuser gu where us.us_id = gu.groupuser_user_id and gr.gp_id = gu.groupuser_group_id and us.us_pseudo = ?");
//.groupAuthoritiesByUsername("TO DO FOR RIGHTS");
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public TokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Bean
@Autowired
public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore){
TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
handler.setTokenStore(tokenStore);
handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
handler.setClientDetailsService(clientDetailsService);
return handler;
}
@Bean
@Autowired
public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
TokenApprovalStore store = new TokenApprovalStore();
store.setTokenStore(tokenStore);
return store;
}
}
ResourceServerConfigurerAdapter:
@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
private static final String RESOURCE_ID = "SPRING_REST_API";
@Override
public void configure(ResourceServerSecurityConfigurer resources) {
resources.resourceId(RESOURCE_ID).stateless(false);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/connect").permitAll()
.anyRequest().permitAll()
.and()
.exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
}
}
简短的回答是:您需要该信息才能使用 oauth2。这不是可选信息,您可以删除它并让一切正常工作。
请记住,client_id 和 client_secret 的目的是授权您的客户端应用程序本身。根据您使用的授权类型,您的客户端应用程序将只需要 client_id 或两者都需要。
如果您只想要 client_id,您可以在 授权代码 或 隐式 授权类型之间进行选择。但首先我建议阅读 this article 以了解不同的资助类型并确定最适合您的情况。