高级配置
OAuth 2.0 授权框架将协议端点定义如下:
授权流程利用两个授权服务器端点(HTTP 资源):
-
授权端点:客户端通过用户代理重定向,用于从资源所有者处获取授权。
-
令牌端点:客户端用于将授权许可交换为访问令牌,通常伴随客户端认证。
以及一个客户端端点:
- 重定向端点:授权服务器通过资源所有者用户代理,向客户端返回包含授权凭证的响应时使用。
OpenID Connect Core 1.0 规范将 UserInfo 端点 定义如下:
用户信息端点(UserInfo Endpoint)是一个 OAuth 2.0 受保护资源,用于返回经过身份验证的最终用户的相关声明。客户端通过使用通过 OpenID Connect 身份验证获得的访问令牌,向用户信息端点发起请求,以获取关于最终用户的所需声明。这些声明通常由一个包含声明名称-值对集合的 JSON 对象表示。
ServerHttpSecurity.oauth2Login() 为自定义 OAuth 2.0 登录提供了多种配置选项。
以下代码展示了 oauth2Login() DSL 可用的完整配置选项:
- Java
- Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.oauth2Login((oauth2) -> oauth2
.authenticationConverter(this.authenticationConverter())
.authenticationMatcher(this.authenticationMatcher())
.authenticationManager(this.authenticationManager())
.authenticationSuccessHandler(this.authenticationSuccessHandler())
.authenticationFailureHandler(this.authenticationFailureHandler())
.clientRegistrationRepository(this.clientRegistrationRepository())
.authorizedClientRepository(this.authorizedClientRepository())
.authorizedClientService(this.authorizedClientService())
.authorizationRequestResolver(this.authorizationRequestResolver())
.authorizationRequestRepository(this.authorizationRequestRepository())
.securityContextRepository(this.securityContextRepository())
);
return http.build();
}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login {
authenticationConverter = authenticationConverter()
authenticationMatcher = authenticationMatcher()
authenticationManager = authenticationManager()
authenticationSuccessHandler = authenticationSuccessHandler()
authenticationFailureHandler = authenticationFailureHandler()
clientRegistrationRepository = clientRegistrationRepository()
authorizedClientRepository = authorizedClientRepository()
authorizedClientService = authorizedClientService()
authorizationRequestResolver = authorizationRequestResolver()
authorizationRequestRepository = authorizationRequestRepository()
securityContextRepository = securityContextRepository()
}
}
return http.build()
}
}
以下章节将详细说明各项可用配置选项:
OAuth 2.0 登录页面
默认情况下,OAuth 2.0 登录页面由 LoginPageGeneratingWebFilter 自动生成。该默认登录页面会显示每个已配置的 OAuth 客户端,并以 ClientRegistration.clientName 作为链接,该链接能够发起授权请求(或 OAuth 2.0 登录)。
为了让 LoginPageGeneratingWebFilter 能够显示已配置的 OAuth 客户端的链接,已注册的 ReactiveClientRegistrationRepository 也需要实现 Iterable<ClientRegistration> 接口。请参考 InMemoryReactiveClientRegistrationRepository。
每个 OAuth 客户端的链接目标默认指向以下地址:
"/oauth2/authorization/{registrationId}"
以下行展示了一个示例:
<a href="/oauth2/authorization/google">Google</a>
要覆盖默认的登录页面,请配置 exceptionHandling().authenticationEntryPoint() 和(可选)oauth2Login().authorizationRequestResolver()。
以下清单展示了一个示例:
- Java
- Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.exceptionHandling((exceptionHandling) -> exceptionHandling
.authenticationEntryPoint(new RedirectServerAuthenticationEntryPoint("/login/oauth2"))
)
.oauth2Login((oauth2) -> oauth2
.authorizationRequestResolver(this.authorizationRequestResolver())
);
return http.build();
}
private ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver() {
ServerWebExchangeMatcher authorizationRequestMatcher =
new PathPatternParserServerWebExchangeMatcher(
"/login/oauth2/authorization/{registrationId}");
return new DefaultServerOAuth2AuthorizationRequestResolver(
this.clientRegistrationRepository(), authorizationRequestMatcher);
}
...
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
exceptionHandling {
authenticationEntryPoint = RedirectServerAuthenticationEntryPoint("/login/oauth2")
}
oauth2Login {
authorizationRequestResolver = authorizationRequestResolver()
}
}
return http.build()
}
private fun authorizationRequestResolver(): ServerOAuth2AuthorizationRequestResolver {
val authorizationRequestMatcher: ServerWebExchangeMatcher = PathPatternParserServerWebExchangeMatcher(
"/login/oauth2/authorization/{registrationId}"
)
return DefaultServerOAuth2AuthorizationRequestResolver(
clientRegistrationRepository(), authorizationRequestMatcher
)
}
...
}
:::重要
你需要提供一个带有 @RequestMapping("/login/oauth2") 注解的 @Controller,该控制器能够渲染自定义的登录页面。
:::
如前所述,配置 oauth2Login().authorizationRequestResolver() 是可选的。但是,如果您选择自定义它,请确保每个 OAuth 客户端的链接与通过 ServerWebExchangeMatcher 提供的模式匹配。
以下行展示了一个示例:
<a href="/login/oauth2/authorization/google">Google</a>
重定向端点
重定向端点由授权服务器用于通过资源所有者用户代理将授权响应(包含授权凭证)返回给客户端。
OAuth 2.0 登录利用了授权码许可类型。因此,授权凭证就是授权码。
默认的授权响应重定向端点为 /login/oauth2/code/{registrationId}。
如果您希望自定义授权响应的重定向端点,请按以下示例进行配置:
- Java
- Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.oauth2Login((oauth2) -> oauth2
.authenticationMatcher(new PathPatternParserServerWebExchangeMatcher("/login/oauth2/callback/{registrationId}"))
);
return http.build();
}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login {
authenticationMatcher = PathPatternParserServerWebExchangeMatcher("/login/oauth2/callback/{registrationId}")
}
}
return http.build()
}
}
您还需要确保 ClientRegistration.redirectUri 与自定义的授权响应重定向端点匹配。
以下清单展示了一个示例:
- Java
- Kotlin
return CommonOAuth2Provider.GOOGLE.getBuilder("google")
.clientId("google-client-id")
.clientSecret("google-client-secret")
.redirectUri("{baseUrl}/login/oauth2/callback/{registrationId}")
.build();
return CommonOAuth2Provider.GOOGLE.getBuilder("google")
.clientId("google-client-id")
.clientSecret("google-client-secret")
.redirectUri("{baseUrl}/login/oauth2/callback/{registrationId}")
.build()
用户信息端点
UserInfo端点包含多个配置选项,具体说明如下:
映射用户权限
当用户成功通过 OAuth 2.0 提供者完成身份验证后,OAuth2User.getAuthorities()(或 OidcUser.getAuthorities())会包含一个已授予权限的列表,这些权限来源于 OAuth2UserRequest.getAccessToken().getScopes() 并带有 SCOPE_ 前缀。这些已授予的权限可以被映射为一组新的 GrantedAuthority 实例,在完成身份验证时提供给 OAuth2AuthenticationToken。
OAuth2AuthenticationToken.getAuthorities() 用于授权请求,例如在 hasRole('USER') 或 hasRole('ADMIN') 中。
在映射用户权限时,有以下几种选项可供选择:
使用 GrantedAuthoritiesMapper
GrantedAuthoritiesMapper 接收一个包含特殊权限类型 OAuth2UserAuthority 及其权限字符串 OAUTH2_USER(或 OidcUserAuthority 及其权限字符串 OIDC_USER)的已授权权限列表。
注册一个 GrantedAuthoritiesMapper @Bean,使其自动应用于配置,如下例所示:
- Java
- Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
...
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public GrantedAuthoritiesMapper userAuthoritiesMapper() {
return (authorities) -> {
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
authorities.forEach(authority -> {
if (OidcUserAuthority.class.isInstance(authority)) {
OidcUserAuthority oidcUserAuthority = (OidcUserAuthority)authority;
OidcIdToken idToken = oidcUserAuthority.getIdToken();
OidcUserInfo userInfo = oidcUserAuthority.getUserInfo();
// Map the claims found in idToken and/or userInfo
// to one or more GrantedAuthority's and add it to mappedAuthorities
} else if (OAuth2UserAuthority.class.isInstance(authority)) {
OAuth2UserAuthority oauth2UserAuthority = (OAuth2UserAuthority)authority;
Map<String, Object> userAttributes = oauth2UserAuthority.getAttributes();
// Map the attributes found in userAttributes
// to one or more GrantedAuthority's and add it to mappedAuthorities
}
});
return mappedAuthorities;
};
}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login { }
}
return http.build()
}
@Bean
fun userAuthoritiesMapper(): GrantedAuthoritiesMapper = GrantedAuthoritiesMapper { authorities: Collection<GrantedAuthority> ->
val mappedAuthorities = emptySet<GrantedAuthority>()
authorities.forEach { authority ->
if (authority is OidcUserAuthority) {
val idToken = authority.idToken
val userInfo = authority.userInfo
// Map the claims found in idToken and/or userInfo
// to one or more GrantedAuthority's and add it to mappedAuthorities
} else if (authority is OAuth2UserAuthority) {
val userAttributes = authority.attributes
// Map the attributes found in userAttributes
// to one or more GrantedAuthority's and add it to mappedAuthorities
}
}
mappedAuthorities
}
}
基于委托策略的 ReactiveOAuth2UserService
与使用 GrantedAuthoritiesMapper 相比,此策略更为先进,同时也更加灵活,因为它允许你访问 OAuth2UserRequest 和 OAuth2User(当使用 OAuth 2.0 UserService 时)或 OidcUserRequest 和 OidcUser(当使用 OpenID Connect 1.0 UserService 时)。
OAuth2UserRequest(以及OidcUserRequest)为您提供了对关联的OAuth2AccessToken的访问权限,这在委托方需要从受保护资源获取权限信息后才能为用户映射自定义权限的情况下非常有用。
以下示例展示了如何使用 OpenID Connect 1.0 UserService 实现和配置基于委托的策略:
- Java
- Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
...
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public ReactiveOAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
final OidcReactiveOAuth2UserService delegate = new OidcReactiveOAuth2UserService();
return (userRequest) -> {
// Delegate to the default implementation for loading a user
return delegate.loadUser(userRequest)
.flatMap((oidcUser) -> {
OAuth2AccessToken accessToken = userRequest.getAccessToken();
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
// TODO
// 1) Fetch the authority information from the protected resource using accessToken
// 2) Map the authority information to one or more GrantedAuthority's and add it to mappedAuthorities
// 3) Create a copy of oidcUser but use the mappedAuthorities instead
ProviderDetails providerDetails = userRequest.getClientRegistration().getProviderDetails();
String userNameAttributeName = providerDetails.getUserInfoEndpoint().getUserNameAttributeName();
if (StringUtils.hasText(userNameAttributeName)) {
oidcUser = new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo(), userNameAttributeName);
} else {
oidcUser = new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo());
}
return Mono.just(oidcUser);
});
};
}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login { }
}
return http.build()
}
@Bean
fun oidcUserService(): ReactiveOAuth2UserService<OidcUserRequest, OidcUser> {
val delegate = OidcReactiveOAuth2UserService()
return ReactiveOAuth2UserService { userRequest ->
// Delegate to the default implementation for loading a user
delegate.loadUser(userRequest)
.flatMap { oidcUser ->
val accessToken = userRequest.accessToken
val mappedAuthorities = mutableSetOf<GrantedAuthority>()
// TODO
// 1) Fetch the authority information from the protected resource using accessToken
// 2) Map the authority information to one or more GrantedAuthority's and add it to mappedAuthorities
// 3) Create a copy of oidcUser but use the mappedAuthorities instead
val providerDetails = userRequest.getClientRegistration().getProviderDetails()
val userNameAttributeName = providerDetails.getUserInfoEndpoint().getUserNameAttributeName()
val mappedOidcUser = if (StringUtils.hasText(userNameAttributeName)) {
DefaultOidcUser(mappedAuthorities, oidcUser.idToken, oidcUser.userInfo, userNameAttributeName)
} else {
DefaultOidcUser(mappedAuthorities, oidcUser.idToken, oidcUser.userInfo)
}
Mono.just(mappedOidcUser)
}
}
}
}
OAuth 2.0 用户服务
DefaultReactiveOAuth2UserService 是 ReactiveOAuth2UserService 的一个实现,它支持标准的 OAuth 2.0 提供商。
ReactiveOAuth2UserService 从用户信息端点(通过使用在授权流程中授予客户端的访问令牌)获取最终用户(资源所有者)的用户属性,并以 OAuth2User 的形式返回一个 AuthenticatedPrincipal。
DefaultReactiveOAuth2UserService 在向用户信息端点请求用户属性时,会使用一个 WebClient。
如果您需要自定义用户信息请求的预处理和/或用户信息响应的后处理,则需要通过 DefaultReactiveOAuth2UserService.setWebClient() 方法提供一个自定义配置的 WebClient。
无论你是自定义 DefaultReactiveOAuth2UserService 还是提供自己的 ReactiveOAuth2UserService 实现,都需要按以下示例所示进行配置:
- Java
- Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
...
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
...
}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login { }
}
return http.build()
}
@Bean
fun oauth2UserService(): ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> {
// ...
}
}
OpenID Connect 1.0 用户服务
OidcReactiveOAuth2UserService 是一个 ReactiveOAuth2UserService 的实现,它支持 OpenID Connect 1.0 提供者。
OidcReactiveOAuth2UserService 在向 UserInfo 端点请求用户属性时,会利用 DefaultReactiveOAuth2UserService。
若需自定义用户信息请求的预处理和/或用户信息响应的后处理,您需要通过 OidcReactiveOAuth2UserService.setOauth2UserService() 方法提供一个自定义配置的 ReactiveOAuth2UserService。
无论您自定义 OidcReactiveOAuth2UserService 还是为 OpenID Connect 1.0 提供者提供自己的 ReactiveOAuth2UserService 实现,都需要按以下示例所示进行配置:
- Java
- Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
...
.oauth2Login(withDefaults());
return http.build();
}
@Bean
public ReactiveOAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
...
}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2LoginSecurityConfig {
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Login { }
}
return http.build()
}
@Bean
fun oidcUserService(): ReactiveOAuth2UserService<OidcUserRequest, OidcUser> {
// ...
}
}
ID 令牌签名验证
OpenID Connect 1.0 认证引入了 ID Token,这是一种安全令牌,当客户端使用时,它包含了关于终端用户由授权服务器进行认证的声明。
ID Token 以 JSON Web Token (JWT) 的形式表示,并且必须使用 JSON Web Signature (JWS) 进行签名。
ReactiveOidcIdTokenDecoderFactory 提供了一个用于 OidcIdToken 签名验证的 ReactiveJwtDecoder。默认算法为 RS256,但在客户端注册期间分配时可能有所不同。对于这些情况,可以配置一个解析器来返回为特定客户端分配的预期 JWS 算法。
JWS算法解析器是一个Function,它接收一个ClientRegistration并返回该客户端预期的JwsAlgorithm,例如SignatureAlgorithm.RS256或MacAlgorithm.HS256。
以下代码展示了如何配置 OidcIdTokenDecoderFactory @Bean,使其为所有 ClientRegistration 默认使用 MacAlgorithm.HS256 算法:
- Java
- Kotlin
@Bean
public ReactiveJwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
ReactiveOidcIdTokenDecoderFactory idTokenDecoderFactory = new ReactiveOidcIdTokenDecoderFactory();
idTokenDecoderFactory.setJwsAlgorithmResolver((clientRegistration) -> clientRegistration.HS256);
return idTokenDecoderFactory;
}
@Bean
fun idTokenDecoderFactory(): ReactiveJwtDecoderFactory<ClientRegistration> {
val idTokenDecoderFactory = ReactiveOidcIdTokenDecoderFactory()
idTokenDecoderFactory.setJwsAlgorithmResolver { MacAlgorithm.HS256 }
return idTokenDecoderFactory
}
对于基于 MAC 的算法,例如 HS256、HS384 或 HS512,与 client-id 对应的 client-secret 被用作验证签名的对称密钥。
如果为 OpenID Connect 1.0 认证配置了多个 ClientRegistration,JWS 算法解析器可能会评估所提供的 ClientRegistration 以确定返回哪种算法。
接下来,您可以继续配置注销。