JWT with Spring OAuth2

I have created a Spring authorization server that issues JWTs, and a resource server that checks the JWT and its claims and authorities against the authorization server. To do this I followed this article.

My question is: why do I need to send an Authorization header with HTTP Basic authorization and the Base64-encoded username/password (ClientId:ClientSecret) in the get-token request? I have seen JWT implementations that only needed a username and password.

It is part of the specification, see RFC 6749:

2.3 Client Authentication

If the client type is confidential, the client and authorization server establish a client authentication method suitable for the security requirements of the authorization server. The authorization server MAY accept any form of client authentication meeting its security requirements.

Confidential clients are typically issued (or establish) a set of client credentials used for authenticating with the authorization server (e.g., password, public/private key pair).

The authorization server MAY establish a client authentication method with public clients. However, the authorization server MUST NOT rely on public client authentication for the purpose of identifying the client.

The client MUST NOT use more than one authentication method in each request.

By default Spring Security OAuth 2.0 protects the token endpoint, see the OAuth 2 Developers Guide:

The token endpoint is protected for you by default by Spring OAuth in the @Configuration support using HTTP Basic authentication of the client secret.

However, it seems you can disable client authentication:

  • Spring Security OAuth 2.0 with no client_secret

This is the structure of the JWT token:

HMACSHA256(
    base64UrlEncode(header) + "." +
    base64UrlEncode(payload),
    secret
)

As you are doing a JWT implementation, all 3 parts must be there: header.payload.secret

Perhaps in the implementation you saw, the server was using a default password.
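Both points above, the HTTP Basic client authentication the first answer quotes from RFC 6749 and the HMAC-SHA256 signature formula the second answer shows, in one added Python example that is not part of either answer or of Spring's code. The client registry, the claims and the signing key are constructed sample values; a real deployment keeps the secret out of source.

```python
import base64, hashlib, hmac, json

def basic_auth_header(client_id, client_secret):
    """Client side: the Authorization header a confidential client sends to the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def check_basic_auth(header, registered):
    """Authorization-server side: validate Basic credentials against a constructed {client_id: secret} registry."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        client_id, sep, secret = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return False
    expected = registered.get(client_id)
    if not sep or expected is None:
        return False
    return hmac.compare_digest(secret.encode(), expected.encode())  # constant-time compare

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload, secret):
    """header.payload.signature with HMAC-SHA256, exactly as the formula above computes it."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token, secret):
    """Resource-server side: return the claims if the signature is valid, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse "none" and any algorithm other than the one we expect
        expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return None
        return json.loads(_b64url_decode(parts[1]))
    except ValueError:  # malformed base64 or JSON
        return None
```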