跳到主要内容

QWen Max 中英对照 OAuth2 Client Authentication #

客户端认证支持

客户端凭证

使用 client_secret_basic 进行认证

开箱即支持使用 HTTP Basic 进行客户端认证,无需任何自定义即可启用。默认实现由 DefaultOAuth2TokenRequestHeadersConverter 提供。

给定以下用于OAuth 2.0客户端注册的Spring Boot属性:

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: client-id
            client-secret: client-secret
            client-authentication-method: client_secret_basic
            authorization-grant-type: authorization_code
            ...
yaml

以下示例展示了如何配置 DefaultAuthorizationCodeTokenResponseClient 以禁用客户端凭证的 URL 编码:

DefaultOAuth2TokenRequestHeadersConverter<OAuth2AuthorizationCodeGrantRequest> headersConverter =
        new DefaultOAuth2TokenRequestHeadersConverter<>();
headersConverter.setEncodeClientCredentials(false);

OAuth2AuthorizationCodeGrantRequestEntityConverter requestEntityConverter =
        new OAuth2AuthorizationCodeGrantRequestEntityConverter();
requestEntityConverter.setHeadersConverter(headersConverter);

DefaultAuthorizationCodeTokenResponseClient tokenResponseClient =
        new DefaultAuthorizationCodeTokenResponseClient();
tokenResponseClient.setRequestEntityConverter(requestEntityConverter);
java

使用 client_secret_post 进行认证

在请求正文中包含客户端凭据的客户端身份验证是开箱即用的,无需任何自定义即可启用。

以下Spring Boot属性用于OAuth 2.0客户端注册,展示了配置内容:

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: client-id
            client-secret: client-secret
            client-authentication-method: client_secret_post
            authorization-grant-type: authorization_code
            ...
yaml

JWT Bearer

备注

请参阅适用于 OAuth 2.0 客户端身份验证和授权许可的 JSON Web Token (JWT) 规范,以获取有关 JWT 承载 客户端身份验证的更多详细信息。

JWT Bearer Client Authentication 的默认实现是 NimbusJwtClientAuthenticationParametersConverter,它是一个 Converter,通过在 client_assertion 参数中添加一个已签名的 JSON Web 令牌(JWS)来定制 Token 请求参数。

用于签名 JWS 的 java.security.PrivateKeyjavax.crypto.SecretKey 由与 NimbusJwtClientAuthenticationParametersConverter 关联的 com.nimbusds.jose.jwk.JWK 解析器提供。

使用 private_key_jwt 进行身份验证

给定以下用于OAuth 2.0客户端注册的Spring Boot属性:

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-authentication-method: private_key_jwt
            authorization-grant-type: authorization_code
            ...
yaml

以下示例展示了如何配置 DefaultAuthorizationCodeTokenResponseClient

Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> {
    if (clientRegistration.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
        // Assuming RSA key type
        RSAPublicKey publicKey = ...
        RSAPrivateKey privateKey = ...
        return new RSAKey.Builder(publicKey)
                .privateKey(privateKey)
                .keyID(UUID.randomUUID().toString())
                .build();
    }
    return null;
};

OAuth2AuthorizationCodeGrantRequestEntityConverter requestEntityConverter =
        new OAuth2AuthorizationCodeGrantRequestEntityConverter();
requestEntityConverter.addParametersConverter(
        new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));

DefaultAuthorizationCodeTokenResponseClient tokenResponseClient =
        new DefaultAuthorizationCodeTokenResponseClient();
tokenResponseClient.setRequestEntityConverter(requestEntityConverter);
java

使用 client_secret_jwt 进行身份验证

给定以下用于OAuth 2.0客户端注册的Spring Boot属性:

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
            client-authentication-method: client_secret_jwt
            authorization-grant-type: client_credentials
            ...
yaml

以下示例展示了如何配置 DefaultClientCredentialsTokenResponseClient

Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> {
    if (clientRegistration.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.CLIENT_SECRET_JWT)) {
        SecretKeySpec secretKey = new SecretKeySpec(
                clientRegistration.getClientSecret().getBytes(StandardCharsets.UTF_8),
                "HmacSHA256");
        return new OctetSequenceKey.Builder(secretKey)
                .keyID(UUID.randomUUID().toString())
                .build();
    }
    return null;
};

OAuth2ClientCredentialsGrantRequestEntityConverter requestEntityConverter =
        new OAuth2ClientCredentialsGrantRequestEntityConverter();
requestEntityConverter.addParametersConverter(
        new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));

DefaultClientCredentialsTokenResponseClient tokenResponseClient =
        new DefaultClientCredentialsTokenResponseClient();
tokenResponseClient.setRequestEntityConverter(requestEntityConverter);
java

自定义 JWT 断言

NimbusJwtClientAuthenticationParametersConverter 生成的 JWT 默认包含 isssubaudjtiiatexp 声明。你可以通过向 setJwtClientAssertionCustomizer() 提供一个 Consumer<NimbusJwtClientAuthenticationParametersConverter.JwtClientAuthenticationContext<T>> 来自定义头部和/或声明。以下示例展示了如何自定义 JWT 的声明:

Function<ClientRegistration, JWK> jwkResolver = ...

NimbusJwtClientAuthenticationParametersConverter<OAuth2ClientCredentialsGrantRequest> converter =
        new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver);
converter.setJwtClientAssertionCustomizer((context) -> {
    context.getHeaders().header("custom-header", "header-value");
    context.getClaims().claim("custom-claim", "claim-value");
});
java

公共认证

公共客户端认证开箱即用,无需任何自定义即可启用。

以下Spring Boot属性用于OAuth 2.0客户端注册,展示了配置内容:

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: client-id
            client-authentication-method: none
            authorization-grant-type: authorization_code
            ...
yaml
备注

公共客户端支持使用Proof Key for Code Exchange (PKCE)。当 client-authentication-method 设置为 "none"(ClientAuthenticationMethod.NONE)时,将自动使用 PKCE。