OAuth2AuthenticationToken 与 OAuth2Authentication
OAuth2AuthenticationToken vs OAuth2Authentication
1-OAuth2AuthenticationToken 和 OAuth2Authentication 有什么区别?
2-在我的 Spring Boot 客户端 Web 应用程序中,我使用依赖项 "spring-boot-starter-oauth2-client" 通过授权服务器实现单点登录 (SSO),因此客户端应用程序中的主体 (principal) 是 OAuth2AuthenticationToken。是吗?
3-我无法使用 @PreAuthorize("#oauth2.hasScope('xxx')"),因为它只对 OAuth2Authentication 而不是 OAuth2AuthenticationToken 生效,为什么?
但是当我使用 @PreAuthorize("hasRole('SomeRole')") 时,它工作正常。
4-这里是认证对象(The Principal)的例子
{
"authorities": [
{
"authority": "ROLE_USER",
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
}
}
],
"details": null,
"authenticated": true,
"principal": {
"authorities": [
{
"authority": "ROLE_USER",
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
}
}
],
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
},
"name": "bob"
},
"authorizedClientRegistrationId": "custom-client",
"credentials": "",
"name": "bob"
}
这些字段分别是什么?为什么会有一些冗余信息?为什么会有多个值不同的 authorities 字段?
5- 如果我改为在授权服务器中使用 JWT,是否必须修改客户端应用程序中的任何内容?
谢谢
这里是对您的多个问题的部分回答。
您应该首先注意:
OAuth2AuthenticationToken
is a class from the Spring Security project packaged into spring-security-oauth2-resource-server.
OAuth2Authentication
is a class from the deprecated Spring Security OAuth project packaged into spring-security-oauth2.
OAuth2Authentication 类已标注 @Deprecated,不应在新项目中使用。
如果您只需要实现一个资源服务器和一个 OAuth2 客户端,应使用来自 spring-security-oauth2-resource-server 和 spring-boot-starter-oauth2-client Maven 包的类,并移除对 spring-security-oauth2 Maven 包中类的依赖。
如果您还需要授权服务器,可以尝试使用新的 Spring Authorization Server。
1-OAuth2AuthenticationToken 和 OAuth2Authentication 有什么区别?
2-在我的 Spring Boot 客户端 Web 应用程序中,我使用依赖项 "spring-boot-starter-oauth2-client" 通过授权服务器实现单点登录 (SSO),因此客户端应用程序中的主体 (principal) 是 OAuth2AuthenticationToken。是吗?
3-我无法使用 @PreAuthorize("#oauth2.hasScope('xxx')"),因为它只对 OAuth2Authentication 而不是 OAuth2AuthenticationToken 生效,为什么? 但是当我使用 @PreAuthorize("hasRole('SomeRole')") 时,它工作正常。
4-这里是认证对象(The Principal)的例子
{
"authorities": [
{
"authority": "ROLE_USER",
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
}
}
],
"details": null,
"authenticated": true,
"principal": {
"authorities": [
{
"authority": "ROLE_USER",
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
}
}
],
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
},
"name": "bob"
},
"authorizedClientRegistrationId": "custom-client",
"credentials": "",
"name": "bob"
}
这些字段分别是什么?为什么会有一些冗余信息?为什么会有多个值不同的 authorities 字段?
5- 如果我改为在授权服务器中使用 JWT,是否必须修改客户端应用程序中的任何内容?
谢谢
这里是对您的多个问题的部分回答。
您应该首先注意:
OAuth2AuthenticationToken
is a class from the Spring Security project packaged into spring-security-oauth2-resource-server.
OAuth2Authentication
is a class from the deprecated Spring Security OAuth project packaged into spring-security-oauth2.
OAuth2Authentication 类已标注 @Deprecated,不应在新项目中使用。
如果您只需要实现一个资源服务器和一个 OAuth2 客户端,应使用来自 spring-security-oauth2-resource-server 和 spring-boot-starter-oauth2-client Maven 包的类,并移除对 spring-security-oauth2 Maven 包中类的依赖。
如果您还需要授权服务器,可以尝试使用新的 Spring Authorization Server。