Spring Security 5 OAuth2 client password grant type

I have 2 applications:

  1. Spring application 1 is the client and the resource server.
  2. Spring application 2 is the authorization server.

Users will be able to log in to application 1 and access its resources. I want to implement the following flow:

The user enters his credentials in the login form -> application 1 uses the user's credentials and its clientId with the password grant type to obtain a token from application 2 -> the token is used to access application 1's resources.

The question is: does Spring Security 5 support the password grant type for the client? I found all the remaining grant types in the Spring Security 5 implementation, but not password.

Spring Security 5.1.x does not support it, see the Spring Security Reference:

6.6 OAuth 2.0 Client

The OAuth 2.0 Client features provide support for the Client role as defined in the OAuth 2.0 Authorization Framework.

The following main features are available:

  • Authorization Code Grant
  • Client Credentials Grant
  • WebClient extension for Servlet Environments (for making protected resource requests)

HttpSecurity.oauth2Client() provides a number of configuration options for customizing OAuth 2.0 Client.

However, you can use Spring Security OAuth2, see the OAuth 2 Developers Guide:

Accessing Protected Resources

As a general rule, a web application should not use password grants, so avoid using ResourceOwnerPasswordResourceDetails if you can in favour of AuthorizationCodeResourceDetails. If you desperately need password grants to work from a Java client, then use the same mechanism to configure your OAuth2RestTemplate and add the credentials to the AccessTokenRequest (which is a Map and is ephemeral) not the ResourceOwnerPasswordResourceDetails (which is shared between all access tokens).

Or you can upgrade to Spring Security 5.2.x, see the Spring Security Reference:

11.2 OAuth 2.0 Client

The OAuth 2.0 Client features provide support for the Client role as defined in the OAuth 2.0 Authorization Framework.

At a high-level, the core features available are:

Authorization Grant support

  • Authorization Code
  • Refresh Token
  • Client Credentials
  • Resource Owner Password Credentials
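
As an added example (not part of the original question or answer), this is what the 5.2.x Resource Owner Password Credentials support looks like when wired into application 1, in Java since both applications are Spring. The registration id `app2`, the token endpoint `http://localhost:9000/oauth/token`, the client id `app1` and the secret `app1-secret` are placeholders; the classes used are the Spring Security 5.2 OAuth 2.0 Client API referred to in the quoted reference section.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.AuthenticatedPrincipalOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;

// Example wiring for application 1 (the client); all ids and URLs are placeholders.
@Configuration
public class PasswordGrantClientConfig {

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        // The PASSWORD grant needs no redirect URI: only the token endpoint and the client id.
        ClientRegistration app2 = ClientRegistration.withRegistrationId("app2")
            .clientId("app1")
            .clientSecret("app1-secret")
            .authorizationGrantType(AuthorizationGrantType.PASSWORD)
            .tokenUri("http://localhost:9000/oauth/token")
            .build();
        return new InMemoryClientRegistrationRepository(app2);
    }

    @Bean
    public OAuth2AuthorizedClientRepository authorizedClientRepository(ClientRegistrationRepository registrations) {
        OAuth2AuthorizedClientService service = new InMemoryOAuth2AuthorizedClientService(registrations);
        return new AuthenticatedPrincipalOAuth2AuthorizedClientRepository(service);
    }

    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository registrations,
                                                                 OAuth2AuthorizedClientRepository authorizedClients) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
            .password()      // Resource Owner Password Credentials, added in 5.2
            .refreshToken()  // renew the access token later without asking for the password again
            .build();
        DefaultOAuth2AuthorizedClientManager manager =
            new DefaultOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);
        // The user's credentials are read from the per-request OAuth2AuthorizeRequest attributes,
        // so they are never stored in the shared ClientRegistration.
        manager.setContextAttributesMapper(authorizeRequest -> {
            Map<String, Object> attrs = new HashMap<>();
            attrs.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME,
                      authorizeRequest.getAttribute(OAuth2ParameterNames.USERNAME));
            attrs.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME,
                      authorizeRequest.getAttribute(OAuth2ParameterNames.PASSWORD));
            return attrs;
        });
        return manager;
    }
}

// Called by application 1's login controller with what the user typed into the form.
class PasswordGrantLoginService {
    private final OAuth2AuthorizedClientManager manager;

    PasswordGrantLoginService(OAuth2AuthorizedClientManager manager) {
        this.manager = manager;
    }

    /** Exchanges the form credentials for an access token issued by application 2. */
    OAuth2AccessToken login(String username, String password,
                            HttpServletRequest request, HttpServletResponse response) {
        // Unauthenticated principal: it only supplies the name the token is stored under.
        Authentication principal = new UsernamePasswordAuthenticationToken(username, null);
        OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("app2")
            .principal(principal)
            .attribute(OAuth2ParameterNames.USERNAME, username)
            .attribute(OAuth2ParameterNames.PASSWORD, password)
            .attribute(HttpServletRequest.class.getName(), request)
            .attribute(HttpServletResponse.class.getName(), response)
            .build();
        // A wrong password surfaces here as an OAuth2AuthorizationException from the token endpoint.
        OAuth2AuthorizedClient client = manager.authorize(authorizeRequest);
        if (client == null) {
            // The provider returns null when username or password is missing from the request.
            throw new IllegalStateException("application 2 did not issue a token for " + username);
        }
        return client.getAccessToken();
    }
}
```

The credentials travel only in the OAuth2AuthorizeRequest attributes, which mirrors the advice quoted above for the old AccessTokenRequest: nothing secret lives in the shared ClientRegistration. The quoted warning still applies to this grant, since application 1 sees the user's password and the authorization server cannot tell the user apart from the client.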