Spring Security 5 OAuth 2.0: How does the ResourceServer communicate with the AuthorizationServer?

I am currently developing an internal project at my company that uses role-based access control, built with Spring Security together with OAuth2 and JWT.

I have managed to develop the AuthorizationServer, which simply returns an access token carrying my custom claims.

I have also been able to create a ResourceServer that can decode the access token to verify the user's roles and access rights.

I have been following RFC 6749, the OAuth 2.0 Authorization Framework, which shows the following diagram:

[Figure: access and refresh token protocol flow]

My question is: how does the ResourceServer communicate with the AuthorizationServer to verify that the access token is still valid?

[Figure: the questioned flow I had in mind]

I researched the answer to this question and found that the ResourceServer validates the token itself within the security filter chain. Is this fully true? Is there any answer about how the ResourceServer validates the token? Does the ResourceServer validate every token when a ResourceServer endpoint is requested? And what if we want to trigger or validate a token manually; is there any way to do this?

For anyone seeking enlightenment, here is the explanation.

Question 1 (Q1): How does the ResourceServer communicate with the AuthorizationServer to validate whether the access token is still valid or not?

Answer to Q1: So in a sense we used an asymmetric key pair (private/public key) in our authentication and authorization processes: we shared the public key with our Resource Server and kept the private key in our Authorization Server. We do this so that we can achieve the separation of Authorization Server and Resource Server. The public key in the Resource Server is used so that any request with a token arriving at a Resource endpoint can be validated as having been created by the Authorization Server, which holds the matching private key.

Question 2 (Q2): "I researched the answer to this question and found that the ResourceServer validates the token itself within the security filter chain. Is this fully true?"

Answer to Q2: It is true to some point: if the JWT token used has an invalid signature, the token cannot be converted into JSON, so after that the Resource Server will throw an invalid-token error.

Question 3 (Q3): Is there any answer about how the ResourceServer is able to validate the token?

Answer to Q3: This answer is related to Q2, which is my only lead at the current time.

Question 4 (Q4): Does the ResourceServer validate every token when a ResourceServer endpoint gets requested?

Answer to Q4: Yes, it does, if you add the @EnableResourceServer annotation and configure the endpoint correctly.

Question 5 (Q5): What if we want to manually trigger or validate the token? Is there any way to do this?

Answer to Q5: Still have not found any lead on this one.
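As an added example (not code from the question or the answer above), the following shows how a Spring Security 5.2+ resource server can hold only the Authorization Server's public key and use it both inside the filter chain (Q1, Q2, Q4) and for a manual check outside it (Q5). It uses the `oauth2ResourceServer` DSL rather than the legacy `@EnableResourceServer` annotation; the `jwt.public.key` property, the `/api/**` path and the `validate` helper are assumptions.

```java
import java.security.interfaces.RSAPublicKey;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Only the PUBLIC half of the Authorization Server's key pair lives here.
    // Assumed property, e.g. jwt.public.key=classpath:public.pem in application.properties.
    @Value("${jwt.public.key}")
    private RSAPublicKey publicKey;

    // Decoder that checks the RS256 signature against the public key and, by default,
    // the exp/nbf timestamp claims. No call to the Authorization Server is made.
    @Bean
    public JwtDecoder jwtDecoder() {
        return NimbusJwtDecoder.withPublicKey(publicKey).build();
    }

    // Every request to the protected endpoints passes through the bearer-token filter,
    // which invokes the decoder above; a bad signature or expired token results in 401.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(authz -> authz
                .antMatchers("/api/**").authenticated()
                .anyRequest().denyAll())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder())));
    }

    // Manual validation outside the filter chain (assumed helper): decode() throws
    // JwtException when the signature does not match the public key, the token is
    // expired, or it is not a well-formed JWT. The returned Jwt exposes the custom
    // claims (roles etc.) that the Authorization Server put into the token.
    public static Jwt validate(JwtDecoder decoder, String token) {
        try {
            return decoder.decode(token);
        } catch (JwtException e) {
            return null; // treat as invalid; log the reason if auditing is required
        }
    }
}
```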