OAuth 2.0 Bearer Tokens
Bearer Token 解析
默认情况下,资源服务器会在 Authorization 头部中查找承载令牌。不过,可以通过多种方式对此进行自定义。
从自定义标头读取承载令牌
例如,您可能需要从自定义标头中读取承载令牌。为实现此目的,您可以暴露一个 DefaultBearerTokenResolver 作为 bean,或者将其实例连接到 DSL 中,如下例所示:
- Java
- Kotlin
- Xml
@Bean
BearerTokenResolver bearerTokenResolver() {
DefaultBearerTokenResolver bearerTokenResolver = new DefaultBearerTokenResolver();
bearerTokenResolver.setBearerTokenHeaderName(HttpHeaders.PROXY_AUTHORIZATION);
return bearerTokenResolver;
}
@Bean
fun bearerTokenResolver(): BearerTokenResolver {
val bearerTokenResolver = DefaultBearerTokenResolver()
bearerTokenResolver.setBearerTokenHeaderName(HttpHeaders.PROXY_AUTHORIZATION)
return bearerTokenResolver
}
<http>
<oauth2-resource-server bearer-token-resolver-ref="bearerTokenResolver"/>
</http>
<bean id="bearerTokenResolver"
class="org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver">
<property name="bearerTokenHeaderName" value="Proxy-Authorization"/>
</bean>
或者,在服务提供者同时使用自定义标头和值的情况下,你可以改用 HeaderBearerTokenResolver。
从表单参数中读取承载令牌
或者,您可能希望从表单参数中读取令牌,这可以通过配置 DefaultBearerTokenResolver 来实现,如下所示:
- Java
- Kotlin
- Xml
DefaultBearerTokenResolver resolver = new DefaultBearerTokenResolver();
resolver.setAllowFormEncodedBodyParameter(true);
http
.oauth2ResourceServer((oauth2) -> oauth2
.bearerTokenResolver(resolver)
);
val resolver = DefaultBearerTokenResolver()
resolver.setAllowFormEncodedBodyParameter(true)
http {
oauth2ResourceServer {
bearerTokenResolver = resolver
}
}
<http>
<oauth2-resource-server bearer-token-resolver-ref="bearerTokenResolver"/>
</http>
<bean id="bearerTokenResolver"
class="org.springframework.security.oauth2.server.resource.web.HeaderBearerTokenResolver">
<property name="allowFormEncodedBodyParameter" value="true"/>
</bean>
Bearer Token 传播
既然你的资源服务器已经验证了令牌,将其传递给下游服务可能会很方便。使用 ServletBearerExchangeFilterFunction 可以非常简单地实现这一点,如下例所示:
- Java
- Kotlin
@Bean
public WebClient rest() {
return WebClient.builder()
.filter(new ServletBearerExchangeFilterFunction())
.build();
}
@Bean
fun rest(): WebClient {
return WebClient.builder()
.filter(ServletBearerExchangeFilterFunction())
.build()
}
当使用上述 WebClient 执行请求时,Spring Security 会查找当前的 Authentication 并提取任何 AbstractOAuth2Token 凭证。随后,它会在 Authorization 头部中传播该令牌。
例如:
- Java
- Kotlin
this.rest.get()
.uri("https://other-service.example.com/endpoint")
.retrieve()
.bodyToMono(String.class)
.block()
this.rest.get()
.uri("https://other-service.example.com/endpoint")
.retrieve()
.bodyToMono<String>()
.block()
将调用 [other-service.example.com/endpoint](https://other-service.example.com/endpoint),并自动为您添加承载令牌 Authorization 请求头。
在需要覆盖此行为的地方,只需自行提供头部信息即可,例如:
- Java
- Kotlin
this.rest.get()
.uri("https://other-service.example.com/endpoint")
.headers((headers) -> headers.setBearerAuth(overridingToken))
.retrieve()
.bodyToMono(String.class)
.block()
this.rest.get()
.uri("https://other-service.example.com/endpoint")
.headers{ headers -> headers.setBearerAuth(overridingToken)}
.retrieve()
.bodyToMono<String>()
.block()
在这种情况下,过滤器将回退并直接将请求转发给Web过滤器链的其余部分。
与 OAuth 2.0 客户端过滤器函数 不同,此过滤器函数在令牌过期时不会尝试续订。如需获得此级别的支持,请使用 OAuth 2.0 客户端过滤器。
RestTemplate 支持
目前还没有与 ServletBearerExchangeFilterFunction 对应的 RestTemplate 实现,但你可以通过自定义拦截器轻松传播请求的承载令牌:
- Java
- Kotlin
@Bean
RestTemplate rest() {
RestTemplate rest = new RestTemplate();
rest.getInterceptors().add((request, body, execution) -> {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication == null) {
return execution.execute(request, body);
}
if (!(authentication.getCredentials() instanceof AbstractOAuth2Token)) {
return execution.execute(request, body);
}
AbstractOAuth2Token token = (AbstractOAuth2Token) authentication.getCredentials();
request.getHeaders().setBearerAuth(token.getTokenValue());
return execution.execute(request, body);
});
return rest;
}
@Bean
fun rest(): RestTemplate {
val rest = RestTemplate()
rest.interceptors.add(ClientHttpRequestInterceptor { request, body, execution ->
val authentication: Authentication? = SecurityContextHolder.getContext().authentication
if (authentication == null) {
return execution.execute(request, body)
}
if (authentication.credentials !is AbstractOAuth2Token) {
return execution.execute(request, body)
}
request.headers.setBearerAuth(authentication.credentials.tokenValue)
execution.execute(request, body)
})
return rest
}
与 OAuth 2.0 授权客户端管理器 不同,此过滤器拦截器在令牌过期时不会尝试续订。要获得此级别的支持,请使用 OAuth 2.0 授权客户端管理器 创建拦截器。
Bearer Token 失败
Bearer token 可能因多种原因失效。例如,该 token 可能已不再处于活动状态。
在这种情况下,资源服务器会抛出一个 InvalidBearerTokenException。与其他异常一样,这会导致一个 OAuth 2.0 Bearer Token 错误响应:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error_code="invalid_token", error_description="Unsupported algorithm of none", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"
此外,该事件会以 AuthenticationFailureBadCredentialsEvent 的形式发布,您可以在应用程序中监听此事件,例如:
- Java
- Kotlin
@Component
public class FailureEvents {
@EventListener
public void onFailure(AuthenticationFailureBadCredentialsEvent badCredentials) {
if (badCredentials.getAuthentication() instanceof BearerTokenAuthenticationToken) {
// ... handle
}
}
}
@Component
class FailureEvents {
@EventListener
fun onFailure(badCredentials: AuthenticationFailureBadCredentialsEvent) {
if (badCredentials.authentication is BearerTokenAuthenticationToken) {
// ... handle
}
}
}