本站内所有文档均为中英对照文档,点击中文可以显示英文。此提醒连续关闭5次后,将不再显示。
如何实现多租户
本指南展示了如何自定义 Spring Authorization Server,以支持在多租户托管配置中每个主机对应多个颁发者。本指南旨在演示为 Spring Authorization Server 构建支持多租户功能组件的通用模式,该模式也可应用于其他组件以满足您的需求。
定义租户标识符
OpenID Connect 1.0 提供方配置端点和 OAuth2 授权服务器元数据端点允许在颁发者标识符值中包含路径组件,这实际上支持了每个主机托管多个颁发者。
{
"issuer": "http://localhost:9000/issuer1",
"authorization_endpoint": "http://localhost:9000/issuer1/oauth2/authorize",
"token_endpoint": "http://localhost:9000/issuer1/oauth2/token",
"jwks_uri": "http://localhost:9000/issuer1/oauth2/jwks",
"revocation_endpoint": "http://localhost:9000/issuer1/oauth2/revoke",
"introspection_endpoint": "http://localhost:9000/issuer1/oauth2/introspect",
...
}
备注
协议端点 的基础 URL 是颁发者标识符值。
本质上,带有路径组件的颁发者标识符代表 "租户标识符"。
启用多签发者
默认情况下,每个主机使用多个颁发者的功能是禁用的。要启用此功能,请添加以下配置:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
@Configuration(proxyBeanMethods = false)
public class AuthorizationServerSettingsConfig {
@Bean
public AuthorizationServerSettings authorizationServerSettings() {
return AuthorizationServerSettings.builder()
.multipleIssuersAllowed(true) 1
.build();
}
}
设置为
true以允许每个主机使用多个颁发者。
创建组件注册表
我们首先构建一个简单的注册表,用于管理每个租户的具体组件。该注册表包含通过颁发者标识符值检索特定类具体实现的逻辑。
在下面的每个委托实现中,我们将使用以下类:
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.springframework.lang.Nullable;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContext;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.util.Assert;
@Component
public class TenantPerIssuerComponentRegistry {
private final ConcurrentMap<String, Map<Class<?>, Object>> registry = new ConcurrentHashMap<>();
public <T> void register(String tenantId, Class<T> componentClass, T component) { 1
Assert.hasText(tenantId, "tenantId cannot be empty");
Assert.notNull(componentClass, "componentClass cannot be null");
Assert.notNull(component, "component cannot be null");
Map<Class<?>, Object> components = this.registry.computeIfAbsent(tenantId, (key) -> new ConcurrentHashMap<>());
components.put(componentClass, component);
}
@Nullable
public <T> T get(Class<T> componentClass) {
AuthorizationServerContext context = AuthorizationServerContextHolder.getContext();
if (context == null || context.getIssuer() == null) {
return null;
}
for (Map.Entry<String, Map<Class<?>, Object>> entry : this.registry.entrySet()) {
if (context.getIssuer().endsWith(entry.getKey())) {
return componentClass.cast(entry.getValue().get(componentClass));
}
}
return null;
}
}
组件注册会隐式启用一个已批准发行者的允许列表,该列表可供使用。
提示
该注册表设计用于在启动时轻松注册组件,以支持静态添加租户,同时也支持在运行时动态添加租户。
创建多租户组件
需要具备多租户能力的组件包括:
对于这些组件中的每一个,都可以提供一个复合实现,该实现将委托给与*"请求的"*颁发者标识符相关联的具体组件。
让我们逐步了解如何自定义 Spring Authorization Server,以支持每个具备多租户能力的组件对应 2x 个租户。
多租户 RegisteredClientRepository
以下示例展示了一个 RegisteredClientRepository 的示例实现,该实现由两个 JdbcRegisteredClientRepository 实例组成,每个实例都映射到一个颁发者标识符:
import java.util.UUID;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.util.Assert;
@Configuration(proxyBeanMethods = false)
public class RegisteredClientRepositoryConfig {
@Bean
public RegisteredClientRepository registeredClientRepository(
@Qualifier("issuer1-data-source") DataSource issuer1DataSource,
@Qualifier("issuer2-data-source") DataSource issuer2DataSource,
TenantPerIssuerComponentRegistry componentRegistry) {
JdbcRegisteredClientRepository issuer1RegisteredClientRepository =
new JdbcRegisteredClientRepository(new JdbcTemplate(issuer1DataSource)); 1
issuer1RegisteredClientRepository.save(
RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("client-1")
.clientSecret("{noop}secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.scope("scope-1")
.build()
);
JdbcRegisteredClientRepository issuer2RegisteredClientRepository =
new JdbcRegisteredClientRepository(new JdbcTemplate(issuer2DataSource)); 2
issuer2RegisteredClientRepository.save(
RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("client-2")
.clientSecret("{noop}secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.scope("scope-2")
.build()
);
componentRegistry.register("issuer1", RegisteredClientRepository.class, issuer1RegisteredClientRepository);
componentRegistry.register("issuer2", RegisteredClientRepository.class, issuer2RegisteredClientRepository);
return new DelegatingRegisteredClientRepository(componentRegistry);
}
private static class DelegatingRegisteredClientRepository implements RegisteredClientRepository { 3
private final TenantPerIssuerComponentRegistry componentRegistry;
private DelegatingRegisteredClientRepository(TenantPerIssuerComponentRegistry componentRegistry) {
this.componentRegistry = componentRegistry;
}
@Override
public void save(RegisteredClient registeredClient) {
getRegisteredClientRepository().save(registeredClient);
}
@Override
public RegisteredClient findById(String id) {
return getRegisteredClientRepository().findById(id);
}
@Override
public RegisteredClient findByClientId(String clientId) {
return getRegisteredClientRepository().findByClientId(clientId);
}
private RegisteredClientRepository getRegisteredClientRepository() {
RegisteredClientRepository registeredClientRepository =
this.componentRegistry.get(RegisteredClientRepository.class); 4
Assert.state(registeredClientRepository != null,
"RegisteredClientRepository not found for \"requested\" issuer identifier."); 5
return registeredClientRepository;
}
}
}
提示
点击上方代码示例中的 "展开折叠文本" 图标以显示完整示例。
一个映射到颁发者标识符
issuer1并使用专用DataSource的JdbcRegisteredClientRepository实例。一个映射到颁发者标识符
issuer2并使用专用DataSource的JdbcRegisteredClientRepository实例。一个
RegisteredClientRepository的复合实现,它委托给映射到*"请求的"*颁发者标识符的JdbcRegisteredClientRepository。获取映射到
AuthorizationServerContext.getIssuer()指示的*"请求的"*颁发者标识符的JdbcRegisteredClientRepository。如果无法找到
JdbcRegisteredClientRepository,则报错,因为*"请求的"*颁发者标识符不在已批准颁发者的允许列表中。
important
通过 AuthorizationServerSettings.builder().issuer("http://localhost:9000") 显式配置颁发者标识符会强制使用单租户配置。在使用多租户托管配置时,应避免显式配置颁发者标识符。
在前面的示例中,每个 JdbcRegisteredClientRepository 实例都配置了一个 JdbcTemplate 和关联的 DataSource。这在多租户配置中非常重要,因为一个主要要求是能够隔离每个租户的数据。
为每个组件实例配置专用的 DataSource 提供了灵活性,既可以将数据隔离在同一数据库实例内的独立模式中,也可以将数据完全隔离在单独的数据库实例中。
以下示例展示了两个 DataSource @Bean 的配置示例(每个租户对应一个),这些配置由支持多租户的组件使用:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
@Configuration(proxyBeanMethods = false)
public class DataSourceConfig {
@Bean("issuer1-data-source")
public EmbeddedDatabase issuer1DataSource() {
return new EmbeddedDatabaseBuilder()
.setName("issuer1-db") 1
.setType(EmbeddedDatabaseType.H2)
.setScriptEncoding("UTF-8")
.addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-schema.sql")
.addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-consent-schema.sql")
.addScript("org/springframework/security/oauth2/server/authorization/client/oauth2-registered-client-schema.sql")
.build();
}
@Bean("issuer2-data-source")
public EmbeddedDatabase issuer2DataSource() {
return new EmbeddedDatabaseBuilder()
.setName("issuer2-db") 2
.setType(EmbeddedDatabaseType.H2)
.setScriptEncoding("UTF-8")
.addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-schema.sql")
.addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-consent-schema.sql")
.addScript("org/springframework/security/oauth2/server/authorization/client/oauth2-registered-client-schema.sql")
.build();
}
}
使用独立的 H2 数据库实例,命名为
issuer1-db。使用独立的 H2 数据库实例,命名为
issuer2-db。
多租户 OAuth2AuthorizationService
以下示例展示了一个 OAuth2AuthorizationService 的示例实现,该实现由两个 JdbcOAuth2AuthorizationService 实例组成,每个实例都映射到一个颁发者标识符:
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.util.Assert;
@Configuration(proxyBeanMethods = false)
public class OAuth2AuthorizationServiceConfig {
@Bean
public OAuth2AuthorizationService authorizationService(
@Qualifier("issuer1-data-source") DataSource issuer1DataSource,
@Qualifier("issuer2-data-source") DataSource issuer2DataSource,
TenantPerIssuerComponentRegistry componentRegistry,
RegisteredClientRepository registeredClientRepository) {
componentRegistry.register("issuer1", OAuth2AuthorizationService.class,
new JdbcOAuth2AuthorizationService( 1
new JdbcTemplate(issuer1DataSource), registeredClientRepository));
componentRegistry.register("issuer2", OAuth2AuthorizationService.class,
new JdbcOAuth2AuthorizationService( 2
new JdbcTemplate(issuer2DataSource), registeredClientRepository));
return new DelegatingOAuth2AuthorizationService(componentRegistry);
}
private static class DelegatingOAuth2AuthorizationService implements OAuth2AuthorizationService { 3
private final TenantPerIssuerComponentRegistry componentRegistry;
private DelegatingOAuth2AuthorizationService(TenantPerIssuerComponentRegistry componentRegistry) {
this.componentRegistry = componentRegistry;
}
@Override
public void save(OAuth2Authorization authorization) {
getAuthorizationService().save(authorization);
}
@Override
public void remove(OAuth2Authorization authorization) {
getAuthorizationService().remove(authorization);
}
@Override
public OAuth2Authorization findById(String id) {
return getAuthorizationService().findById(id);
}
@Override
public OAuth2Authorization findByToken(String token, OAuth2TokenType tokenType) {
return getAuthorizationService().findByToken(token, tokenType);
}
private OAuth2AuthorizationService getAuthorizationService() {
OAuth2AuthorizationService authorizationService =
this.componentRegistry.get(OAuth2AuthorizationService.class); 4
Assert.state(authorizationService != null,
"OAuth2AuthorizationService not found for \"requested\" issuer identifier."); 5
return authorizationService;
}
}
}
一个映射到颁发者标识符
issuer1并使用专用DataSource的JdbcOAuth2AuthorizationService实例。一个映射到颁发者标识符
issuer2并使用专用DataSource的JdbcOAuth2AuthorizationService实例。一个
OAuth2AuthorizationService的复合实现,它委托给映射到*"请求的"*颁发者标识符的JdbcOAuth2AuthorizationService。获取映射到由
AuthorizationServerContext.getIssuer()指示的*"请求的"*颁发者标识符的JdbcOAuth2AuthorizationService。如果无法找到
JdbcOAuth2AuthorizationService,则报错,因为*"请求的"*颁发者标识符不在已批准颁发者的允许列表中。
多租户 OAuth2AuthorizationConsentService
以下示例展示了一个 OAuth2AuthorizationConsentService 的示例实现,该实现由两个 JdbcOAuth2AuthorizationConsentService 实例组成,每个实例都映射到一个颁发者标识符:
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.util.Assert;
@Configuration(proxyBeanMethods = false)
public class OAuth2AuthorizationConsentServiceConfig {
@Bean
public OAuth2AuthorizationConsentService authorizationConsentService(
@Qualifier("issuer1-data-source") DataSource issuer1DataSource,
@Qualifier("issuer2-data-source") DataSource issuer2DataSource,
TenantPerIssuerComponentRegistry componentRegistry,
RegisteredClientRepository registeredClientRepository) {
componentRegistry.register("issuer1", OAuth2AuthorizationConsentService.class,
new JdbcOAuth2AuthorizationConsentService( 1
new JdbcTemplate(issuer1DataSource), registeredClientRepository));
componentRegistry.register("issuer2", OAuth2AuthorizationConsentService.class,
new JdbcOAuth2AuthorizationConsentService( 2
new JdbcTemplate(issuer2DataSource), registeredClientRepository));
return new DelegatingOAuth2AuthorizationConsentService(componentRegistry);
}
private static class DelegatingOAuth2AuthorizationConsentService implements OAuth2AuthorizationConsentService { 3
private final TenantPerIssuerComponentRegistry componentRegistry;
private DelegatingOAuth2AuthorizationConsentService(TenantPerIssuerComponentRegistry componentRegistry) {
this.componentRegistry = componentRegistry;
}
@Override
public void save(OAuth2AuthorizationConsent authorizationConsent) {
getAuthorizationConsentService().save(authorizationConsent);
}
@Override
public void remove(OAuth2AuthorizationConsent authorizationConsent) {
getAuthorizationConsentService().remove(authorizationConsent);
}
@Override
public OAuth2AuthorizationConsent findById(String registeredClientId, String principalName) {
return getAuthorizationConsentService().findById(registeredClientId, principalName);
}
private OAuth2AuthorizationConsentService getAuthorizationConsentService() {
OAuth2AuthorizationConsentService authorizationConsentService =
this.componentRegistry.get(OAuth2AuthorizationConsentService.class); 4
Assert.state(authorizationConsentService != null,
"OAuth2AuthorizationConsentService not found for \"requested\" issuer identifier."); 5
return authorizationConsentService;
}
}
}
一个映射到颁发者标识符
issuer1并使用专用DataSource的JdbcOAuth2AuthorizationConsentService实例。一个映射到颁发者标识符
issuer2并使用专用DataSource的JdbcOAuth2AuthorizationConsentService实例。一个
OAuth2AuthorizationConsentService的复合实现,它委托给映射到*"请求的"*颁发者标识符的JdbcOAuth2AuthorizationConsentService。获取映射到
AuthorizationServerContext.getIssuer()指示的*"请求的"*颁发者标识符的JdbcOAuth2AuthorizationConsentService。如果无法找到
JdbcOAuth2AuthorizationConsentService,则报错,因为*"请求的"*颁发者标识符不在已批准颁发者的允许列表中。
多租户 JWKSource
最后,以下示例展示了一个 JWKSource<SecurityContext> 的示例实现,它由两个 JWKSet 实例组成,每个实例都映射到一个颁发者标识符:
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.List;
import java.util.UUID;
import com.nimbusds.jose.KeySourceException;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.util.Assert;
@Configuration(proxyBeanMethods = false)
public class JWKSourceConfig {
@Bean
public JWKSource<SecurityContext> jwkSource(TenantPerIssuerComponentRegistry componentRegistry) {
componentRegistry.register("issuer1", JWKSet.class, new JWKSet(generateRSAJwk())); 1
componentRegistry.register("issuer2", JWKSet.class, new JWKSet(generateRSAJwk())); 2
return new DelegatingJWKSource(componentRegistry);
}
private static RSAKey generateRSAJwk() {
KeyPair keyPair;
try {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(2048);
keyPair = keyPairGenerator.generateKeyPair();
} catch (Exception ex) {
throw new IllegalStateException(ex);
}
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
return new RSAKey.Builder(publicKey)
.privateKey(privateKey)
.keyID(UUID.randomUUID().toString())
.build();
}
private static class DelegatingJWKSource implements JWKSource<SecurityContext> { 3
private final TenantPerIssuerComponentRegistry componentRegistry;
private DelegatingJWKSource(TenantPerIssuerComponentRegistry componentRegistry) {
this.componentRegistry = componentRegistry;
}
@Override
public List<JWK> get(JWKSelector jwkSelector, SecurityContext context) throws KeySourceException {
return jwkSelector.select(getJwkSet());
}
private JWKSet getJwkSet() {
JWKSet jwkSet = this.componentRegistry.get(JWKSet.class); 4
Assert.state(jwkSet != null, "JWKSet not found for \"requested\" issuer identifier."); 5
return jwkSet;
}
}
}
一个映射到发行者标识符
issuer1的JWKSet实例。一个映射到发行者标识符
issuer2的JWKSet实例。一个
JWKSource<SecurityContext>的复合实现,它使用映射到*"请求的"*发行者标识符的JWKSet。获取映射到由
AuthorizationServerContext.getIssuer()指示的*"请求的"*发行者标识符的JWKSet。如果无法找到
JWKSet,则报错,因为*"请求的"*发行者标识符不在已批准发行者的允许列表中。
动态添加租户
如果租户数量是动态的,并且可以在运行时发生变化,那么将每个 DataSource 定义为 @Bean 可能并不可行。在这种情况下,可以在应用程序启动时和/或运行时通过其他方式注册 DataSource 及相应的组件。
以下示例展示了一个能够动态添加租户的 Spring @Service:
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.UUID;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.stereotype.Service;
@Service
public class TenantService {
private final TenantPerIssuerComponentRegistry componentRegistry;
public TenantService(TenantPerIssuerComponentRegistry componentRegistry) {
this.componentRegistry = componentRegistry;
}
public void createTenant(String tenantId) {
EmbeddedDatabase dataSource = createDataSource(tenantId);
JdbcTemplate jdbcOperations = new JdbcTemplate(dataSource);
RegisteredClientRepository registeredClientRepository =
new JdbcRegisteredClientRepository(jdbcOperations);
this.componentRegistry.register(tenantId, RegisteredClientRepository.class, registeredClientRepository);
OAuth2AuthorizationService authorizationService =
new JdbcOAuth2AuthorizationService(jdbcOperations, registeredClientRepository);
this.componentRegistry.register(tenantId, OAuth2AuthorizationService.class, authorizationService);
OAuth2AuthorizationConsentService authorizationConsentService =
new JdbcOAuth2AuthorizationConsentService(jdbcOperations, registeredClientRepository);
this.componentRegistry.register(tenantId, OAuth2AuthorizationConsentService.class, authorizationConsentService);
JWKSet jwkSet = new JWKSet(generateRSAJwk());
this.componentRegistry.register(tenantId, JWKSet.class, jwkSet);
}
private EmbeddedDatabase createDataSource(String tenantId) {
return new EmbeddedDatabaseBuilder()
.setName(tenantId)
.setType(EmbeddedDatabaseType.H2)
.setScriptEncoding("UTF-8")
.addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-schema.sql")
.addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-consent-schema.sql")
.addScript("org/springframework/security/oauth2/server/authorization/client/oauth2-registered-client-schema.sql")
.build();
}
private static RSAKey generateRSAJwk() {
KeyPair keyPair;
try {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(2048);
keyPair = keyPairGenerator.generateKeyPair();
} catch (Exception ex) {
throw new IllegalStateException(ex);
}
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
return new RSAKey.Builder(publicKey)
.privateKey(privateKey)
.keyID(UUID.randomUUID().toString())
.build();
}
}