客戶端認證支援
客戶端憑據
使用 client_secret_basic 進行認證
透過 HTTP Basic 的客戶端認證開箱即用,無需額外定製即可啟用。預設實現由 DefaultOAuth2TokenRequestHeadersConverter 提供。
給定以下用於 OAuth 2.0 客戶端註冊的 Spring Boot 屬性
spring:
security:
oauth2:
client:
registration:
okta:
client-id: client-id
client-secret: client-secret
client-authentication-method: client_secret_basic
authorization-grant-type: authorization_code
...以下示例展示瞭如何配置 WebClientReactiveAuthorizationCodeTokenResponseClient 以停用客戶端憑據的 URL 編碼
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter<OAuth2AuthorizationCodeGrantRequest> headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter<>();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveAuthorizationCodeTokenResponseClient tokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
tokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter<OAuth2AuthorizationCodeGrantRequest>()
headersConverter.setEncodeClientCredentials(false)
val tokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
tokenResponseClient.setHeadersConverter(headersConverter)使用 client_secret_post 進行認證
透過請求體中包含客戶端憑據的客戶端認證開箱即用,無需額外定製即可啟用。
以下用於 OAuth 2.0 客戶端註冊的 Spring Boot 屬性展示了配置
spring:
security:
oauth2:
client:
registration:
okta:
client-id: client-id
client-secret: client-secret
client-authentication-method: client_secret_post
authorization-grant-type: authorization_code
...JWT Bearer
|
請參考 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants 以獲取關於 JWT Bearer 客戶端認證的更多詳細資訊。 |
JWT Bearer 客戶端認證的預設實現是 NimbusJwtClientAuthenticationParametersConverter,這是一個 Converter,透過在 client_assertion 引數中添加簽名的 JSON Web Token (JWS) 來定製令牌請求引數。
用於簽署 JWS 的 java.security.PrivateKey 或 javax.crypto.SecretKey 由與 NimbusJwtClientAuthenticationParametersConverter 相關聯的 com.nimbusds.jose.jwk.JWK 解析器提供。
使用 private_key_jwt 進行認證
給定以下用於 OAuth 2.0 客戶端註冊的 Spring Boot 屬性
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-authentication-method: private_key_jwt
authorization-grant-type: authorization_code
...以下示例展示瞭如何配置 WebClientReactiveAuthorizationCodeTokenResponseClient
-
Java
-
Kotlin
Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> {
if (clientRegistration.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
// Assuming RSA key type
RSAPublicKey publicKey = ...
RSAPrivateKey privateKey = ...
return new RSAKey.Builder(publicKey)
.privateKey(privateKey)
.keyID(UUID.randomUUID().toString())
.build();
}
return null;
};
WebClientReactiveAuthorizationCodeTokenResponseClient tokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
tokenResponseClient.addParametersConverter(
new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));val jwkResolver: Function<ClientRegistration, JWK> =
Function<ClientRegistration, JWK> { clientRegistration ->
if (clientRegistration.clientAuthenticationMethod.equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
// Assuming RSA key type
var publicKey: RSAPublicKey = ...
var privateKey: RSAPrivateKey = ...
RSAKey.Builder(publicKey)
.privateKey(privateKey)
.keyID(UUID.randomUUID().toString())
.build()
}
null
}
val tokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
tokenResponseClient.addParametersConverter(
NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
)使用 client_secret_jwt 進行認證
給定以下用於 OAuth 2.0 客戶端註冊的 Spring Boot 屬性
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
client-authentication-method: client_secret_jwt
authorization-grant-type: client_credentials
...以下示例展示瞭如何配置 WebClientReactiveClientCredentialsTokenResponseClient
-
Java
-
Kotlin
Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> {
if (clientRegistration.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.CLIENT_SECRET_JWT)) {
SecretKeySpec secretKey = new SecretKeySpec(
clientRegistration.getClientSecret().getBytes(StandardCharsets.UTF_8),
"HmacSHA256");
return new OctetSequenceKey.Builder(secretKey)
.keyID(UUID.randomUUID().toString())
.build();
}
return null;
};
WebClientReactiveClientCredentialsTokenResponseClient tokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
tokenResponseClient.addParametersConverter(
new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));val jwkResolver = Function<ClientRegistration, JWK?> { clientRegistration: ClientRegistration ->
if (clientRegistration.clientAuthenticationMethod == ClientAuthenticationMethod.CLIENT_SECRET_JWT) {
val secretKey = SecretKeySpec(
clientRegistration.clientSecret.toByteArray(StandardCharsets.UTF_8),
"HmacSHA256"
)
OctetSequenceKey.Builder(secretKey)
.keyID(UUID.randomUUID().toString())
.build()
}
null
}
val tokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
tokenResponseClient.addParametersConverter(
NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
)定製 JWT 斷言
NimbusJwtClientAuthenticationParametersConverter 生成的 JWT 預設包含 iss、sub、aud、jti、iat 和 exp 宣告。你可以透過向 setJwtClientAssertionCustomizer() 提供一個 Consumer<NimbusJwtClientAuthenticationParametersConverter.JwtClientAuthenticationContext<T>> 來定製頭部和/或宣告。以下示例展示瞭如何定製 JWT 的宣告
-
Java
-
Kotlin
Function<ClientRegistration, JWK> jwkResolver = ...
NimbusJwtClientAuthenticationParametersConverter<OAuth2ClientCredentialsGrantRequest> converter =
new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver);
converter.setJwtClientAssertionCustomizer((context) -> {
context.getHeaders().header("custom-header", "header-value");
context.getClaims().claim("custom-claim", "claim-value");
});val jwkResolver = ...
val converter: NimbusJwtClientAuthenticationParametersConverter<OAuth2ClientCredentialsGrantRequest> =
NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
converter.setJwtClientAssertionCustomizer { context ->
context.headers.header("custom-header", "header-value")
context.claims.claim("custom-claim", "claim-value")
}公共認證
公共客戶端認證開箱即用,無需額外定製即可啟用。
以下用於 OAuth 2.0 客戶端註冊的 Spring Boot 屬性展示了配置
spring:
security:
oauth2:
client:
registration:
okta:
client-id: client-id
client-authentication-method: none
authorization-grant-type: authorization_code
...|
公共客戶端透過 Proof Key for Code Exchange (PKCE) 提供支援。當 |
