Does Spring OAuth2 SSO support Azure Active Directory signing key rollover for token verification?

I am developing an SSO application with Spring OAuth2 SSO. I use Azure AD as the OAuth2 provider; it has signing key rollover and exposes its public keys through the JWKS URI (OpenID configuration), as shown below. Is there any way to do token verification in Spring OAuth2 SSO?

{
  "keys": [
{
  "kty": "RSA",
  "use": "sig",
  "kid": "9FXDpbfMFT2SvQuXh846YTwEIBw",
  "x5t": "9FXDpbfMFT2SvQuXh846YTwEIBw",
  "n": "kvt1VmR4nwkNM8jMU0wmj2gSS8NznbOt2pZI6Z7HQT_esF7W19GZR7Y72Xo1i5zXRDM9o3GeTIjBrnr3yy41Q_EaUQ7C-b-Hmg94Vy7EBZyBhi_mznz0dYWs2MIXwR86Nni9TmgTXvjgTPF2YGJoZt4TwcMFefW8rijCVyNrCBA0XspDouNJavvG0BEMXYigoThFjLRXS5U3h4BDfNZFZZS3dyliNOXfgRn2k7oITz8h_ueiPvmDRFh38AeQgx1cELhKWc3P5ugtttraSwgH7nP2NUguO9nCrHuL6TZ-KWpmRWZqwH-jYKFQVt3CDpzwNM6XJL-oHbl1x-gI3YYX5w",
  "e": "AQAB",
  "x5c": [
    "..."
  ]
},
{
  "kty": "RSA",
  "use": "sig",
  "kid": "VWVIc1WD1Tksbb301sasM5kOq5Q",
  "x5t": "VWVIc1WD1Tksbb301sasM5kOq5Q",
  "n": "wxZQBChCrsCnhy-U6jWszJNnpSwYM3nmF7iwBkp0Qa57Wz7XQLnhUucZe_YkEJg6hJg16XAbZ_3oZnwLqQVlArfu5ldP9IdgOgPJYFGZXamE0v3BFtf1K2leiHqfmt06zJ2NhHCQ5p2yRzrrMV23kjK5bz8a_gQsdkIkBW7qE9TbJFU5D3zPk-sbJi7SIOLx5XRI6eFwu4z1IGooBbNiRopDEdcQizJqH_7PQJuBBk-a-ntI05mZaEZ2nbo8DDu046TEkqA2IRJ1FIvvdxrAi5NQ6E6YcYulNWxUaxBD2e42f9jmhBTBYknN23p3QEmRWvhgFRyDoK-M5XFw1H0mbw",
  "e": "AQAB",
  "x5c": [
    "..."
  ]
},
{
  "kty": "RSA",
  "use": "sig",
  "kid": "2S4SCVGs8Sg9LS6AqLIq6DpW-g8",
  "x5t": "2S4SCVGs8Sg9LS6AqLIq6DpW-g8",
  "n": "oZ-QQrNuB4ei9ATYrT61ebPtvwwYWnsrTpp4ISSp6niZYb92XM0oUTNgqd_C1vGN8J-y9wCbaJWkpBf46CjdZehrqczPhzhHau8WcRXocSB1u_tuZhv1ooAZ4bAcy79UkeLiG60HkuTNJJC8CfaTp1R97szBhuk0Vz5yt4r5SpfewIlBCnZUYwkDS172H9WapQu-3P2Qjh0l-JLyCkdrhvizZUk0atq5_AIDKRU-A0pRGc-EZhUL0LqUMz6c6M2s_4GnQaScv44A5iZUDD15B6e8Apb2yARohkWmOnmRcTVfes8EkfxjzZEzm3cNkvP0ogILyISHKlkzy2OmlU6iXw",
  "e": "AQAB",
  "x5c": [
    "..."
  ]
}
]
}

Based on the description, you are implementing an OAuth 2.0 provider with Azure AD using Spring Security OAuth.

As I understand it, the provider role in OAuth 2.0 is actually split into the authorization service and the resource service. If your application only obtains the token and sends it to a resource protected by Azure AD, you do not need to verify the token. For example, your web application implements an OAuth 2.0 provider so that users can obtain an access token for Microsoft Graph from Azure AD, and your web application then calls Microsoft Graph with that access token. Microsoft Graph will verify the access token.

If you also implement a resource service with Spring Security OAuth and protect it with Azure AD, you need to implement ResourceServerTokenServices to verify the token and handle key rollover.

You can refer to this link to validate the access token manually. For more details on Spring OAuth2 development, you can refer to the link below:

OAuth 2 Developers Guide
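The rollover handling the answer asks a ResourceServerTokenServices implementation to do, as an added example that is not part of the question or the answer and is not Spring code: a standard-library Go program showing what the token service has to do with the JWKS document from the question. It caches keys by kid, reloads the JWKS once when a token names a kid it has not seen, rejects any alg other than RS256, and only then checks the RSA signature. The JWKS shape (kty, use, kid, n, e) is the one in the question's document; the stand-in issuer, the kids k1 and k2, and the sub claim are constructed for this example, and exp, nbf, iss and aud checks are deliberately left to the caller.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE base64url, no padding

// KeyStore caches verification keys by kid and reloads the JWKS once when it meets an unknown
// kid. That is the whole rollover mechanism: the provider lists a new key before signing with it.
type KeyStore struct {
	fetch func() []byte // returns the JWKS document; an HTTP GET (with rate limiting) in real use
	keys  map[string]*rsa.PublicKey
}

func (s *KeyStore) Key(kid string) (*rsa.PublicKey, error) {
	if _, ok := s.keys[kid]; !ok { // unknown kid: assume a rollover happened and reload once
		var doc struct{ Keys []struct{ Kty, Use, Kid, N, E string } } // json matching is case-insensitive
		if err := json.Unmarshal(s.fetch(), &doc); err != nil {
			return nil, err
		}
		s.keys = map[string]*rsa.PublicKey{} // a fresh map also forgets keys the provider retired
		for _, k := range doc.Keys {
			n, errN := b64.DecodeString(k.N)
			e, errE := b64.DecodeString(k.E)
			if k.Kty == "RSA" && k.Use == "sig" && errN == nil && errE == nil { // n and e suffice, x5c is not needed
				s.keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
			}
		}
	}
	if pub, ok := s.keys[kid]; ok {
		return pub, nil
	}
	return nil, fmt.Errorf("kid %q not in JWKS even after refresh", kid)
}

// Verify checks the RS256 signature of a compact JWT; nil proves who signed it, nothing more.
func Verify(s *KeyStore, token string) error {
	parts := strings.Split(token, ".")
	raw, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return fmt.Errorf("malformed token")
	}
	if hdr.Alg != "RS256" { // the token must never get to choose "none" or an HMAC alg
		return fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, err := s.Key(hdr.Kid)
	if err != nil {
		return err
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// jwksFor and mint stand in for Azure AD: publish the current key as a JWKS document, sign tokens.
func jwksFor(kid string, pub *rsa.PublicKey) []byte {
	doc, _ := json.Marshal(map[string][]map[string]string{"keys": {{"kty": "RSA", "use": "sig", "kid": kid,
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
	return doc
}

func mint(kid, alg string, priv *rsa.PrivateKey, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "kid": kid}) // alg is a parameter so "none" can be forged
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// Demo walks through a rollover and returns each verification outcome by scenario (nil = accepted).
func Demo() map[string]error {
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	kid, priv := "k1", k1 // what the provider currently publishes and signs with
	store := &KeyStore{fetch: func() []byte { return jwksFor(kid, &priv.PublicKey) }}
	claims, out := map[string]interface{}{"sub": "alice"}, map[string]error{}
	out["k1 before rollover"] = Verify(store, mint("k1", "RS256", k1, claims))
	kid, priv = "k2", k2 // rollover: the JWKS now lists only k2
	out["k2 after rollover"] = Verify(store, mint("k2", "RS256", k2, claims))
	out["k1 after retirement"] = Verify(store, mint("k1", "RS256", k1, claims))
	out["k2 kid but k1 signature"] = Verify(store, mint("k2", "RS256", k1, claims))
	out["alg none"] = Verify(store, mint("k2", "none", k2, claims))
	return out
}

func main() { fmt.Println(Demo()) }
```

Two caveats a real token service needs on top of this. Azure AD publishes several keys at once, as the three entries in the question's JWKS show, so keep every listed key rather than just the newest; and because any client can send a token with a made-up kid, the reload on an unknown kid must be rate-limited, or an attacker can make the resource server hammer the JWKS endpoint.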