哪一个是正确的 OAuth2 流程
Which one is the correct OAuth2 flow
试图在 spring 中实施 OAuth2。但不知道哪一个是正确的流程?
我保持一个流量@Order(1) in (WebSecurityConfigurerAdapter)
点击下面的按钮后,我看到了默认登录页面,我成功登录了。 http://localhost:8301/oauth/authorize?client_id=getidfromfacebook&response_type=code&redirect_uri=http://localhost:9191/xyz
重定向到授权页面并在接受后获得代码 http://localhost:9191/xyz?code=mkuyG4,这有助于通过 curl http://localhost:8301/oauth/token -H"Content-type: application/x-www-form-urlencoded" -d'grant_type=authorization_code&redirect_uri=http://localhost:9191/xyz&code=LJQef7' -u getidfromfacebook:getit 获取访问和刷新令牌
我还可以通过 curl --location --request POST 'http://localhost:8301/oauth/token?grant_type=refresh_token&client_id=getidfromfacebook&refresh_token=a045acd6-5d66-4db5-a509-4bdadca065e0' -u getidfromfacebook:getit
从给定的刷新令牌中获取新的访问令牌
我在这里面临的问题是,使用给定的访问令牌,我无法访问中提到的任何资源
antMatchers("/api/**").authenticated() (ResourceServerConfigurerAdapter)。
就像在邮递员中提供了一个带有 Authorization 和值 Bearer access-token 或类似 curl -H"Authorization: Bearer 1738520f-9f9c-43ef-8f7f-f5886075a7aa" http://localhost:8301/api/users/all/ 的 Header。
请注意,我也可以获得其他 grant_types 的访问令牌并刷新它。但是无法通过令牌访问资源。需要注意的是,如果我点击资源 url,我会看到默认登录名并能够访问它。
其他流程我去掉@Order(1)。当我尝试通过授权代码流程时,系统抱怨用户需要登录才能请求(授权)代码。由于没有显示默认登录页面,因此无法继续。
但是,我可以继续使用密码授予类型 curl http://localhost:8301/oauth/token -d"grant_type=password&username=username&password=userpassword" -H"Content-type:application/x-www-form-urlencoded; charset=utf-8" -u getidfromfacebook:getit
我还可以通过访问令牌访问资源。
哪种方法是正确的?
为什么我无法访问以前方法中的资源。
@Configuration
@EnableAuthorizationServer
@AllArgsConstructor
public class AuthorizationServerConfigAdapter extends AuthorizationServerConfigurerAdapter {
private final AuthenticationManager authenticationManager;
private final ClientService clientService;
private final UserService userService;
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security
.tokenKeyAccess("permitAll()")
.checkTokenAccess("isAuthenticated()");
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.withClientDetails(clientService);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.authenticationManager(this.authenticationManager)
.userDetailsService(userService)
;
}
/*****************************/
@Configuration
@EnableResourceServer
public class ResourceServerConfigAdapter extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/api/**").authenticated()
.antMatchers("/").permitAll();
}
}
/*****************************/
@Configuration
@EnableWebSecurity
@AllArgsConstructor
@Order(1) // Since we have this working as N, Z and R sever.
public class WebSecurityConfigAdapter extends WebSecurityConfigurerAdapter {
private final UserService userService;
@Override
protected void configure(HttpSecurity http) throws Exception {
//http.csrf().disable();
http
.antMatcher("/**")
.authorizeRequests()
.antMatchers("/oauth/authorize**", "/login**", "/error**")
.permitAll()
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin().permitAll();
}
@Override
protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder
.userDetailsService(userService)
.passwordEncoder(passwordEncoder());
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(BCryptPasswordEncoder.BCryptVersion.A);
}
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.requestMatcher(request -> {
String auth = request.getHeader("Authorization");
return (auth != null && auth.startsWith("Bearer"));
})
.authorizeRequests()
.antMatchers("/api/**").authenticated()
.antMatchers("/").permitAll();
}
试图在 spring 中实施 OAuth2。但不知道哪一个是正确的流程?
我保持一个流量@Order(1) in (WebSecurityConfigurerAdapter)
点击下面的按钮后,我看到了默认登录页面,我成功登录了。 http://localhost:8301/oauth/authorize?client_id=getidfromfacebook&response_type=code&redirect_uri=http://localhost:9191/xyz
重定向到授权页面并在接受后获得代码 http://localhost:9191/xyz?code=mkuyG4,这有助于通过 curl http://localhost:8301/oauth/token -H"Content-type: application/x-www-form-urlencoded" -d'grant_type=authorization_code&redirect_uri=http://localhost:9191/xyz&code=LJQef7' -u getidfromfacebook:getit 获取访问和刷新令牌
我还可以通过 curl --location --request POST 'http://localhost:8301/oauth/token?grant_type=refresh_token&client_id=getidfromfacebook&refresh_token=a045acd6-5d66-4db5-a509-4bdadca065e0' -u getidfromfacebook:getit
我在这里面临的问题是,使用给定的访问令牌,我无法访问中提到的任何资源
antMatchers("/api/**").authenticated() (ResourceServerConfigurerAdapter)。
就像在邮递员中提供了一个带有 Authorization 和值 Bearer access-token 或类似 curl -H"Authorization: Bearer 1738520f-9f9c-43ef-8f7f-f5886075a7aa" http://localhost:8301/api/users/all/ 的 Header。
请注意,我也可以获得其他 grant_types 的访问令牌并刷新它。但是无法通过令牌访问资源。需要注意的是,如果我点击资源 url,我会看到默认登录名并能够访问它。
其他流程我去掉@Order(1)。当我尝试通过授权代码流程时,系统抱怨用户需要登录才能请求(授权)代码。由于没有显示默认登录页面,因此无法继续。
但是,我可以继续使用密码授予类型 curl http://localhost:8301/oauth/token -d"grant_type=password&username=username&password=userpassword" -H"Content-type:application/x-www-form-urlencoded; charset=utf-8" -u getidfromfacebook:getit
我还可以通过访问令牌访问资源。
哪种方法是正确的? 为什么我无法访问以前方法中的资源。
@Configuration
@EnableAuthorizationServer
@AllArgsConstructor
public class AuthorizationServerConfigAdapter extends AuthorizationServerConfigurerAdapter {
private final AuthenticationManager authenticationManager;
private final ClientService clientService;
private final UserService userService;
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security
.tokenKeyAccess("permitAll()")
.checkTokenAccess("isAuthenticated()");
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.withClientDetails(clientService);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.authenticationManager(this.authenticationManager)
.userDetailsService(userService)
;
}
/*****************************/
@Configuration
@EnableResourceServer
public class ResourceServerConfigAdapter extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/api/**").authenticated()
.antMatchers("/").permitAll();
}
}
/*****************************/
@Configuration
@EnableWebSecurity
@AllArgsConstructor
@Order(1) // Since we have this working as N, Z and R sever.
public class WebSecurityConfigAdapter extends WebSecurityConfigurerAdapter {
private final UserService userService;
@Override
protected void configure(HttpSecurity http) throws Exception {
//http.csrf().disable();
http
.antMatcher("/**")
.authorizeRequests()
.antMatchers("/oauth/authorize**", "/login**", "/error**")
.permitAll()
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin().permitAll();
}
@Override
protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
authenticationManagerBuilder
.userDetailsService(userService)
.passwordEncoder(passwordEncoder());
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(BCryptPasswordEncoder.BCryptVersion.A);
}
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.requestMatcher(request -> {
String auth = request.getHeader("Authorization");
return (auth != null && auth.startsWith("Bearer"));
})
.authorizeRequests()
.antMatchers("/api/**").authenticated()
.antMatchers("/").permitAll();
}