Spring OAuth2 客户端凭据流中的令牌交换
Token exchange in Spring OAuth2 client credentials flow
我有以下 Spring 安全配置:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: ${issuer-uri-of-identity}
client:
registration:
some-app:
client-id: ${qwerty.server.client.client-id}
client-secret: ${qwerty.server.client.client-secret}
scope: ${qwerty.server.client.some-app-scope}
authorization-grant-type: client_credentials
provider: qwerty
qwerty:
server:
max-clock-skew: 60
url: ....
scope: my-scope
client:
client-id: ...
client-secret: ....
some-app-scope: my-ticket-scope
并使用以下配置:
private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken(
"anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
...
@Bean("someAppRestTemplate")
@Autowired
public RestTemplate buildRestTemplateForSomeApp(RestTemplateBuilder builder) {
return builder
.messageConverters(converter)
.additionalInterceptors(Arrays.asList(contentTypeInterceptor(), oauthInterceptor("some-app")))
.build();
}
...
private ClientHttpRequestInterceptor oauthInterceptor(String id) {
return (r, b, e) -> {
OAuth2AuthorizedClient client = manager.authorize(
OAuth2AuthorizeRequest
.withClientRegistrationId(id)
.principal(ANONYMOUS_AUTHENTICATION)
.build()
);
Assert.notNull(client, "Can not access File Storage Service");
r.getHeaders().setBearerAuth(client.getAccessToken().getTokenValue());
return e.execute(r, b);
};
}
现在我需要进行模拟(https://datatracker.ietf.org/doc/html/rfc8693)。所以我需要假装成某个用户。我需要它是因为某些应用程序中的“当前用户”逻辑。
我如何重新配置才能实现它?
P.S. 我尝试 google 但我没有找到任何相关的东西。
RFC 8693 Token Exchange 于 2020 年 1 月发布并涵盖了此功能。 Spring security 目前还不支持此功能,但应该会很快发布。
您可以在此处关注 Spring 安全性中的未决问题:
Provide support for OAuth 2.0 Token Exchange for client
您可以在此处阅读有关一般流程的更多信息on behalf of flow
我有以下 Spring 安全配置:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: ${issuer-uri-of-identity}
client:
registration:
some-app:
client-id: ${qwerty.server.client.client-id}
client-secret: ${qwerty.server.client.client-secret}
scope: ${qwerty.server.client.some-app-scope}
authorization-grant-type: client_credentials
provider: qwerty
qwerty:
server:
max-clock-skew: 60
url: ....
scope: my-scope
client:
client-id: ...
client-secret: ....
some-app-scope: my-ticket-scope
并使用以下配置:
private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken(
"anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
...
@Bean("someAppRestTemplate")
@Autowired
public RestTemplate buildRestTemplateForSomeApp(RestTemplateBuilder builder) {
return builder
.messageConverters(converter)
.additionalInterceptors(Arrays.asList(contentTypeInterceptor(), oauthInterceptor("some-app")))
.build();
}
...
private ClientHttpRequestInterceptor oauthInterceptor(String id) {
return (r, b, e) -> {
OAuth2AuthorizedClient client = manager.authorize(
OAuth2AuthorizeRequest
.withClientRegistrationId(id)
.principal(ANONYMOUS_AUTHENTICATION)
.build()
);
Assert.notNull(client, "Can not access File Storage Service");
r.getHeaders().setBearerAuth(client.getAccessToken().getTokenValue());
return e.execute(r, b);
};
}
现在我需要进行模拟(https://datatracker.ietf.org/doc/html/rfc8693)。所以我需要假装成某个用户。我需要它是因为某些应用程序中的“当前用户”逻辑。
我如何重新配置才能实现它?
P.S. 我尝试 google 但我没有找到任何相关的东西。
RFC 8693 Token Exchange 于 2020 年 1 月发布并涵盖了此功能。 Spring security 目前还不支持此功能,但应该会很快发布。
您可以在此处关注 Spring 安全性中的未决问题:
Provide support for OAuth 2.0 Token Exchange for client
您可以在此处阅读有关一般流程的更多信息on behalf of flow