在 Spring 安全 OAuth 应用程序中是否有端点可以获取配置的 public 证书?
Is there an endpoint to get the configured public certificate in a Spring Security OAuth application?
在 Spring 启动应用程序中作为授权服务器使用 Spring 安全 Oauth,我配置了 JWT 和密钥对来签署令牌。
是否有任何现有端点允许我们获得 public 证书?
这里是:/oauth/token_key
为了允许未经身份验证的访问,我们需要添加:
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
...
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.tokenKeyAccess("isAnonymous()");
}
...
}
您可以使用 .well-known 发现端点获取有关所有端点、签名算法等的详细信息。
您已经写了一个自我回答,但参考文献可能会有所帮助,请参阅 OAuth 2 Developers Guide:
JWT Tokens
[... ]The tokens are signed by default, and the Resource Server also has to be able to verify the signature, so it either needs the same symmetric (signing) key as the Authorization Server (shared secret, or symmetric key), or it needs the public key (verifier key) that matches the private key (signing key) in the Authorization Server (public-private or asymmetric key). The public key (if available) is exposed by the Authorization Server on the /oauth/token_key endpoint, which is secure by default with access rule "denyAll()". You can open it up by injecting a standard SpEL expression into the AuthorizationServerSecurityConfigurer (e.g. "permitAll()" is probably adequate since it is a public key).
和
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')").checkTokenAccess(
"hasAuthority('ROLE_TRUSTED_CLIENT')");
}
In this example we are configuring both the /oauth/check_token endpoint and the /oauth/token_key endpoint (so trusted resources can obtain the public key for JWT verification). These two endpoints are protected by HTTP Basic authentication using client credentials.
在 Spring 启动应用程序中作为授权服务器使用 Spring 安全 Oauth,我配置了 JWT 和密钥对来签署令牌。
是否有任何现有端点允许我们获得 public 证书?
这里是:/oauth/token_key
为了允许未经身份验证的访问,我们需要添加:
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
...
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.tokenKeyAccess("isAnonymous()");
}
...
}
您可以使用 .well-known 发现端点获取有关所有端点、签名算法等的详细信息。
您已经写了一个自我回答,但参考文献可能会有所帮助,请参阅 OAuth 2 Developers Guide:
JWT Tokens
[... ]The tokens are signed by default, and the Resource Server also has to be able to verify the signature, so it either needs the same symmetric (signing) key as the Authorization Server (shared secret, or symmetric key), or it needs the public key (verifier key) that matches the private key (signing key) in the Authorization Server (public-private or asymmetric key). The public key (if available) is exposed by the Authorization Server on the
/oauth/token_keyendpoint, which is secure by default with access rule "denyAll()". You can open it up by injecting a standard SpEL expression into theAuthorizationServerSecurityConfigurer(e.g. "permitAll()" is probably adequate since it is a public key).
和
@Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer.tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')").checkTokenAccess( "hasAuthority('ROLE_TRUSTED_CLIENT')"); }In this example we are configuring both the
/oauth/check_tokenendpoint and the/oauth/token_keyendpoint (so trusted resources can obtain the public key for JWT verification). These two endpoints are protected by HTTP Basic authentication using client credentials.