核心接口和类
本节描述了 Spring Security 提供的 OAuth2 核心接口和类。
ClientRegistration
ClientRegistration 是在 OAuth 2.0 或 OpenID Connect 1.0 提供程序中注册的客户端的表示。
ClientRegistration 对象保存了诸如客户端ID、客户端密钥、授权许可类型、重定向URI、范围(scope)、授权URI、令牌URI等信息。
ClientRegistration 及其属性定义如下:
public final class ClientRegistration {
private String registrationId; 1
private String clientId; 2
private String clientSecret; 3
private ClientAuthenticationMethod clientAuthenticationMethod; 4
private AuthorizationGrantType authorizationGrantType; 5
private String redirectUri; 6
private Set<String> scopes; 7
private ProviderDetails providerDetails;
private String clientName; 8
public class ProviderDetails {
private String authorizationUri; 9
private String tokenUri; 10
private UserInfoEndpoint userInfoEndpoint;
private String jwkSetUri; 11
private String issuerUri; 12
private Map<String, Object> configurationMetadata; 13
public class UserInfoEndpoint {
private String uri; 14
private AuthenticationMethod authenticationMethod; 15
private String userNameAttributeName; 16
}
}
}
registrationId: 用于唯一标识ClientRegistration的 ID。clientId: 客户端标识符。clientSecret: 客户端密钥。clientAuthenticationMethod: 用于与提供商进行客户端身份验证的方法。支持的值为 client_secret_basic、client_secret_post、private_key_jwt、client_secret_jwt 和 none (公开客户端)。authorizationGrantType: OAuth 2.0 授权框架定义了四种 授权授予 类型。支持的值为authorization_code、client_credentials、password以及扩展授权类型urn:ietf:params:oauth:grant-type:jwt-bearer。redirectUri: 授权服务器在终端用户完成身份验证并授权客户端访问后,将终端用户的用户代理重定向到的已注册重定向 URI。scopes: 客户端在授权请求流程中请求的作用域,例如 openid、email 或 profile。clientName: 用于描述客户端的名称。该名称可能在某些场景下使用,例如在自动生成的登录页面上显示客户端名称时。authorizationUri: 授权服务器的授权端点 URI。tokenUri: 授权服务器的令牌端点 URI。jwkSetUri: 用于从授权服务器检索 JSON Web Key (JWK) 集合的 URI,其中包含用于验证 ID Token 和(可选)UserInfo 响应的 JSON Web Signature (JWS) 的加密密钥。issuerUri: 返回 OpenID Connect 1.0 提供商或 OAuth 2.0 授权服务器的发行者标识符 URI。configurationMetadata: OpenID 提供商配置信息。仅当配置了 Spring Boot 属性spring.security.oauth2.client.provider.[providerId].issuerUri时,此信息才可用。(userInfoEndpoint)uri: 用于访问已认证终端用户的声明和属性的 UserInfo 端点 URI。(userInfoEndpoint)authenticationMethod: 向 UserInfo 端点发送访问令牌时使用的身份验证方法。支持的值为 header、form 和 query。userNameAttributeName: 在 UserInfo 响应中返回的引用终端用户名或标识符的属性名称。
ClientRegistrations 提供了方便的方法来以这种方式配置 ClientRegistration,如下所示:
- Java
- Kotlin
ClientRegistration clientRegistration =
ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build();
val clientRegistration = ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build()
上述代码依次查询 [idp.example.com/issuer/.well-known/openid-configuration](https://idp.example.com/issuer/.well-known/openid-configuration)、[idp.example.com/.well-known/openid-configuration/issuer](https://idp.example.com/.well-known/openid-configuration/issuer) 和 [idp.example.com/.well-known/oauth-authorization-server/issuer](https://idp.example.com/.well-known/oauth-authorization-server/issuer),并在第一个返回 200 响应时停止。
作为一种替代方法,你可以使用 ClientRegistrations.fromOidcIssuerLocation() 来仅查询 OpenID Connect 提供者的配置端点。
ClientRegistrationRepository
ClientRegistrationRepository 作为 OAuth 2.0 / OpenID Connect 1.0 ClientRegistration 的仓库。
客户端注册信息最终存储并归属于相关的授权服务器。此仓库提供了检索主要客户端注册信息的子集的功能,这些信息存储在授权服务器中。
Spring Boot 自动配置将 spring.security.oauth2.client.registration._[registrationId]_ 下的每个属性绑定到 ClientRegistration 的实例,然后将每个 ClientRegistration 实例组合在一个 ClientRegistrationRepository 中。
ClientRegistrationRepository 的默认实现是 InMemoryClientRegistrationRepository。
自动配置还会将 ClientRegistrationRepository 作为 @Bean 注册到 ApplicationContext 中,以便在应用程序需要时可以进行依赖注入。
以下列表显示了一个示例:
- Java
- Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private ClientRegistrationRepository clientRegistrationRepository;
@GetMapping("/")
public String index() {
ClientRegistration oktaRegistration =
this.clientRegistrationRepository.findByRegistrationId("okta");
...
return "index";
}
}
@Controller
class OAuth2ClientController {
@Autowired
private lateinit var clientRegistrationRepository: ClientRegistrationRepository
@GetMapping("/")
fun index(): String {
val oktaRegistration =
this.clientRegistrationRepository.findByRegistrationId("okta")
//...
return "index";
}
}
OAuth2AuthorizedClient
OAuth2AuthorizedClient 是一个已授权客户端的表示。当终端用户(资源所有者)授予客户端访问其受保护资源的权限时,该客户端被视为已授权。
OAuth2AuthorizedClient 的作用是将 OAuth2AccessToken(以及可选的 OAuth2RefreshToken)与 ClientRegistration(客户端)和资源所有者关联起来,这里的资源所有者是授予授权的 Principal 最终用户。
OAuth2AuthorizedClientRepository 和 OAuth2AuthorizedClientService
OAuth2AuthorizedClientRepository 负责在 Web 请求之间持久化 OAuth2AuthorizedClient,而 OAuth2AuthorizedClientService 的主要作用是在应用程序级别管理 OAuth2AuthorizedClient。
从开发人员的角度来看,OAuth2AuthorizedClientRepository 或 OAuth2AuthorizedClientService 提供了查找与客户端关联的 OAuth2AccessToken 的能力,以便可以使用它来发起受保护的资源请求。
以下列表显示了一个示例:
- Java
- Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private OAuth2AuthorizedClientService authorizedClientService;
@GetMapping("/")
public String index(Authentication authentication) {
OAuth2AuthorizedClient authorizedClient =
this.authorizedClientService.loadAuthorizedClient("okta", authentication.getName());
OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
...
return "index";
}
}
@Controller
class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientService: OAuth2AuthorizedClientService
@GetMapping("/")
fun index(authentication: Authentication): String {
val authorizedClient: OAuth2AuthorizedClient =
this.authorizedClientService.loadAuthorizedClient("okta", authentication.getName());
val accessToken = authorizedClient.accessToken
...
return "index";
}
}
Spring Boot 自动配置会在 ApplicationContext 中注册一个 OAuth2AuthorizedClientRepository 或 OAuth2AuthorizedClientService @Bean。但是,应用程序可以覆盖并注册自定义的 OAuth2AuthorizedClientRepository 或 OAuth2AuthorizedClientService @Bean。
OAuth2AuthorizedClientService 的默认实现是 InMemoryOAuth2AuthorizedClientService,它将 OAuth2AuthorizedClient 对象存储在内存中。
或者,你可以配置JDBC实现JdbcOAuth2AuthorizedClientService以将OAuth2AuthorizedClient实例持久化到数据库中。
JdbcOAuth2AuthorizedClientService 依赖于OAuth 2.0 客户端模式中描述的表定义。
OAuth2AuthorizedClientManager 和 OAuth2AuthorizedClientProvider
OAuth2AuthorizedClientManager 负责 OAuth2AuthorizedClient 的整体管理。
主要职责包括:
-
通过使用
OAuth2AuthorizedClientProvider授权(或重新授权)一个 OAuth 2.0 客户端。 -
委托
OAuth2AuthorizedClient的持久化,通常通过使用OAuth2AuthorizedClientService或OAuth2AuthorizedClientRepository。 -
当 OAuth 2.0 客户端成功授权(或重新授权)时,委托给
OAuth2AuthorizationSuccessHandler。 -
当 OAuth 2.0 客户端授权(或重新授权)失败时,委托给
OAuth2AuthorizationFailureHandler。
OAuth2AuthorizedClientProvider 实现了一种授权(或重新授权)OAuth 2.0 客户端的策略。实现通常会实现一种授权许可类型,如 authorization_code、client_credentials 等。
OAuth2AuthorizedClientManager 的默认实现是 DefaultOAuth2AuthorizedClientManager,它与一个 OAuth2AuthorizedClientProvider 相关联,该提供者可能使用基于委托的复合体支持多种授权许可类型。你可以使用 OAuth2AuthorizedClientProviderBuilder 来配置和构建基于委托的复合体。
以下代码展示了如何配置和构建一个 OAuth2AuthorizedClientProvider 组合,该组合支持 authorization_code、refresh_token、client_credentials 和 password 授权类型:
- Java
- Kotlin
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
ClientRegistrationRepository clientRegistrationRepository,
OAuth2AuthorizedClientRepository authorizedClientRepository) {
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken()
.clientCredentials()
.password()
.build();
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}
@Bean
fun authorizedClientManager(
clientRegistrationRepository: ClientRegistrationRepository,
authorizedClientRepository: OAuth2AuthorizedClientRepository): OAuth2AuthorizedClientManager {
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken()
.clientCredentials()
.password()
.build()
val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}
当授权尝试成功时,DefaultOAuth2AuthorizedClientManager 会委托给 OAuth2AuthorizationSuccessHandler,后者(默认情况下)通过 OAuth2AuthorizedClientRepository 保存 OAuth2AuthorizedClient。如果重新授权失败(例如刷新令牌不再有效),则会通过 RemoveAuthorizedClientOAuth2AuthorizationFailureHandler 从 OAuth2AuthorizedClientRepository 中移除先前保存的 OAuth2AuthorizedClient。你可以通过 setAuthorizationSuccessHandler(OAuth2AuthorizationSuccessHandler) 和 setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler) 自定义默认行为。
DefaultOAuth2AuthorizedClientManager 还与类型为 Function<OAuth2AuthorizeRequest, Map<String, Object>> 的 contextAttributesMapper 相关联,该映射器负责将 OAuth2AuthorizeRequest 中的属性映射到要与 OAuth2AuthorizationContext 关联的属性 Map。当您需要向 OAuth2AuthorizedClientProvider 提供所需的(支持的)属性时,这可能会很有用,例如,PasswordOAuth2AuthorizedClientProvider 需要在 OAuth2AuthorizationContext.getAttributes() 中提供资源所有者的 username 和 password。
以下代码展示了 contextAttributesMapper 的一个示例:
- Java
- Kotlin
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
ClientRegistrationRepository clientRegistrationRepository,
OAuth2AuthorizedClientRepository authorizedClientRepository) {
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build();
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Assuming the `username` and `password` are supplied as `HttpServletRequest` parameters,
// map the `HttpServletRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper());
return authorizedClientManager;
}
private Function<OAuth2AuthorizeRequest, Map<String, Object>> contextAttributesMapper() {
return authorizeRequest -> {
Map<String, Object> contextAttributes = Collections.emptyMap();
HttpServletRequest servletRequest = authorizeRequest.getAttribute(HttpServletRequest.class.getName());
String username = servletRequest.getParameter(OAuth2ParameterNames.USERNAME);
String password = servletRequest.getParameter(OAuth2ParameterNames.PASSWORD);
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = new HashMap<>();
// `PasswordOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
}
return contextAttributes;
};
}
@Bean
fun authorizedClientManager(
clientRegistrationRepository: ClientRegistrationRepository,
authorizedClientRepository: OAuth2AuthorizedClientRepository): OAuth2AuthorizedClientManager {
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build()
val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
// Assuming the `username` and `password` are supplied as `HttpServletRequest` parameters,
// map the `HttpServletRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper())
return authorizedClientManager
}
private fun contextAttributesMapper(): Function<OAuth2AuthorizeRequest, MutableMap<String, Any>> {
return Function { authorizeRequest ->
var contextAttributes: MutableMap<String, Any> = mutableMapOf()
val servletRequest: HttpServletRequest = authorizeRequest.getAttribute(HttpServletRequest::class.java.name)
val username: String = servletRequest.getParameter(OAuth2ParameterNames.USERNAME)
val password: String = servletRequest.getParameter(OAuth2ParameterNames.PASSWORD)
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = hashMapOf()
// `PasswordOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes[OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME] = username
contextAttributes[OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME] = password
}
contextAttributes
}
}
DefaultOAuth2AuthorizedClientManager 设计为在 HttpServletRequest 的上下文中使用。在 HttpServletRequest 上下文之外操作时,请使用 AuthorizedClientServiceOAuth2AuthorizedClientManager 代替。
服务应用程序是使用 AuthorizedClientServiceOAuth2AuthorizedClientManager 的常见用例。服务应用程序通常在后台运行,没有任何用户交互,并且通常以系统级帐户而不是用户帐户运行。配置了 client_credentials 授权类型的 OAuth 2.0 客户端可以被视为一种服务应用程序。
以下代码展示了如何配置一个 AuthorizedClientServiceOAuth2AuthorizedClientManager,以支持 client_credentials 授权类型:
- Java
- Kotlin
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
ClientRegistrationRepository clientRegistrationRepository,
OAuth2AuthorizedClientService authorizedClientService) {
OAuth2AuthorizedClientProvider authorizedClientProvider =
OAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build();
AuthorizedClientServiceOAuth2AuthorizedClientManager authorizedClientManager =
new AuthorizedClientServiceOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientService);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}
@Bean
fun authorizedClientManager(
clientRegistrationRepository: ClientRegistrationRepository,
authorizedClientService: OAuth2AuthorizedClientService): OAuth2AuthorizedClientManager {
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build()
val authorizedClientManager = AuthorizedClientServiceOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientService)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}